Supported editions for this feature: Frontline Standard; Enterprise Standard and Enterprise Plus; Education Standard and Education Plus; Enterprise Essentials Plus. Compare your edition
You can use the user login attempts report to identify spikes in the amount of failed and suspicious logins in your domain. You can also view statistics about the challenge methods that have been used.
This chart enables you to identify and investigate attempts to hijack user accounts in your organization.
View the user login attempts report
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu SecuritySecurity centerDashboard.
- In the bottom-right corner of the User login attempts panel, click View Report.
User login attempts graph
This graph displays the number of user login attempts over time. Using the drop-down menus above the graph, you can customize the graph:
Filter | Description |
---|---|
Login outcome: All, Failed, Successful, Suspicious |
All—Include all login attempts. Note:
|
Domain | Choose the domain for your report. |
Date range |
Customize the report to view data from Today, Yesterday, This week, Last week, This month, Last month, or Days ago (up to 180 days); or enter a Start date and End date. Click Apply after you set the date range. |
To generate a spreadsheet with the graph’s data, click Export Sheet A spreadsheet corresponding to the data in the graph will be generated and saved to your My Drive folder.
Compare current and historical data
To compare the current data to historical data, in the top right, from the Statistical analysis menu, select Percentile (not available for all Security dashboard charts). You’ll see an overlay on the chart to show the 10th, 50th, and 90th percentile of historical data (180 days for most data and 30 days for Gmail data). Then, to change the analysis, at the top right of the chart, use the menu to change the overlay line.
User login attempts table
To view more details about user login attempts on specific dates, click any data point in the graph.
The table at the bottom of the page displays three different tabs: USERS, LOGIN TYPE, and CHALLENGE TYPE. Different data is displayed in each tab, depending on the type of chart at the top of the page.
Failed logins
- USERS—Lists the users and the total number of failed logins that were associated with each user during the chosen timeframe.
- LOGIN TYPE—Lists the login types and the total number of failed logins that were associated with each login type during the chosen timeframe. Examples of login types are SAML, Exchange, and Re-auth.
- CHALLENGE TYPE—Lists the challenge types and the total number of failed logins that were associated with each challenge type in the chosen timeframe. Examples of challenge types are Google prompt, Password, Offline OTP, Login location, and Security key.
Suspicious logins
- USERS—Lists the users and the total number of suspicious logins that were associated with each user during the chosen timeframe.
- LOGIN TYPE—Lists the login types and the total number of suspicious logins that were associated with each login type during the chosen timeframe. Examples of login types are SAML, Exchange, and Re-auth.
- CHALLENGE TYPE—Lists the challenge types and the total number of suspicious logins that were associated with each challenge type in the chosen timeframe. Examples of challenge types are Google prompt, Password, Offline OTP, Login location, and Security key.
Successful logins
- USERS—Lists the users and the total number of successful logins that were associated with each user during the chosen timeframe.
- LOGIN TYPE—Lists the login types and the total number of successful logins that were associated with each login type during the chosen timeframe. Examples of login types are SAML, Exchange, and Re-auth.
- CHALLENGE TYPE—Lists the challenge types and the total number of successful logins that were associated with each challenge type in the chosen timeframe. Examples of challenge types are Google prompt, Password, Offline OTP, Login location, and Security key.