User login attempts report

This report is available for Beta customers of G Suite Enterprise, Drive Enterprise, and Cloud Identity Premium Edition.

You can use the user login attempts report to identify spikes in the amount of failed and suspicious logins in your domain. You can also view statistics about the challenge methods that have been used. 

This chart enables you to identify and investigate attempts to hijack user accounts in your organization.

View the user login attempts report

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Click Security.
  3. Click Dashboard.
  4. In the bottom-right corner of the User login attempts panel, click View Report.

Note: This report includes data starting from November 6, 2018, so the report will not include a full 180 days of data until approximately May 2019.

User login attempts graph

This graph displays the number of user login attempts over time. Using the drop-down menus above the graph, you can customize the graph:

Filter Description

Login outcome: All, Failed, Successful, Suspicious

All—Include all login attempts.
Failed—Include only failed login attempts.
Successful—Include only successful login attempts.
Suspicious—Include only suspicious login attempts.

Note:

  • A login attempt is considered suspicious if it had unusual characteristics—for example if the user logged in from an unfamiliar IP address. 
  • Suspicious login attempts are also Successful.
Domain Choose the domain for your report.
Date range

Customize the report to view data from Today, Yesterday, This week, Last week, This month, Last month, or Days ago (up to 180 days); or enter a Start date and End date. Click Apply after you set the date range.

To generate a spreadsheet with the graph’s data, click Export Sheet A spreadsheet corresponding to the data in the graph will be generated and saved to your My Drive folder.

Compare current and historical data

To compare the current data to historical data, in the top right, from the Statistical analysis menu, select Percentile. You’ll see an overlay on the chart to show the 10th, 50th, and 90th percentile of historical data (180 days for most data and 30 days for Gmail data). Then, to change the analysis, at the top right of the chart, use the menu to change the overlay line.

User login attempts table

To view more details about user login attempts on specific dates, click any data point in the graph. 

The table at the bottom of the page displays three different tabs: USERS, LOGIN TYPE, and CHALLENGE TYPE. Different data is displayed in each tab, depending on the type of chart at the top of the page.

Failed logins

  • USERS—Lists the users and the total number of failed logins that were associated with each user during the chosen timeframe.
  • LOGIN TYPE—Lists the login types and the total number of failed logins that were associated with each login type during the chosen timeframe. Examples of login types are SAML, Exchange, and Re-auth.
  • CHALLENGE TYPE—Lists the challenge types and the total number of failed logins that were associated with each challenge type in the chosen timeframe. Examples of challenge types are Google prompt, Password, Offline OTP, Login location, and Security key.

Suspicious logins

  • USERS—Lists the users and the total number of suspicious logins that were associated with each user during the chosen timeframe.
  • LOGIN TYPE—Lists the login types and the total number of suspicious logins that were associated with each login type during the chosen timeframe. Examples of login types are SAML, Exchange, and Re-auth.
  • CHALLENGE TYPE—Lists the challenge types and the total number of suspicious logins that were associated with each challenge type in the chosen timeframe. Examples of challenge types are Google prompt, Password, Offline OTP, Login location, and Security key.

Successful logins

  • USERS—Lists the users and the total number of successful logins that were associated with each user during the chosen timeframe.
  • LOGIN TYPE—Lists the login types and the total number of successful logins that were associated with each login type during the chosen timeframe. Examples of login types are SAML, Exchange, and Re-auth.
  • CHALLENGE TYPE—Lists the challenge types and the total number of successful logins that were associated with each challenge type in the chosen timeframe. Examples of challenge types are Google prompt, Password, Offline OTP, Login location, and Security key.
Was this article helpful?
How can we improve it?