Monitoring Cloud Login Behaviour

With all the publicity about breaches of servers containing Government Personnel data, it is a good time to consider how well you understand access to your Google cloud environment.

Servers on your LANs that have been breached, no matter what the path, will leave a packet trail that you can follow up to a suspicious device. There is no guarantee that that device is the end-point, but at least you have the start of the path that law enforcement can then follow.

In the Google cloud, how do you identify such suspicious activity? Google is getting better at identifying and alerting users to suspicious activity, but good hackers will be well aware of the alarms Google set, so how do you as an Admin get the big picture and bring human intuition to bear on the collective pool of data?

One tool GAT provides is ‘User Logins’.

select 'user logins'

Clicking on this audit area lets you analyze the login behavior on your Google Domain by several metrics, source, volume, success, failures, etc.

see login behavior on your Google Domain by several metrics, source, volume, success, failures, etc.

The screenshot above is from ‘Events tab’ and will give the big picture view of worldwide accesses to your domain. Are there logins from unexpected locations?

Clicking on the map marker shows the Email address, and all related information to this account such as IP Address, City, Country, Event and Date.

Clicking on the map marker shows the Email address, and all related information to this account such as IP Address, City, Country, Event and Date.

Users Logins can also be checked by clicking on the “Apply custom filter” button.
Where an admin can narrow down the search and extract more detailed information regarding an event.

Users Logins can also be checked by clicking on the “Apply custom filter” button.

For example, an Admin can search for all events with status “Invalid Password” this will bring all results and it will be displayed on the map where this actually happen and generate a report for this.
It shows Login Event Locations and Login IP Locations.

What else should you look for? search by ‘OK’ logins and look for the ratio of different users to successful logins. If you see something like 10 logins from a single IP address and 5 different users, then that is either a new office you opened yesterday or very strange behavior – if it is not a new office then check out that address and those accounts in more detail.

The second-way GAT attempts to watch your back is via the Alarms section (Select ‘Alarms’ on the home page).

select 'alarms'

While these are no substitute for the human intelligence an Admin brings to bear by knowing their own data, they can help watch your back in some areas. To configure an alarm click on the plus icon/button.


To configure an alarm click on the plus icon/button.
See alarm details
change alarm settings as needed

Based on our experience the alarm ‘Alert on new IP addresses with negative logins’ is the most useful because it flags someone taking a ‘potshot’ at one of your domain accounts. We only alarm you if we have never seen a successful login from that address before – this eliminates a lot of false positives.

How to Find the Space Used on Google Drive

In this post, you will learn how to find used space on your Google Drive.

Using GAT, enter the User Audit, then select “Quota” from the top bar.

Select 'Users'

It will display Quota available for all the users in your domain

It will display Quota available for all the users in your domain

It shows all the users and their Google account usage.

    • Quota available for individual users
    • Quota used out of the availability
    • Quota used for Drive only
    • Quota used for GMail only
  • Quota used for Photos only

Remember you can use “Apply custom filter” to narrow the search down to find individual users, groups, organizational units and so on. Reports can also be generated based on the usage by individual users/groups.

Ways for GAT to Search for Two or More Users at Once

Examples of the different types of searches GAT can perform. Learn to get more out of GAT.

The Regular Expression Method

Select 'users'

select filter


Using Drive method

Click on 'drive'

Select filter

Note in this last example, you are searching for the more generic match of all docs in the accounts of the ‘Users’ in the group rather than the docs owned by ‘Owners’ (this wider search includes public documents which the ‘Users’ in the group may have viewed).

Measuring user engagement over the last 90 days

We can measure user engagement over the last 90 days (by counting Google Docs created in that time frame).


In Drive audit, click on the ‘Apply custom filter’ button.

apply the custom filter

In the Drive Files filters popup, perform the following actions, click on ‘Add group’, in this group select the following search parameters.

  • Type equal Document
  • Type equal Word

Note: This group is OR’d.

Outside of the group add an additional rule.

  • Created After or equal dd/mm/yyyy (look back 3 months)

Filters for Drive files

And then apply the filter.


When the results appear in the Drive result table, click on the ‘Export data’ button and select ‘Export to Google Sheet’

‘Export to Google Sheet’

A message will appear when the export is ready.

Data exported to your google drive

The spreadsheet will contain a lot more columns of data.

Google Drive Use Productivity Measured

select users

In the new Drive UI, under Users audit, we have added a tab called Drive Productivity.
Once it is selected it shows the Drive Productivity for each individual user in the domain.
It shows all files owned by the user, the number of Public, Public with a link, Shared out, Internal, Private, G Suite docs, spreadsheets and presentations created/updated last week.
All this information is available just by selecting Drive productivity tab.  
The user can apply different filters on the top and gather different information and even schedule a report on the activities of the users for a certain period of time.
For example, you can schedule report for all users who created G Suite docs greater than 100 and generate a report every weekend.

Users Drive Filters

The general purpose of scheduling reports is to show user engagement with overall Google Drive environment.

How to Track Visitors and Editors with GAT

Even before Google made the API for reporting visitors available, GAT had figured out a way of reporting visitors to documents on your domain. This technology means that even today we are the only audit tool to report internal visitors to external documents. (Answering important questions like who was looking at that banned picture!)

As always some of the best feature suggestions come from the needs of our Admin users. To meet the request for scheduled ‘visit and edit’ reporting we have added two new buttons to the Drive Audit page on GAT, both of which considerably expand on the reporting of visitors and editors to any given selection of documents.

The first use case is simple, select any file, folder (remember to click on the -> after the folder name to see the contents), owner, user, group, OU, etc. to get the selection of files you want. Then click ‘Export Visits to Spreadsheet’ and you will see every visitor and time of visit to every document in the selected collection, output to a Google Spreadsheet.

The second use case (and second button) require a little more thought. The purpose behind this is to allow a daily report to a manager or managers, of visits or edits to selected documents. Clearly well used shared documents can build up hundreds or even thousands of visits, so it is pointless to report all of those day on day. To solve this problem we report all visits to the selected documents for the first scheduled run (a catch up if you will) then we report only the new visits for each subsequent run of the audit. This allows a manager to see at a glance who has visited or edited a document in the previous period. Reports can be CSV or PDF (and of course are automatically stored for future reference).

It is important to carefully consider the selection criteria. For example, they can be documents based on a search for ‘private and confidential’ as part of the contents (See example No. 2 here for how to structure this selection), or they can be all the files in a folder.

You can also, of course, keep track of all documents owned by a ‘User’ or used by a Group, etc. In fact any of the huge number of selections that GAT allows you to form a sharply focused group of files for you to report on.

It is important to distinguish between the role of ‘owner’ and ‘user’ if you wish to track the actions of an individual. For example, if you put a scheduled job in place to track all the files ‘owned’ by John, what you will see are John’s visits (and others) to John’s files only. If the job is to tracks visits to all files ‘used’ by John, then you will see his visits to all files, including ones he does not own. The report will also show other visitors to those files.

Example of the scheduled report tracking documents in a folder setup below

Admins can set this up to offer selected managers greater oversight of important document activity.

Google User Folder Structure Displayed in GAT+

GAT+ displays the User folder structure for each user on your domain 

In the ‘Users’ audit section, as you hover over each user, a new icon will appear beside the folder count.

Clicking on the folder icon will display the folder tree beneath the user’s photo or email.

Each folder name has a file count and a quota usage count for the folder itself.

Selecting any folder name and clicking on it will show you the exact file type breakdown of that folder.

You can click the > marker before the folder to expand or contract the folder to the next level.

GAT Removes Your Pain Points


1) “What files on my google domain can everyone on the internet find or see?”

files in your Google domain

In the GAT+ Drive Audit one click on the number ‘Open to full public view’ shows you all the public files on your domain Drive. (Or you can see those that are available to all with the link or ‘Published’ like a web page, both reports just a click away also.)


2) “We have files that are shared to lots of other domains, how can I see which ones?”

Within the Drive Audit and with the press of one button ‘Domain Connections’, we draw a map of your entire set of Drive shares into and out of your domain.


3) “I need to see a list of all the external people that have explicit access to files on your Domain drive?”

In the Drive Audit, one press of the button ‘External Users’ will produce a table that you can sort by the desired column.



4) Need to find and remove an email in a hurry? (even from hundreds of accounts!)

In the Email Audit using the ‘Domain Gmail Search’ you can do a live search of every folder in every account on your domain for an email containing text in any location (subject, body, attachment) or any other identifier and have a list of those emails found.

Using ‘View Email Contents’ (with the ‘Unlock’ feature enabled) you can now view, download or remove these emails in bulk for one or all accounts.

5) Need to see the top sender or receiver of emails?

Just a press of the ‘Sender/Receiver Table’ button will tabulate the top senders and receivers of email for your domain or for whatever search you used to narrow the data.

6) Need to delegate access to another user’s email account?

In the Email Audit select the Email Delegation button and fill in the two account address – job done!

7) Need to get a daily/weekly/monthly report of emails per user, sent and received?

On the GAT+ homepage select ‘Scheduled Reports’ and from there choose ‘Daily User Email Stats’

Once you select this scheduled report type (from a long list of other choices), you can then choose the exact mail report you want.



8) Need to save on license costs then you need to know which accounts were not used in the last 6 months.

On the GAT+ home page, select ‘Users Audit’ and select ‘Last Login’ between a date range in the last 6 months, then ‘Search Users’.

When the results come back press ‘Negate Filter’ and find every account which did not log in in the last 6 months. You can then export this account list to a spreadsheet and clean up the accounts.


9) Need to easily bulk add or remove users or simply add/remove/change them between groups and OUs?

In the new GAT+ UI, select the Users report. Filter for the set of users you are interested in working with. Export that selection of users, change the spreadsheet as described here. You can add the users to one or more groups or change their group mix completely. When finished with the changes, just import the spreadsheet to perform all the changes at once.

10) Need to be warned when some critical event has happened on your domain?

Simply select ‘Alarms’ on the GAT home page and configure for the alerts you need. Alarms can be configured and saved on a per OU basis.


Measuring Adoption of G Suite by Staff in Your Organisation

2 methods – 2 aspects to consider

Collaboration growth among those already using Google extensively

A common problem management face after installing G Suite is to try and understand how quickly staff are adopting it as a way of collaborating.

There are many ways to measure user adoption in G Suite. GAT offers a collaboration index

Collaboration measurement to be found in GAT Statistics report

The Collaboration Index is based on a formula that utilises a lot of GAT’s knowledge about how your Google environment is working, including factors like the number of users you have, the length of time using G Suite, the number of shares, the number of visitors, etc.  These are combined to give a standardised result no matter how many users you have or how long you are using Google as a production platform.  Every organization should see this figure growing at least for the first few years of G Suite adoption.

There is also the more blunt figure of internal share instances – you can look at this as a proportion of your overall doc count.

However, one important thing to remember is both of these figures are on the ‘Google side’. They are measuring the ‘converted’. While growth is good, it not necessarily a measure of conversion inside the organization as a whole. What we want to measure is migration from the ‘dark side’, i.e. from the traditional way of doing things (emailing attachments) to the new way (document sharing).

Collaboration growth among those moving away from the old email-based methods

On a recent visit to a very large financial institution, they had an excellent idea of how we could use GAT to measure movement from the old way of doing things to the ‘Google way’ and it was quite simple.

We would look at each month and count the number of internal file shares using Google Share, we could then look at each month and look at the number of internal emails sent with attachments and see how that ratio progressed over time.

Here’s how to do it …

(GAT+Email required – you can install from here)

First, we look in the Docs Audit and with 3 clicks we can calculate the number of files created and shared internally in say June. In this case 88.

Screenshot from GAT Docs Audit

We then go into the email audit and calculate the number of files sent as internal email attachments in the same month (again in 3 clicks).  In this case it was 113.

Screenshot from GAT email Audit

So even though we eat Google for breakfast and love everything they do, we still have some staff who find the old ways hard to let go.  In June more files are shared as email attachments than as Google shares (88/113).

The good news is it was 71/125 in March, so at least we are improving!

How is your organisation progressing? Is Google winning the staff over?

You can use GAT to perform the same test on organizational units or even groups within your domain. Then do comparisons between the different OU’s or groups to see where G Suite is taking hold or where you need to do more training.

This and other useful tips like it can be found in our Google+ community here

(Full acknowledgement for this index idea is given to a financial institution who for confidentiality reasons remain anonymous.)


The weekly GAT activity report now gives you the internal sharing and internal attachment count for each week.


It is a simple procedure to take these two figures from the respective sections of the report and divide them to find the on-going ratio for your domain.

(Share this on if you find it useful.)

Get more G Suite User Audit detail in GAT

expand User audit

While it is essential to have a global audit for Drive, Emails, G+, etc giving you the big picture view for audits in those areas, GAT also recognizes that you need to see the Organizational, Group or User view. The extended ‘Users’ audit now gives you the ability to filter by user status and then see a whole range of important characteristics associated with the selected user(s).

Picking any user, you can see for example their total quota and how much is used, how much by docs and how much by email.

We currently show details in 9 different user usage areas and we are adding data all the time. Each tab is self-explanatory, with the exception of Collaboration index. For this figure, we review completed internal collaboration actions in the previous 7 days. These cover emails replied to (sender and receiver both receive a score), internal shared files read or edited (owner and reader/editor both receive a score) and internal calendar appointments (each internal participant receives a score). The combined figure starts to give a rough measure of internal engagement by each user over the last 7 days.