A script to analyze geographic GSuite Login activity
.gitattributes
.gitignore
LICENSE
README.md
geoip.py
requirements.txt
sample_AuditReport.csv
sample_map.html

README.md

gsuite-login-geoip

About

A recent engagement required me to analyze geographic login activity for a GSuite domain. While Google makes several reports available on the Admin dashboard, there was not one that provided thorough geographic detail. I made a thing that would take the default Login Activity Report, enhance it to include GeoIP data and plot all of the data points on an interactive map.

Here's an interactive sample map containing fake data.

Marker color, opacity and size help emphasize noteworthy events. These values and their corresponding "keyword" triggers are defined in geoip.py https://github.com/ecapuano/gsuite-login-geoip/blob/master/geoip.py#L92-L111

Geographic data can sometimes make quick work of detecting anomalous or malicious login activity. The image below is a real-world example of this concept -- the overseas markers were connected to unauthorized access to a compromised account.

Prerequisites

Usage

  1. Export a Login Activity report from https://admin.google.com/AdminHome?fral=1#Reports:subtab=login-audit

  2. python geoip.py /path/to/AuditReport.csv /path/to/GeoLiteCity.dat
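To illustrate the triage idea described under About, here is an added example (not code from this repository) that flags logins from outside each user's most common country. The column names, event names and the small IP-to-country table standing in for a GeoIP database lookup are assumptions made for the example, and the sample rows are constructed.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed stand-in for a GeoIP database lookup (documentation IP ranges only).
GEO = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "RO",
}

# Constructed sample rows; column and event names are assumed, not the real export schema.
SAMPLE = """user,event,ip
alice@example.com,login_success,192.0.2.10
alice@example.com,login_success,192.0.2.11
alice@example.com,login_success,198.51.100.7
alice@example.com,login_success,203.0.113.5
bob@example.com,login_success,198.51.100.20
bob@example.com,login_failure,198.51.100.21
bob@example.com,login_failure,203.0.113.9
carol@example.com,login_success,203.0.113.77
"""

def country_of(ip):
    """Return the country code for an IP, or '??' when the table has no match."""
    addr = ipaddress.ip_address(ip)
    for net, code in GEO.items():
        if addr in net:
            return code
    return "??"

def flag_logins(report_csv):
    """Flag logins whose country differs from the user's most frequent country."""
    rows = list(csv.DictReader(io.StringIO(report_csv)))
    per_user = defaultdict(Counter)
    for row in rows:
        row["country"] = country_of(row["ip"])
        per_user[row["user"]][row["country"]] += 1
    flagged = []
    for row in rows:
        home = per_user[row["user"]].most_common(1)[0][0]
        if row["country"] != home:
            # A successful login from an unusual country outranks a failed attempt.
            severity = "high" if row["event"] == "login_success" else "medium"
            flagged.append((row["user"], row["ip"], row["country"], severity))
    return flagged

if __name__ == "__main__":
    for hit in flag_logins(SAMPLE):
        print(hit)
```

A user with a single login (carol in the sample) has no baseline to deviate from and is never flagged, so short report windows will miss first-seen accounts.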