Google Workspace

Monitoring suspicious login attempts in Google Workspace

Monitoring user activity for suspicious behavior is an important part of keeping your Google Workspace instance secure.
Loved by leading security teams around the world.

Google Workspace, formerly known as G Suite, is a set of cloud-based productivity and collaboration tools used by businesses, schools, and organizations worldwide. In order to safeguard your organization's data, it is crucial to monitor suspicious login attempts and take appropriate measures to prevent unauthorized access. This guide provides step-by-step instructions on monitoring suspicious login attempts on Google Workspace and offers best practices to enhance your security.

Table of Contents:

  1. Enabling and Configuring Login Auditing
  2. Analyzing Login Audit Logs
  3. Setting Up Alerts for Suspicious Login Attempts
  4. Implementing Best Practices for Google Workspace Security
  5. Recovering from a Security Breach

Enabling and Configuring Login Auditing:

Before you can monitor suspicious login attempts, you need to enable login auditing in the Google Workspace Admin Console. Follow these steps:

a. Sign in to your Google Workspace Admin Console ( using your administrator credentials.
b. Navigate to 'Reports' > 'Audit log'.c. Select 'Login' from the drop-down menu.d. If you haven't enabled login auditing, click on the 'Enable Logging' button.

Once you've enabled login auditing, you can configure the data retention period for the logs. By default, Google Workspace retains logs for 180 days. You can increase or decrease this duration based on your organization's needs.

Analyzing Login Audit Logs:

Login audit logs provide valuable information about user login attempts, including successful logins, failed logins, and suspicious activities. To analyze login audit logs:

a. Go to the Google Workspace Admin Console and navigate to 'Reports' > 'Audit log'.b. Select 'Login' from the drop-down menu.c. Use the filter options to narrow down the login attempts by date, user, event, and location.d. Analyze the logs for signs of suspicious activity, such as:

  • Multiple failed login attempts
  • Logins from unfamiliar locations or IP addresses
  • Unusual login times

Setting Up Alerts for Suspicious Login Attempts:

To proactively monitor and receive notifications for suspicious login attempts, set up custom alerts in the Google Workspace Admin Console. Follow these steps:

a. Go to the Google Workspace Admin Console and navigate to 'Reports' > 'Manage alerts'.

b. Click on the '+ Add Alert' button.

c. Choose 'Login' from the 'Audit events' drop-down menu.

d. Customize the alert settings, including the alert threshold, recipients, and notification frequency.

e. Save the alert configuration.

With custom alerts, you'll receive email notifications when suspicious login events occur, allowing you to take immediate action.

Implementing Best Practices for Google Workspace Security:

To enhance the security of your Google Workspace environment, implement the following best practices:

a. Enforce strong password policies: Require users to create complex passwords and change them periodically.

b. Enable two-factor authentication (2FA): Encourage users to enable 2FA for an extra layer of security.

c. Limit access to sensitive data: Use Google Workspace's access control features to restrict access to sensitive documents and folders.

d. Educate users: Train employees on security best practices, including how to identify phishing emails and avoid falling victim to social engineering attacks.

Recovering from a Security Breach:

If you suspect that an unauthorized user has gained access to your Google Workspace account, take the following steps:

a. Reset the compromised user's password immediately.

b. Review the affected user's recent activity and revoke access to any suspicious third-party apps.

c. Investigate the source of the breach and implement additional security measures to prevent future attacks.

Connect, Protect, Defend

Streamline your approach to security posture management throughout your entire company.
Get a Free Security Assessment
By installing or using the software, you acknowledge and agree to be bound by the Terms of Service.