Login Tracking and Alerting

Google recently released the API capability to track and identify all login activity over a 180 day period.

GAT is the first security product to take advantage of this new API capability and combined with some other security data, such as 2 Factor Authentication status we have now enabled a security report for users.

From the home page click on the ‘Users’, then the ‘Security’ tab to see the following selection

Security tab in GAT dashboard

2FA reporting is really important, in particular when you sort all the ‘Administrators’ to the top.

However, where any given user is trying to log in from is also important (in particular for all non-2FA accounts)

For any given user clicking on the ‘Last Login’ time will show you the login IP address and time details for that user over the last 180 days.

GAT's ‘Show the IP Address in a map’

Further, clicking on the ‘Show the IP Address in a map’ link will map the approximate login

locations.  Bear in mind these are approximate and for mobile devices often show up where the ISP or Carrier breaks out to the internet.

While the above is very useful and important, it is mainly for forensic analyses.  For day to day alerting we have prepared a ‘canned’ report that you can schedule at your convenience.

Select the ‘Scheduled Reports’ section from the Home Page.

At the bottom you will see a drop-down list of reports, starting with ‘What’s Hot Reports’, select the choice ‘Login Events’, this will create a new report for you that will report on all login events.

GAT's New Report drop down menu

After selecting ‘Login Events’, click on ‘New report’ to see the configuration options as shown below

GAT fields

You probably don’t want a daily report on every login event for every user in the entire domain, so we let you select only ‘failed or suspicious’ logins.  In the example above this is emailed to the Admin everyday after midnight.  You could also share the report with a security officer or security group if appropriate.

If you run the report daily or weekly then we can figure this out and the start date will move automatically, starting from the date the of the last login found in the previous report. This means you won’t be getting historical alerts that you have already investigated. 

You may find this post about how to get alerted every time a user disables two-factor authentication useful.