As your organization's administrator, you can monitor your users' exposure to data compromise by opening a security report. Under User Reports, the Security report provides a comprehensive view of how people share and access data and whether they take appropriate security precautions. For example, you can review who installs external apps, shares numerous files, skips 2-Step Verification, and uses security keys.
Step 1: Open the security report
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu
Reporting
User Reports
Step 2: Review the data
The Security report is based on the following user data.
Note: Depending on your Google Workspace edition, you might not have access to some of the activity reports.
Expand section | Collapse all & go to top
General| Report column | Description |
|---|---|
| External apps |
Number of third-party applications authorized to access the user's data Note: To view application names for each user and revoke the access of external apps, go to View user security settings and revoke access |
| 2-Step Verification enrollment |
Lists if a user is enrolled in 2-Step Verification. Note: This data could be delayed up to 48 hours. To view real-time 2-Step Verification status for each user, go to View user security settings and revoke access. |
| 2-Step Verification enforcement | Lists if a user is required to be enrolled in 2-Step Verification |
| Password length compliance |
Whether the user is compliant or non-compliant with password-length requirements. For instructions on setting password requirements, go to Enforce and monitor users' password requirements. Note: If 'Unknown' appears, the user's password may have been set using a hash method. See When password policies don't apply. |
| Password strength |
Whether the user has a strong or weak password based on the password requirements set by an administrator. For instructions on setting password requirements, go to Enforce and monitor users' password requirements. Note: If 'Unknown' appears, the user's password might have been set using a hash method. See When password policies don't apply. |
| User account status |
User’s account status (Active, Blocked, or Suspended)
Note: The Active user account status includes soft-deleted users. |
| Admin status | User's administrative access (Super admin, Administrator, or None) |
| Less secure apps access | Whether the user can block or allow less secure app access to their own accounts (Allowed or Denied) |
| Security keys enrolled | Total number of security keys enrolled by the users of this domain |
| Report column | Description |
|---|---|
| Gmail (POP) - last used time | Last time the user used a Post Office Protocol (POP) access Gmail |
| Gmail (IMAP) - last used time | Last time the user used Internet Message Access Protocol (IMAP) mail server access Gmail |
| Gmail (Web) - last used time | Last time the user used web-based Gmail. Note that this timestamp is not synced with the Last Login timestamp |
The new metrics definitions include “added”. This definition differs from previous metrics because it counts when “addition” events occur. Addition type events include creating a file, uploading, untrashing, or ownership transfer. This activity gets reported regardless of the final state of the item. Multiple addition events to the same file do not give a cumulative total. The report only reflects the daily change to the total.
| Report column | Description |
|---|---|
| External shares | Number of external file sharing events performed by the user |
| Internal shares | Number of internal file sharing events performed by the user |
| Public | Number of file sharing events performed by users in the domain that are made publicly available |
| Anyone with link | Number of file sharing events performed by users in the domain that are available to anyone with the link |
| Anyone in domain with link shares | Number of file sharing events performed by users in the domain that are shared with anyone in the domain with the link |
| Anyone in domain shares | Number of file sharing events performed by users in the domain that are visible to anyone in the domain |
| Outside domain | Number of file sharing events performed by users in the domain shared explicitly with individuals or groups outside the domain |
| Within domain shares | Number of file sharing events performed by users in the domain shared explicitly with a user or group in the domain |
| Private shares | Number of Drive files that are not shared at all |
Note: All the metrics for the above activities capture the daily change in number of their respective fields.
Step 3: Customize the data in the report
- Open your report as described above.
- Click Settings
.
- (Optional) To add columns to the chart, next to Add new column, click the Down arrow
and select options from the list.
- (Optional) To remove an item from the chart, next to that item, click Remove
.
- (Optional) To rearrange columns, drag and drop an item to a new position.
- Click Save.
Step 4: Filter data and export the report
Expand section | Collapse all & go to top
You can narrow your report to show users or specific events. For example, you can create a filter to find all users who are using 2-Step Verification. Or you can create a filter to list people who share numerous external links.
- Open the report as described in Step 1 above.
- At the top of the report, click Add a filter.
- Click one of the filters from the list, enter the criteria, and click Apply.
You can filter by organizational unit to compare statistics between child organizations in a domain.
- Open your report as described above.
- At the top of the report, click Organizational unit
- Click Apply.
You can only filter the current organization hierarchy, even when searching for older data. Data before December 20, 2018 will not appear in the filtered results.
You can also filter the data in your report by group. Before a group will appear in this filter, you need to add the group to your filtering groups allowlist.
For details about using group filters, see Filtering results by Google Group.
Step 1: Add a group to your filtering groups allowlist:
- Open your report as described above.
- At the top of the report, click Group filter
- Click Filtering groups.
The Filtering groups page displays. - Click Add Groups.
- Search for a group by entering the first few characters of its name or email address. When you see the group you want, select it.
- (Optional) To add another group, search for and select the group.
- When you finish selecting groups, click Add.
- (Optional) To remove a group, click Remove group
- Click Save.
Changes can take up to 24 hours but typically happen more quickly. Learn more
Step 2: Filter audit log by group
- Open your report as described above.
- At the top of the report, click Group filter
- Select one or more groups and click Apply.
You can export your report data to a Google Sheet, or download it as a CSV file.
- Open your report as described in Step 1 above.
- (Optional) Change the data to be included in your export as described in Step 3 above.
- On the report, click Download
.
- Select which columns to include and the format of the report.
- Click Download.
You can export up to 100,000 rows.
You won’t see complete data up to the present day. Instead, under the graph heading you'll see the latest date for the column data. The table under the graph shows 1-day data for the latest date.
Occasionally, you'll see an asterisk "*" next to a column name. The asterisk indicates that the data in this particular column might be stale compared to the data in other columns.
For details on when data becomes available and how long it's retained, go to Data retention and lag times.
