Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus. Compare your edition
This feature is available with Cloud Identity Premium edition. Compare editions
As an administrator, you can use the security dashboard to see an overview of different security reports. By default, each security report panel displays data from the last month. You can customize the dashboard to view data from Today, Yesterday, This week, Last week, This month, Last month, or Days ago (up to 180 days).
Note: The availability of each individual report on the security dashboard depends on your Google Workspace edition. Therefore, you may not have access to all of reports described below.
View and use the dashboard
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu
Security
Security center
- To view more details about any of the reports, click View Report in the bottom-right corner of any panel.
For details about data retention and availability, see Data retention and lag times for the security dashboard.
Available reports with Cloud Identity
The follow reports are available when viewing the Security dashboard with your Cloud Identity account:
See also available reports with Google Workspace.
View trends
You can use the dashboard to quickly view trends—for example, to see at a glance whether external file sharing has increased or decreased during a specific time period.
Each panel on the dashboard displays the percentage change over time of the data. For example, if the date range on the dashboard is set to the last 10 days and the number of authenticated messages has increased by 25% in the last 10 days, under Authenticated, you’ll see +25%. (Sometimes this percentage is not displayed due to insufficient data.)
Compare current and historical data
To compare the current data to historical data, in the top right, from the Statistical analysis menu, select Percentile (not available for all Security dashboard charts). You’ll see an overlay on the chart to show the 10th, 50th, and 90th percentile of historical data (180 days for most data and 30 days for Gmail data). Then, to change the analysis, at the top right of the chart, use the menu to change the overlay line.
Data retention and lag times for the security dashboard
Data retention
Depending on the security report type, data is retained for 30 or 180 days.
These reports have data from the last 30 days:
- Suspicious attachments
- Authentication
- Custom settings
- Encryption
- Message delivery
- Spam filter
- Spoofing
- User reports
These reports have data from the last 180 days:
- Compromised device events
- File exposure
- Failed device password attempts
- OAuth scope grants by product
- OAuth grant activity
- OAuth grants to new apps
- Suspicious device activities
- User login attempts
- Chrome threat summary
- Chrome data protection
- Chrome high risk users
- Chrome high risk domains
- Client-side encryption
- Client-side decryption
Lag times
It takes time before data is available for the various dashboard reports. For each of the predefined dashboard reports, lag times are approximately 4 hours. For custom reports, lag times are less than 1 hour.
How many times were there failed password attempts on devices?
Only Android mobile devices under advanced management are included in this report.
A failed password attempt is defined as 6 consecutive unsuccessful password attempts made from a device, with each subsequent unsuccessful attempt counting as an additional failed attempt.
For example, 6 consecutive failed attempts would count as 1 failed attempt, 7 consecutive failed attempts would count as 2, 8 consecutive failed attempts would count as 3, and so on.
From the Failed device password attempts panel, you can view the number of failed attempts over time.
To view the Failed device password attempts report, click View Report. This enables you to view more details about these events, including the device IDs and the device owners. For details about the report, see Failed device password attempts.
What compromised device events have been detected?
Only Android and iOS mobile devices under advanced management are included in this report.
A device may be counted as compromised if certain unusual events are detected:
- Android devices—An Android device is counted as compromised if the device has been rooted. If a device is rooted, users might be able to modify the software code on the device, or install software that's normally not allowed by the manufacturer.
- iOS devices—An iOS device is counted as compromised if the device has been jailbroken. A jailbreak might enable the installation of unofficial apps, the modification of previously restricted settings, or the bypassing of security controls.
From the Compromised device events panel, you can view the number of compromised device events during the time range that you set on the security dashboard.
To view the Compromised device events report, click View Report. This enables you to view more details about these events, including the device IDs and the device owners. For details about the report, see Compromised device events.
What suspicious device activities have been detected?
Only Android mobile devices under advanced management are included in this report.
If a device property is updated on a mobile device, this change is counted as a suspicious activity. Device properties include the serial number, the device model, the name of operating system, and more.
From the Suspicious device activities panel, you can view the number of suspicious device activities during the time range that you set on the security dashboard.
To view the Suspicious device activities report, click View Report. For details about the report, see Suspicious device activities.
What do OAuth scope grants look like by product?
You can use OAuth scopes to allow apps to request well-defined, limited access to certain user data. By specifying OAuth scopes, an app lets the user know what permissions or access it needs. Access is provided to the app if the user permits it.
From the panel, you can see the number of OAuth scope grants over time for:
- Gmail
- Drive
- Calendar
- Google Workspace Admin
- Contacts
- Cloud Identity
- All other products (such as Google+ and Google Chat)
To see more, click View Report. For details on the report, see OAuth scope grants by product.
Which apps have had the highest change in OAuth grant activity?
OAuth (Open Authorization) is an open standard that grants permission to third-party services to access a user's account information without exposing the user's password.
From the OAuth grant activity panel, you can monitor the OAuth grant activity in your organization.
Apps in the OAuth grant activity panel are ranked by the highest OAuth grant activity change during a specified time period. This chart compares the time period that you specify on the dashboard against the previous time period of the same duration.
The chart displays the following:
- App name
- Number of OAuth grants since the last time period
- Percentage change (increase or decrease) since the last time period
To view more details about OAuth grant activity, click View Report. For details about the report, see OAuth grant activity report.
Which new apps have been granted OAuth tokens?
From the OAuth grants to new apps panel, you can monitor which new apps have been granted OAuth tokens.
This chart compares the time period that you specify on the dashboard against the previous time period of the same duration.
The chart displays the following:
- App name
- Number of OAuth grants
To view more details about OAuth grants to new apps, click View Report. For details about the report, see OAuth grants to new apps report.
Which messages contain suspicious attachments?
From this panel, you can view the number of messages with suspicious attachments.
To view the Suspicious attachments report, click View Report. For details about the report, see Suspicious attachments report.
Which messages show evidence of potential spoofing?
From the Spoofing panel, you can view the number of messages showing evidence of potential spoofing. Messages showing evidence of potential spoofing may contain phishing attempts.
To view the Spoofing report, click View Report. For details about the report, see Spoofing report.
What login challenge methods have been used?
There are various login challenge methods available that may be in use across your user base. In this chart, the login challenge methods are displayed by percentage of use in your domain.
Enforcing a 2-Step Verification (2SV) login challenge (also known as two-factor authentication) adds an extra layer of security to user accounts. Users with 2SV enforced will need to sign in with something they know (a password) and something they have (a code sent to their phone, for example).
To view the User login attempts report, click View Report. For details about the report, see User login attempts report.
How many times were there failed user login attempts?
If a user attempts to log in to their account and is unsuccessful, it is counted as a failure. This chart helps you identify any spikes or suspicious changes in the amount of failed logins for your domain.
To view the User login attempts report, click View Report. For details about the report, see User login attempts report.
How many times were there suspicious user login attempts?
A login attempt is considered suspicious if it had unusual characteristics—for example if the user logged in from an unfamiliar IP address.
To view the User login attempts report, click View Report. For details about the report, see User login attempts report.
How many Chrome threat activities happened?
This chart provides an overview of threat categories and related activities. Threat categories include malware transfer, unsafe site visit, and password reuse. For each category, there are 4 possible results: attempts, prevented, bypassed, and devices bypassed.
To view the Chrome threat summary report, click View Report. For details about the report, see Chrome threat protection summary report.
How many Chrome incidents for each data protection rule?
This chart provides an overview of the number of Chrome-related incidents for the top data protection rules.
To view the Chrome data protection summary report, click View Report. For details about the report, see Chrome data protection summary report.
Which Chrome users have encountered the most threats?
This chart provides an overview of users who have encountered the highest number of unsafe Chrome-related events. Users are ranked by the number of unsafe attempts from all threat categories.
To view the Chrome high risk users report, click View Report. For details about the report, see Chrome high risk users report.
Which domains are the most risky for your Chrome users?
This chart provides an overview of the domains that are most risky for the organization, ranked by the number of unsafe attempts.
To view the Chrome high risk domains report, click View Report. For details about the report, see Chrome high risk domains report.
How many files were client-side encrypted?
This chart provides an overview of the number files in Drive that were encrypted with client-side encryption over time, by file type:
- Docs—documents
- Sheets—spreadsheets
- Slides—presentations
- Other—Microsoft Office files, PDFs, and more
To view data for specific file types, check or uncheck the boxes below the chart.
To see more information about files encrypted with CSE, and export data, click View Report. For details about the report, see Client-side encryption and decryption reports.
How many client-side encrypted files were downloaded and decrypted?
This chart provides an overview of the number of client-side encrypted files in Drive that users downloaded and decrypted over time, by file type:
- Docs—documents
- Sheets—spreadsheets
- Slides—presentations
- Other—Microsoft Office files, PDFs, and more
To view data for specific file types, check or uncheck the boxes below the chart.
To see more information about decrypted files, and export data, click View Report. For details about the report, see Client-side encryption and decryption reports.