Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus. Compare your edition
As an administrator, you can use the security dashboard to see an overview of different security reports. By default, each security report panel displays data from the last month. You can customize the dashboard to view data from Today, Yesterday, This week, Last week, This month, Last month, or Days ago (up to 180 days).
Note: The availability of each individual report on the security dashboard depends on your Google Workspace edition. Therefore, you may not have access to all of reports described below.
View and use the dashboard
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu
Security
Security center
- To view more details about any of the reports, click View Report in the bottom-right corner of any panel.
For details about data retention and availability, see Data retention and lag times for the security dashboard.
Available reports with Google Workspace
The following reports are available when viewing the Security dashboard with your Google Workspace account:
†Not available with Frontline Standard or Enterprise Standard
See also available reports with Cloud Identity.
Available reports with Cloud Identity
The follow reports are available when viewing the Security dashboard with your Cloud Identity account:
See also available reports with Google Workspace.
View trends
You can use the dashboard to quickly view trends—for example, to see at a glance whether external file sharing has increased or decreased during a specific time period.
Each panel on the dashboard displays the percentage change over time of the data. For example, if the date range on the dashboard is set to the last 10 days and the number of authenticated messages has increased by 25% in the last 10 days, under Authenticated, you’ll see +25%. (Sometimes this percentage is not displayed due to insufficient data.)
Compare current and historical data
To compare the current data to historical data, in the top right, from the Statistical analysis menu, select Percentile (not available for all Security dashboard charts). You’ll see an overlay on the chart to show the 10th, 50th, and 90th percentile of historical data (180 days for most data and 30 days for Gmail data). Then, to change the analysis, at the top right of the chart, use the menu to change the overlay line.
Data retention and lag times for the security dashboard
Data retention
Depending on the security report type, data is retained for 30 or 180 days.
These reports have data from the last 30 days:
- Suspicious attachments
- Authentication
- Custom settings
- Encryption
- Message delivery
- Spam filter
- Spoofing
- User reports
These reports have data from the last 180 days:
- Compromised device events
- File exposure
- Failed device password attempts
- OAuth scope grants by product
- OAuth grant activity
- OAuth grants to new apps
- Suspicious device activities
- User login attempts
- Chrome threat summary
- Chrome data protection
- Chrome high risk users
- Chrome high risk domains
- Client-side encryption
- Client-side decryption
Lag times
It takes time before data is available for the various dashboard reports. For each of the predefined dashboard reports, lag times are approximately 4 hours. For custom reports, lag times are less than 1 hour.
What does external file sharing look like for the domain?
Use this panel for an overview of the number of sharing events to users outside of your domain for a specified time period, and the number of views. You can see the following details by clicking the tabs at the top of the panel:
- Shares—Number of sharing events on externally visible files
- Views—Number of views of externally visible files
To view the File exposure report, click View Report. For details about the report, see File exposure report.
About externally visible files
Externally visible files are files that are shared with these methods:
- Public on the web—Anyone on the internet can find and access. No sign-in required.
In the Link sharing window, the user chooses: On - Public on the web. - Anyone with the link—Anyone who has the link can access. No sign-in required.
In the Link sharing window, the user chooses: On - Anyone with the link. - Shared externally with specific people—The users are outside of your domain.
In the Link sharing window, the user chooses: Off - Specific people, and shares the file with a specific user outside of the domain.
Note:
- For the external file sharing chart, the data displays a comparison to the last time range. For example, if you select a time range of Last 7 days, the delta shown in the chart is a comparison against the previous week.
- There may be a delay of 1 hour or more for Drive data to be displayed in the security center for some domains.
How many messages were authenticated?
Email authentication standards like DKIM and SPF can protect your domain from certain types of email threats like phishing. This chart shows inbound and outbound messages broken down by Authenticated and Unauthenticated:
- Authenticated--Messages that meet email authentication standards like DKIM and SPF
- Unauthenticated--Messages that don't have any email authentication
To view the Authentication report, click View Report. For details about the report, see Authentication report.
How many messages were affected by your custom settings?
The consequence of messages sent to your domain (for example, whether messages are rejected, rerouted, whitelisted, or quarantined) is determined by how Gmail custom settings are configured for your domain. These settings can sometimes override Gmail's spam filter, which determines whether a message is marked as clean or spam.
The Custom settings panel enables you to quickly view how many messages in your domain were affected by a disagreement between your spam filters and custom Gmail settings:
- All—Number of messages whose consequence was determined by your Gmail configuration
- Disagree—Number of messages where your domain's Gmail configuration and Gmail's spam filter disagree on the consequence
To view the Custom settings report, click View Report. For details about the report, see Custom settings report.
How often are DLP rules violated in relation to severity?
You can use data loss prevention (DLP) rules to control what sensitive information users can share.
From the DLP incidents panel, you can monitor the number of DLP incidents during the specified date range. Incidents are organized into 3 levels of severity—high, medium, and low. The total number of incidents by severity is displayed under the chart.
To see more information about DLP incidents in your organization, click View Report. For details about the report, see DLP incidents report.
What are the top policies causing the highest number of incidents?
From the Top policy incidents panel, you can monitor the top policies causing the highest number of incidents during a specified date range.
From the chart, you can see the number of incidents for each policy organized by service (for example, Google Drive). Incidents are ranked by the highest number of policy incidents during a specified date range. At the bottom of the chart, you see the total number of incidents for the top policies for Drive.
To see more information about top policy incidents in your organization, click View Report. For details about the report, see Top policy incidents report.
How many messages were encrypted?
You can monitor the security of your domain by viewing how many messages were encrypted with Transport Layer Security (TLS).
TLS is a protocol that encrypts and delivers mail securely for both inbound and outbound mail traffic. It helps prevent eavesdropping between mail servers. Use the Encryption panel to view statistics related to TLS and to view trends over a specific time period--for example, whether the use of TLS is increasing or decreasing:
- TLS—Messages that were sent using the Transport Layer Security (TLS) protocol
- Non-TLS—Messages that were sent without using the Transport Layer Security (TLS) protocol
To view the Encryption report, click View Report. For details about the report, see Encryption report.
What does inbound message volume look like?
The Gmail spam filter protects your domain by automatically rejecting most blatant spam and malware messages. Additionally, some Gmail advanced settings can override the spam filter and either accept or reject messages. Use the Message delivery panel to view how many messages were accepted, and how many messages were rejected for a specific time period:
- Accepted—Number of messages that were accepted into the domain because of your Gmail settings or the Gmail spam filter
- Rejected—Number of messages that were blocked from entering the domain because of your Gmail settings or the Gmail spam filter.
To view the Message delivery report, click View Report. For details about the report, see Message delivery report.
How are incoming messages being routed?
Messages can be marked as spam by the Gmail spam filter and placed in users' spam folders. Using the Spam filter - All panel, you can view how many messages were marked as spam, phishing, or malware during a specific time period.
If a message is considered suspicious but also has positive qualities (for example, if the message's sender is whitelisted) then the message may be placed in a user's inbox. Incoming messages are placed in one of these two destinations:
- Spam folder—Number of messages that are confirmed to be spam, phishing, or malware that are placed in the user’s spam folder.
- Inbox—Number of messages that are marked as clean, or that are considered suspicious but also have positive qualities, that are placed in the user’s inbox.
Note: Third-party inbound mail filtering systems can sometimes affect Spam results and therefore affect the data in the Spam filter - All panel. Additionally, some Gmail custom settings can override the spam filter and either accept or reject messages.
To view the Spam filter report, click View Report in the Spam filter - All panel. For details about the report, see Spam filter report.
How are potential phishing emails being routed?
Messages can be marked as phishing by the Gmail spam filter and placed in users' spam folders. Using the Spam filter - Phishing panel, you can view how many messages were marked as phishing during a specific time period.
If a message is considered suspicious but also has positive qualities—for example, if the message's sender is whitelisted—then the message may be placed in a user's inbox. Incoming messages identified as possible phishing threats are placed in one of these two destinations:
- Spam folder—Number of messages that are confirmed to be phishing that are placed in the user’s spam folder.
- Inbox—Number of messages that are marked as clean, or that are considered suspicious but also have positive qualities, that are placed in the user’s inbox.
Note: Third-party inbound mail filtering systems can sometimes affect Spam results and therefore affect the data in the Spam filter - Phishing panel. Additionally, some Gmail custom settings can override the spam filter and either accept or reject messages.
To view the Spam filter report, click View Report in the Spam filter - Phishing panel. For details about the report, see Spam filter report.
When were messages marked as malware?
Messages can be marked as malware by the Gmail spam filter and placed in users' spam folders. Using the Spam filter - Malware panel, you can view how many messages were identified as malware during a specific time period.
Incoming messages can be identified as malware either before or after they are delivered to a user’s inbox:
- Pre-delivery—Messages with attachments confirmed to be malware before they are delivered are placed in the user’s spam folder, with the attachments disabled.
- Post-delivery—Messages with attachments that pass initial malware checks are placed in the user’s inbox, but may be identified as malware after the fact by longer-running malware scans. Attachments are disabled once they are classified as malware.
To view the Spam filter report, click View Report in the Spam filter - Malware panel. For details about the report, see Spam filter report.
How are users marking their emails?
Email users can report messages in their inboxes as spam, not spam, or phishing. In Gmail, this action trains the system to identify similar messages as spam, not spam, or phishing in the future. From the User reports panel on the Overview page, you quickly view these statistics for a specific time period:
- Not spam—Number of messages marked as Not spam
- Spam—Number of messages marked as Spam
- Phishing—Number of messages marked as Phishing
To view the User reports report, click View Report. For details about the report, see User reports report.
How many times were there failed password attempts on devices?
Only Android mobile devices under advanced management are included in this report.
A failed password attempt is defined as 6 consecutive unsuccessful password attempts made from a device, with each subsequent unsuccessful attempt counting as an additional failed attempt.
For example, 6 consecutive failed attempts would count as 1 failed attempt, 7 consecutive failed attempts would count as 2, 8 consecutive failed attempts would count as 3, and so on.
From the Failed device password attempts panel, you can view the number of failed attempts over time.
To view the Failed device password attempts report, click View Report. This enables you to view more details about these events, including the device IDs and the device owners. For details about the report, see Failed device password attempts.
What compromised device events have been detected?
Only Android and iOS mobile devices under advanced management are included in this report.
A device may be counted as compromised if certain unusual events are detected:
- Android devices—An Android device is counted as compromised if the device has been rooted. If a device is rooted, users might be able to modify the software code on the device, or install software that's normally not allowed by the manufacturer.
- iOS devices—An iOS device is counted as compromised if the device has been jailbroken. A jailbreak might enable the installation of unofficial apps, the modification of previously restricted settings, or the bypassing of security controls.
From the Compromised device events panel, you can view the number of compromised device events during the time range that you set on the security dashboard.
To view the Compromised device events report, click View Report. This enables you to view more details about these events, including the device IDs and the device owners. For details about the report, see Compromised device events.
What suspicious device activities have been detected?
Only Android mobile devices under advanced management are included in this report.
If a device property is updated on a mobile device, this change is counted as a suspicious activity. Device properties include the serial number, the device model, the name of operating system, and more.
From the Suspicious device activities panel, you can view the number of suspicious device activities during the time range that you set on the security dashboard.
To view the Suspicious device activities report, click View Report. For details about the report, see Suspicious device activities.
What do OAuth scope grants look like by product?
You can use OAuth scopes to allow apps to request well-defined, limited access to certain user data. By specifying OAuth scopes, an app lets the user know what permissions or access it needs. Access is provided to the app if the user permits it.
From the panel, you can see the number of OAuth scope grants over time for:
- Gmail
- Drive
- Calendar
- Google Workspace Admin
- Contacts
- Cloud Identity
- All other products (such as Google+ and Google Chat)
To see more, click View Report. For details on the report, see OAuth scope grants by product.
Which apps have had the highest change in OAuth grant activity?
OAuth (Open Authorization) is an open standard that grants permission to third-party services to access a user's account information without exposing the user's password.
From the OAuth grant activity panel, you can monitor the OAuth grant activity in your organization.
Apps in the OAuth grant activity panel are ranked by the highest OAuth grant activity change during a specified time period. This chart compares the time period that you specify on the dashboard against the previous time period of the same duration.
The chart displays the following:
- App name
- Number of OAuth grants since the last time period
- Percentage change (increase or decrease) since the last time period
To view more details about OAuth grant activity, click View Report. For details about the report, see OAuth grant activity report.
Which new apps have been granted OAuth tokens?
From the OAuth grants to new apps panel, you can monitor which new apps have been granted OAuth tokens.
This chart compares the time period that you specify on the dashboard against the previous time period of the same duration.
The chart displays the following:
- App name
- Number of OAuth grants
To view more details about OAuth grants to new apps, click View Report. For details about the report, see OAuth grants to new apps report.
Which messages contain suspicious attachments?
From this panel, you can view the number of messages with suspicious attachments.
To view the Suspicious attachments report, click View Report. For details about the report, see Suspicious attachments report.
Which messages show evidence of potential spoofing?
From the Spoofing panel, you can view the number of messages showing evidence of potential spoofing. Messages showing evidence of potential spoofing may contain phishing attempts.
To view the Spoofing report, click View Report. For details about the report, see Spoofing report.
Which messages contain suspicious attachments?
From this panel, you can view the number of messages with suspicious attachments.
To view the Suspicious attachments report, click View Report. For details about the report, see Suspicious attachments report.
Which messages show evidence of potential spoofing?
From the Spoofing panel, you can view the number of messages showing evidence of potential spoofing. Messages showing evidence of potential spoofing may contain phishing attempts.
To view the Spoofing report, click View Report. For details about the report, see Spoofing report.
What login challenge methods have been used?
There are various login challenge methods available that may be in use across your user base. In this chart, the login challenge methods are displayed by percentage of use in your domain.
Enforcing a 2-Step Verification (2SV) login challenge (also known as two-factor authentication) adds an extra layer of security to user accounts. Users with 2SV enforced will need to sign in with something they know (a password) and something they have (a code sent to their phone, for example).
To view the User login attempts report, click View Report. For details about the report, see User login attempts report.
How many times were there failed user login attempts?
If a user attempts to log in to their account and is unsuccessful, it is counted as a failure. This chart helps you identify any spikes or suspicious changes in the amount of failed logins for your domain.
To view the User login attempts report, click View Report. For details about the report, see User login attempts report.
How many times were there suspicious user login attempts?
A login attempt is considered suspicious if it had unusual characteristics—for example if the user logged in from an unfamiliar IP address.
To view the User login attempts report, click View Report. For details about the report, see User login attempts report.
How many Chrome threat activities happened?
This chart provides an overview of threat categories and related activities. Threat categories include malware transfer, unsafe site visit, and password reuse. For each category, there are 4 possible results: attempts, prevented, bypassed, and devices bypassed.
To view the Chrome threat summary report, click View Report. For details about the report, see Chrome threat protection summary report.
How many Chrome incidents for each data protection rule?
This chart provides an overview of the number of Chrome-related incidents for the top data protection rules.
To view the Chrome data protection summary report, click View Report. For details about the report, see Chrome data protection summary report.
Which Chrome users have encountered the most threats?
This chart provides an overview of users who have encountered the highest number of unsafe Chrome-related events. Users are ranked by the number of unsafe attempts from all threat categories.
To view the Chrome high risk users report, click View Report. For details about the report, see Chrome high risk users report.
Which domains are the most risky for your Chrome users?
This chart provides an overview of the domains that are most risky for the organization, ranked by the number of unsafe attempts.
To view the Chrome high risk domains report, click View Report. For details about the report, see Chrome high risk domains report.
How many files were client-side encrypted?
This chart provides an overview of the number files in Drive that were encrypted with client-side encryption over time, by file type:
- Docs—documents
- Sheets—spreadsheets
- Slides—presentations
- Other—Microsoft Office files, PDFs, and more
To view data for specific file types, check or uncheck the boxes below the chart.
To see more information about files encrypted with CSE, and export data, click View Report. For details about the report, see Client-side encryption and decryption reports.
How many client-side encrypted files were downloaded and decrypted?
This chart provides an overview of the number of client-side encrypted files in Drive that users downloaded and decrypted over time, by file type:
- Docs—documents
- Sheets—spreadsheets
- Slides—presentations
- Other—Microsoft Office files, PDFs, and more
To view data for specific file types, check or uncheck the boxes below the chart.
To see more information about decrypted files, and export data, click View Report. For details about the report, see Client-side encryption and decryption reports.
