Identifying Unusual Login Activity

GAT provides two ways to help Admins track unusual login activity. The principal area for examining all login activity is the ‘User Log-in Reports’ section.

GAT dashboard

Clicking on it takes you to an overview of all login activity, including a map of where the logins are coming from.

The map is the first major visual indicator of unusual activity: do you see a login from a city where you have no users? (Madrid is beautiful, by the way, and not ‘strange’ at all...  🙂 )

Clicking on a map marker shows you the IP address for that login. You can then search by that IP address in the search area above the map to list every account that was accessed, or that someone attempted to access, from that address.


Another powerful use of this data is to select just the ‘Failed Logins’ (click on the link in the table at the top). With only failed logins showing, sort by IP address. Do you see many different accounts failing from the one IP address? That is the classic pattern of an attacker working through a list of accounts (password spraying or credential stuffing): why would every account from that address fail to log in? One caveat before acting: a shared office, VPN or proxy egress address can produce the same pattern right after a forced password change, so check who the address belongs to first.


If you have a lot of IP addresses, a useful tip is to select ‘Clear Filter’, select ‘View by IP’ and then sort on the % Negative column. A high % Negative on a small number of attempts is not of great concern (one user mistyping a password twice is 100% negative). A high number of attempts together with a high % Negative calls for a closer look at that IP address: cut and paste the address into the search box, then switch back to viewing by events after the search to see the individual logins.


The second way GAT watches your back is via the Alarms section (select ‘Alarms’ on the home page).

From here, check the box ‘Alert on new IP addresses with Negative logins’. GAT remembers every IP address that has ever logged in to your domain; if the very first attempt from an address it has never seen before is a failure, that is a concern, and GAT sends you an email right away.

Finally, a very common attack on domain accounts goes through dormant accounts, because nobody is watching them and a successful login can go unnoticed for a long time. It is well worth setting the alert for when an idle account is suddenly used again. Be careful here, though: even someone sharing a file with that account generates an activity flag on Google, so this tends to be a low-grade alert that deserves a second look rather than an immediate response.
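The checks described above, reduced to code. The Python below is an added example and is not part of GAT or of this article: it runs the same heuristics (many accounts failing from one IP, a high attempt count together with a high % Negative, a never-seen IP whose first attempt fails, and a dormant account logging in again) over a constructed list of login events. The event tuples, the thresholds (min_accounts, min_attempts, min_pct_negative, idle_days) and the KNOWN_IPS set are assumptions made for illustration, not GAT's own data, report columns or alarm settings.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of login events for illustration (not real GAT data).
# Each entry: (timestamp, account, source IP, login succeeded?)
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:00", "alice@example.com", "203.0.113.10", True),
    ("2024-03-01T08:05:00", "bob@example.com", "203.0.113.10", True),
    ("2024-03-01T08:10:00", "carol@example.com", "203.0.113.10", False),  # one mistyped password
    ("2024-03-01T08:11:00", "carol@example.com", "203.0.113.10", True),
    ("2024-03-02T02:00:00", "alice@example.com", "192.0.2.55", False),  # many accounts, one IP, all failing
    ("2024-03-02T02:00:30", "bob@example.com", "192.0.2.55", False),
    ("2024-03-02T02:01:00", "carol@example.com", "192.0.2.55", False),
    ("2024-03-02T02:01:30", "dave@example.com", "192.0.2.55", False),
    ("2024-03-02T02:02:00", "erin@example.com", "192.0.2.55", False),
    ("2024-03-02T02:02:30", "frank@example.com", "192.0.2.55", False),
    ("2024-03-03T09:00:00", "grace@example.com", "198.51.100.7", False),  # known IP, ordinary typo
    ("2024-03-03T09:01:00", "grace@example.com", "198.51.100.7", True),
    ("2024-03-04T10:00:00", "dave@example.com", "203.0.113.10", True),
    ("2024-03-05T11:00:00", "alice@example.com", "198.51.100.200", False),  # never-seen IP, first try fails
    ("2024-03-05T11:01:00", "alice@example.com", "198.51.100.200", True),
    ("2024-06-20T10:00:00", "dave@example.com", "203.0.113.10", True),  # dave idle for months, then back
]

# Addresses assumed to be already "remembered" before this window (an assumption).
KNOWN_IPS = {"203.0.113.10", "198.51.100.7"}

def _ts(s):
    return datetime.fromisoformat(s)

def _chronological(events):
    return sorted(events, key=lambda e: _ts(e[0]))

def failed_accounts_by_ip(events):
    """'Failed Logins' sorted by IP: which accounts failed from each address."""
    out = defaultdict(set)
    for _, user, ip, ok in events:
        if not ok:
            out[ip].add(user)
    return {ip: sorted(users) for ip, users in out.items()}

def spraying_candidates(events, min_accounts=3):
    """Addresses from which several different accounts all failed to log in."""
    return sorted(ip for ip, users in failed_accounts_by_ip(events).items()
                  if len(users) >= min_accounts)

def ip_summary(events):
    """'View by IP': attempts, failures and % Negative per source address."""
    attempts, failures = defaultdict(int), defaultdict(int)
    for _, _, ip, ok in events:
        attempts[ip] += 1
        if not ok:
            failures[ip] += 1
    return {ip: {"attempts": attempts[ip], "failures": failures[ip],
                 "pct_negative": round(100.0 * failures[ip] / attempts[ip], 1)}
            for ip in attempts}

def ips_worth_a_closer_look(events, min_attempts=5, min_pct_negative=50.0):
    """Many attempts AND a high % Negative; a high percentage on a few attempts is ignored."""
    return sorted(ip for ip, s in ip_summary(events).items()
                  if s["attempts"] >= min_attempts and s["pct_negative"] >= min_pct_negative)

def new_ip_first_attempt_failures(events, known_ips):
    """Alarm: the very first attempt from a never-seen address was a failure."""
    seen = set(known_ips)
    alerts = []
    for ts, user, ip, ok in _chronological(events):
        if ip not in seen:
            seen.add(ip)  # remember the address from now on
            if not ok:
                alerts.append((ip, user, ts))
    return alerts

def reactivated_dormant_accounts(events, idle_days=90):
    """Alarm: an account with no successful login for idle_days or more logs in again."""
    last_login = {}
    alerts = []
    for ts, user, _, ok in _chronological(events):
        if not ok:
            continue
        if user in last_login:
            gap = (_ts(ts) - _ts(last_login[user])).days
            if gap >= idle_days:
                alerts.append((user, gap, ts))
        last_login[user] = ts
    return alerts

if __name__ == "__main__":
    print("accounts failing per IP:", failed_accounts_by_ip(SAMPLE_EVENTS))
    print("possible spraying from:", spraying_candidates(SAMPLE_EVENTS))
    print("look closer at:", ips_worth_a_closer_look(SAMPLE_EVENTS))
    print("new IP, first attempt failed:", new_ip_first_attempt_failures(SAMPLE_EVENTS, KNOWN_IPS))
    print("dormant account back:", reactivated_dormant_accounts(SAMPLE_EVENTS))
```

Note that the sample shows why the attempt count matters alongside % Negative: 198.51.100.7 is 50% negative but on only two attempts, so it is not flagged, while 192.0.2.55 is flagged both for six different accounts failing and for six attempts at 100% negative. The dormant-account check here counts only successful logins; GAT's alert also fires on other activity such as a file being shared with the account, which is why the article calls it a low-grade alert.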
