A recent engagement required me to analyze geographic login activity for a GSuite domain. While Google makes several reports available on the Admin dashboard, there was not one that provided thorough geographic detail. I made a thing that would take the default Login Activity Report, enhance it to include GeoIP data and plot all of the data points on an interactive map.
Here's an interactive sample map containing fake data.
Marker color, opacity and size help emphasize noteworthy events. These values and their corresponding "keyword" triggers are defined in
Geographic data can sometimes make quick work of detecting anomalous or malicious login activity. The image below is a real-world example of this concept: the overseas markers were connected to unauthorized access to a compromised account.
requirements.txt for Python modules
- Download and unpack
Export a Login Activity report from https://admin.google.com/AdminHome?fral=1#Reports:subtab=login-audit
python geoip.py /path/to/AuditReport.csv /path/to/GeoLiteCity.dat
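Once the report carries coordinates, the anomaly idea described above can also be checked in code rather than by eye. This is an added example, not part of geoip.py or the original page, and it goes beyond plotting to an "impossible travel" check; the CSV column names, event name, thresholds and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample of a geo-enriched login report. Column names, event
# names and coordinates are assumptions for this example (documentation IPs).
SAMPLE_CSV = """user,timestamp,ip,event,lat,lon
alice@example.com,2024-03-01T08:00:00,198.51.100.10,login_success,40.71,-74.01
alice@example.com,2024-03-01T09:30:00,198.51.100.11,login_success,40.73,-73.99
alice@example.com,2024-03-01T10:15:00,203.0.113.7,login_success,55.75,37.62
bob@example.com,2024-03-01T08:00:00,192.0.2.5,login_success,51.51,-0.13
bob@example.com,2024-03-02T09:00:00,192.0.2.77,login_success,48.86,2.35
"""

def load_rows(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(rows, max_kmh=900.0, min_km=100.0):
    """Flag consecutive successful logins per user whose implied speed exceeds max_kmh."""
    findings, previous = [], {}
    parsed = [dict(r, when=datetime.fromisoformat(r["timestamp"])) for r in rows
              if r["event"] == "login_success" and r["lat"] and r["lon"]]
    for row in sorted(parsed, key=lambda r: r["when"]):
        prev = previous.get(row["user"])
        previous[row["user"]] = row
        if prev is None:
            continue
        km = haversine_km(float(prev["lat"]), float(prev["lon"]),
                          float(row["lat"]), float(row["lon"]))
        if km < min_km:  # city-level GeoIP is imprecise; ignore short hops
            continue
        hours = (row["when"] - prev["when"]).total_seconds() / 3600
        kmh = km / hours if hours > 0 else float("inf")  # same-second logins
        if kmh > max_kmh:
            findings.append({"user": row["user"], "from_ip": prev["ip"],
                             "to_ip": row["ip"], "km": round(km), "kmh": kmh})
    return findings

if __name__ == "__main__":
    print(impossible_travel(load_rows(SAMPLE_CSV)))
```

VPN and mobile-carrier egress points produce false positives with this check, so treat a finding as a prompt to review the account rather than as proof of compromise.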