About the security dashboard

As an administrator, you can use the security dashboard to see an overview of different security reports. By default, each security report panel displays data from the last 7 days. You can customize the dashboard to view data from Today, Yesterday, This week, Last week, This month, Last month, or Days ago (up to 180 days).

To view more details about any of the reports, click View Report in the bottom-right corner of any panel. 

View trends

You can use the dashboard to quickly view trends—for example, to see at a glance whether external file sharing has increased or decreased during a specific time period. 

Each panel on the dashboard displays the percentage change over time of the data. For example, if the date range on the dashboard is set to the last 10 days and the number of authenticated messages has increased by 25% in the last 10 days, under Authenticated, you’ll see +25%. (Sometimes this percentage is not displayed due to insufficient data.)

To compare the current data to historical data, at the top right, from the Statistical analysis menu, select Percentile. On the dashboard, you’ll see an overlay on the line charts that shows the 10th, 50th, and 90th percentile of historical data (180 days for most data and 30 days for Gmail data).

What is the data retention for each report?

Depending on the security report type, data is retained between 30 and 180 days.

These reports have data from the last 30 days:

  • Attachments from untrusted senders
  • Authentication
  • Custom settings
  • Encryption
  • Message delivery
  • Spam filter
  • Spoofing
  • User reports

These reports have data from the last 180 days:

  • Compromised device events
  • File exposure
  • Failed device password attempts
  • OAuth scope grants by product
  • OAuth grant activity
  • OAuth grants to new apps
  • Suspicious device activities

What does external file sharing look like for the domain?

Available for G Suite Enterprise and Drive Enterprise

Use this panel for an overview of the number of sharing events to users outside of your domain for a specified time period, and the number of views. You can see the following details by clicking the tabs at the top of the panel:     

  • Shares—Number of sharing events on externally visible files
  • Views—Number of views of externally visible files

To view the File exposure report, click View Report. For details about the report, see File exposure report

About externally visible files

Externally visible files are files that are shared with these methods:

  • Public on the web—Anyone on the internet can find and access. No sign-in required.
    In the Link sharing window, the user chooses: On - Public on the web.
  • Anyone with the link—Anyone who has the link can access. No sign-in required.
    In the Link sharing window, the user chooses: On - Anyone with the link.
  • Shared externally with specific people—The users are outside of your domain.
    In the Link sharing window, the user chooses: Off - Specific people, and shares the file with a specific user outside of the domain.

Note:

  • For the external file sharing chart, the data displays a comparison to the last time range. For example, if you select a time range of Last 7 days, the delta shown in the chart is a comparison against the previous week.
  • There may be a delay of 1 hour or more for Drive data to be displayed in the security center for some domains.

How many messages were authenticated?

Available for G Suite Enterprise

Email authentication standards like DKIM and SPF can protect your domain from certain types of email threats like phishing. This chart shows inbound and outbound messages broken down by Authenticated and Unauthenticated:

  • Authenticated--Messages that meet email authentication standards like DKIM and SPF
  • Unauthenticated--Messages that don't have any email authentication

To view the Authentication report, click View Report. For details about the report, see Authentication report.

How many messages were affected by your custom settings?

Available for G Suite Enterprise

The consequence of messages sent to your domain (for example, whether messages are rejected, rerouted, whitelisted, or quarantined) is determined by how Gmail custom settings are configured for your domain. These settings can sometimes override Gmail's spam filter, which determines whether a message is marked as clean or spam.

The Custom settings panel enables you to quickly view how many messages in your domain were affected by a disagreement between your spam filters and custom Gmail settings:

  • All—Number of messages whose consequence was determined by your Gmail configuration
  • Disagree—Number of messages where your domain's Gmail configuration and Gmail's spam filter disagree on the consequence

To view the Custom settings report, click View Report. For details about the report, see Custom settings report.

How often are DLP rules violated in relation to severity?

Available for G Suite Enterprise and Drive Enterprise

You can use data loss prevention (DLP) rules to control what sensitive information users can share. 

From the DLP incidents panel, you can monitor the number of DLP incidents during the specified date range. Incidents are organized into 3 levels of severity—high, medium, and low. The total number of incidents by severity is displayed under the chart. 

To see more information about DLP incidents in your organization, click View Report. For details about the report, see View and customize the DLP incidents report.

What and when are the top incidents based on policies?

Available for G Suite Enterprise and Drive Enterprise

From the Top policy incidents panel, you can monitor the number of incidents for the top policy incidents during a specified date range.

From the chart, you can see the number of incidents for each policy organized by service (Google Drive and Gmail). Incidents are ranked by the highest number of policy incidents during a specified date range. At the bottom of the chart, you see the total number of incidents for the top policies for Gmail and Drive.

To see more information about top policy incidents in your organization, click View Report. For details about the report, see View the top policy incidents report.

How many messages were encrypted?

Available for G Suite Enterprise

You can monitor the security of your domain by viewing how many messages were encrypted with Transport Layer Security (TLS). 

TLS is a protocol that encrypts and delivers mail securely for both inbound and outbound mail traffic. It helps prevent eavesdropping between mail servers. Use the Encryption panel to view statistics related to TLS and to view trends over a specific time period--for example, whether the use of TLS is increasing or decreasing:

  • TLS—Messages that were sent using the Transport Layer Security (TLS) protocol
  • Non-TLS—Messages that were sent without using the Transport Layer Security (TLS) protocol

To view the Encryption report, click View Report. For details about the report, see Encryption report.

What does inbound message volume look like?

Available for G Suite Enterprise

The Gmail spam filter protects your domain by automatically rejecting most blatant spam and malware messages. Additionally, some Gmail advanced settings can override the spam filter and either accept or reject messages. Use the Message delivery panel to view how many messages were accepted, and how many messages were rejected for a specific time period:

  • Accepted—Number of messages that were accepted into the domain because of your Gmail settings or the Gmail spam filter 
  • Rejected—Number of messages that were blocked from entering the domain because of your Gmail settings or the Gmail spam filter.

To view the Message delivery report, click View Report. For details about the report, see Message delivery report.

How are incoming messages being routed?

Available for G Suite Enterprise

Messages can be marked as spam by the Gmail spam filter and placed in users' spam folders. Using the Spam filter - All panel, you can view how many messages were marked as spam, phishing, or malware during a specific time period. 

If a message is considered suspicious but also has positive qualities (for example, if the message's sender is whitelisted) then the message may be placed in a user's inbox. Incoming messages are placed in one of these two destinations:

  • Spam folder—Number of messages that are confirmed to be spam, phishing, or malware that are placed in the user’s spam folder.
  • Inbox—Number of messages that are marked as clean, or that are considered suspicious but also have positive qualities, that are placed in the user’s inbox.

Note: Third-party inbound mail filtering systems can sometimes affect Spam results and therefore affect the data in the Spam filter - All panel. Additionally, some Gmail custom settings can override the spam filter and either accept or reject messages.

To view the Spam filter report, click View Report in the Spam filter - All panel. For details about the report, see Spam filter report.

How are potential phishing emails being routed?

Available for G Suite Enterprise

Messages can be marked as phishing by the Gmail spam filter and placed in users' spam folders. Using the Spam filter - Phishing panel, you can view how many messages were marked as phishing during a specific time period.

If a message is considered suspicious but also has positive qualitiesfor example, if the message's sender is whitelistedthen the message may be placed in a user's inbox. Incoming messages identified as possible phishing threats are placed in one of these two destinations:

  • Spam folder—Number of messages that are confirmed to be phishing that are placed in the user’s spam folder.
  • Inbox—Number of messages that are marked as clean, or that are considered suspicious but also have positive qualities, that are placed in the user’s inbox.

Note: Third-party inbound mail filtering systems can sometimes affect Spam results and therefore affect the data in the Spam filter - Phishing panel. Additionally, some Gmail custom settings can override the spam filter and either accept or reject messages.

To view the Spam filter report, click View Report in the Spam filter - Phishing panel. For details about the report, see Spam filter report.

When were messages marked as malware?

Available for G Suite Enterprise

Messages can be marked as malware by the Gmail spam filter and placed in users' spam folders. Using the Spam filter - Malware panel, you can view how many messages were identified as malware during a specific time period. 

Incoming messages can be identified as malware either before or after they are delivered to a user’s inbox:

  • Pre-delivery—Messages with attachments confirmed to be malware before they are delivered are placed in the user’s spam folder, with the attachments disabled.
  • Post-delivery—Messages with attachments that pass initial malware checks are placed in the user’s inbox, but may be identified as malware after the fact by longer-running malware scans. Attachments are disabled once they are classified as malware.

To view the Spam filter report, click View Report in the Spam filter - Malware panel. For details about the report, see Spam filter report.

How are users marking their emails? 

Available for G Suite Enterprise

Email users can report messages in their inboxes as spam, not spam, or phishing. In Gmail, this action trains the system to identify similar messages as spam, not spam, or phishing in the future. From the User reports panel on the Overview page, you quickly view these statistics for a specific time period:

  • Not spam—Number of messages marked as Not spam
  • Spam—Number of messages marked as Spam
  • Phishing—Number of messages marked as Phishing

To view the User reports report, click View Report. For details about the report, see User reports report.

How many times were there failed password attempts on devices? 

Available for G Suite Enterprise and Cloud Identity Premium Edition

Only devices under advanced management are included in this report.

A failed password attempt is defined as 6 consecutive unsuccessful password attempts made from a device, with each subsequent unsuccessful attempt counting as an additional failed attempt. 

For example, 6 consecutive failed attempts would count as 1 failed attempt, 7 consecutive failed attempts would count as 2, 8 consecutive failed attempts would count as 3, and so on.

From the Failed device password attempts panel, you can view the number of failed attempts over time. 

To view the Failed device password attempts report, click View Report. This enables you to view more details about these events, including the device IDs and the device owners. For details about the report, see Failed device password attempts

Note: This panel provides data for Android devices only, and not for iOS devices.

What compromised device events have been detected? 

Available for G Suite Enterprise and Cloud Identity Premium Edition

Only devices under advanced management are included in this report.

A device may be counted as compromised if certain unusual events are detected:

  • iOS devices—An iOS device is counted as compromised if the device has been jailbroken. A jailbreak might enable the installation of unofficial apps, the modification of previously restricted settings, or the bypassing of security controls. 
  • Android devices—An Android device is counted as compromised if the device has been rooted. If a device is rooted, users might be able to modify the software code on the device, or install software that's normally not allowed by the manufacturer.

From the Compromised device events panel, you can view the number of compromised device events during the time range that you set on the security dashboard.

To view the Compromised device events report, click View Report. This enables you to view more details about these events, including the device IDs and the device owners. For details about the report, see Compromised device events

Note: This panel provides data for both Android and iOS devices.

What suspicious device activities have been detected? 

Available for G Suite Enterprise and Cloud Identity Premium Edition

Only devices under advanced management are included in this report.

If a device property is updated on a mobile device, this change is counted as a suspicious activity. Device properties include the serial number, the device model, the name of operating system, and more.

From the Suspicious device activities panel, you can view the number of suspicious device activities during the time range that you set on the security dashboard. 

To view the Suspicious device activities report, click View Report. For details about the report, see Suspicious device activities.

Note: This panel provides data for Android devices only, and not for iOS devices.

What does OAuth scope grants look like by product?

Available for G Suite Enterprise, Drive Enterprise, and Cloud Identity Premium Edition

OAuth scopes allow apps to request well-defined, limited access to certain user data. By specifying OAuth scopes, an app lets the user know what permissions or access it needs. Access is provided to the app if the user permits it.
From the OAuth scope grants by product panel, you can see the number of OAuth scope grants over time for Gmail, Drive, Calendar, G Suite Admin, Contacts, Identity, and all other products such as Google+ and Chat.

The chart displays OAuth scope grants for the following products:

  • Gmail
  • Drive
  • Calendar
  • G Suite Admin
  • Contacts
  • Identity
  • All other products (such as Google+ and Chat)

To view more details about OAuth scope grants, click View Report. For details, see OAuth scope grants by product.

Which apps have had the highest change in OAuth grant activity?

Available for G Suite Enterprise, Drive Enterprise, and Cloud Identity Premium Edition

OAuth (Open Authorization) is an open standard that grants permission to third-party services to access a user's account information without exposing the user's password.

From the OAuth grant activity panel, you can monitor the OAuth grant activity in your organization.

Apps in the OAuth grant activity panel are ranked by the highest OAuth grant activity change during a specified time period.  This chart compares the time period that you specify on the dashboard against the previous time period of the same duration.

The chart displays the following:

  • App name
  • Number of OAuth grants since the last time period
  • Percentage change (increase or decrease) since the last time period

To view more details about OAuth grant activity, click View Report. For details about the report, see OAuth grant activity report.

Which new apps have been granted OAuth tokens?

Available for G Suite Enterprise, Drive Enterprise, and Cloud Identity Premium Edition

From the OAuth grants to new apps panel, you can monitor which new apps have been granted OAuth tokens.

This chart compares the time period that you specify on the dashboard against the previous time period of the same duration.

The chart displays the following:

  • App name
  • Number of OAuth grants

To view more details about OAuth grants to new apps, click View Report. For details about the report, see OAuth grants to new apps report.

Which messages have attachments from untrusted senders?

Available for G Suite Enterprise and Cloud Identity Premium Edition

From this panel, you can view the number of messages with attachments from untrusted senders.

Untrusted senders are senders with no prior Gmail history, or have a low sender reputation. Attachments from untrusted senders, particularly those attachments that are encrypted or contain scripts, present a higher risk of malicious content. 

To view the Attachments from untrusted senders report, click View Report. For details about the report, see Attachments from untrusted senders report.

Which messages show evidence of potential spoofing?

Available for G Suite Enterprise and Cloud Identity Premium Edition

From the Spoofing panel, you can view the number of messages showing evidence of potential spoofing. Messages showing evidence of potential spoofing may contain phishing attempts.

To view the Spoofing report, click View Report. For details about the report, see Spoofing report.

What login challenge methods have been used?

Available for Beta customers of G Suite Enterprise, Drive Enterprise, and Cloud Identity Premium Edition

There are various login challenge methods available that may be in use across your user base. In this chart, the login challenge methods are displayed by percentage of use in your domain.

Enforcing a 2-Step Verification (2SV) login challenge (also known as two-factor authentication) adds an extra layer of security to user accounts. Users with 2SV enforced will need to sign in with something they know (a password) and something they have (a code sent to their phone, for example).

To view the User login attempts report, click View Report. For details about the report, see User login attempts report.

How many times were there failed user login attempts?

Available for Beta customers of G Suite Enterprise, Drive Enterprise, and Cloud Identity Premium Edition

If a user attempts to log in to their account and is unsuccessful, it is counted as a failure. This chart helps you identify any spikes or suspicious changes in the amount of failed logins for your domain.

To view the User login attempts report, click View Report. For details about the report, see User login attempts report.

How many times were there suspicious user login attempts?

Available for Beta customers of G Suite Enterprise, Drive Enterprise, and Cloud Identity Premium Edition

A login attempt is considered suspicious if it had unusual characteristics -- for example if the user logged in from an unfamiliar IP address. 

To view the User login attempts report, click View Report. For details about the report,see User login attempts report.

Related topics

Was this article helpful?
How can we improve it?