# Google Workspace Profiles

## Overview

You can configure your Google Workspace log source integration in Panther to pull user profiles into Panther-managed Enrichments. This means you can use profile data in detection logic and search queries.

You can customize user profiles in Google Workspace by following [Google's documentation](https://support.google.com/a/answer/6208725?hl=en). You might consider adding custom attributes that would be useful in detection logic, such as the level of permissions expected for that user.

Learn how to [view stored enrichment data here](https://docs.panther.com/enrichment/..#viewing-and-managing-enrichments).

### Example detection use cases

You can leverage Google user profile data in your detections. See the following example use cases:

* Detect when an action is performed by a terminated employee, which can indicate that off-boarding is incomplete.
* In a detection's configuration, adjust the alert severity level based on the job title of the event actor. For example, you might use an `INFO` severity level if some action is taken by a System Administrator, but `HIGH` if taken by a user with any other role.
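
The sketch below is an added example, not Panther's own code. It shows both use cases as a Python detection with `rule` and `severity` functions, reading fields from the `GSuite.DirectoryUsers` schema. It assumes a hypothetical enrichment table name (`gsuite_profiles`), uses `suspended` as a stand-in for "terminated", and uses `isAdmin`/`isDelegatedAdmin` in place of job title, which the schema does not carry.

```python
# Added example: Panther-style rule()/severity() using GSuite.DirectoryUsers fields.
# ASSUMPTION: the table name under p_enrichment is hypothetical; inspect an
# enriched event in your own Panther instance for the real key.
PROFILE_TABLE = "gsuite_profiles"


def actor_profile(event):
    """Return the first user profile attached to the event, or None."""
    tables = event.get("p_enrichment") or {}
    matches = tables.get(PROFILE_TABLE) or {}
    for record in matches.values():  # entries keyed by the matching event field
        if isinstance(record, list):  # tolerate a list of matched records
            record = record[0] if record else None
        if isinstance(record, dict):
            return record
    return None  # no profile attached, e.g. before the first refresh has run


def rule(event):
    # Use case 1: activity from an account the directory marks as suspended.
    profile = actor_profile(event)
    return bool(profile and profile.get("suspended"))


def severity(event):
    # Use case 2 pattern: derive the alert severity from a profile attribute.
    profile = actor_profile(event) or {}
    if profile.get("isAdmin") or profile.get("isDelegatedAdmin"):
        return "CRITICAL"
    return "HIGH"


# Constructed sample event (not real log data).
SAMPLE_EVENT = {
    "actor": {"email": "former.employee@example.com"},
    "p_enrichment": {
        PROFILE_TABLE: {
            "actor": {
                "primaryEmail": "former.employee@example.com",
                "suspended": True,
                "isAdmin": False,
                "orgUnitPath": "/Offboarded",
            }
        }
    },
}
```

Profile data is only as current as the configured refresh period, so a newly suspended account is not flagged until the next refresh has run.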

## How to set up Google Workspace user profiles in Panther

You can configure Google Workspace user profiles while you are initially setting up your Google Workspace log source integration in Panther, or later, by editing the source.

During either flow, you'll toggle the Google Workspace profile pulling setting on, then set the cadence at which you'd like profile data to be refreshed.

{% hint style="info" %}
In order to enable Google Workspace user profiles in Panther, you must first (or concurrently) onboard Google Workspace as a log source. It is not possible to set up a Google Workspace user profiles integration *without* onboarding Google Workspace as a log source in Panther.
{% endhint %}

### Prerequisites for Google Workspace user profiles

In order to pull Google Workspace user profiles into Panther, the following configurations must be set:

* Your Google Workspace Cloud App must have the `https://www.googleapis.com/auth/admin.directory.user.readonly` scope.
* The user who created the Google Cloud App must have privileges to read users.

### Configure Google Workspace profiles in Panther during Google Workspace source setup

* Follow [these instructions on how to create a new Google Workspace source in Panther](https://docs.panther.com/data-onboarding/supported-logs/googleworkspace#step-1-create-a-new-google-workspace-source-in-panther), paying close attention to the **Enable user profiles** field.

### Configure Google Workspace profiles in Panther after Google Workspace source setup

You can set up Google Workspace profiles after you've already created a Google Workspace log source in Panther, either [from the **Enrichment Providers** tab](#configure-google-workspace-profiles-after-google-workspace-log-source-setup-from-the-enrichment-prov) or the [**Log Sources** tab](#configure-google-workspace-profiles-after-google-workspace-log-source-setup-from-the-log-sources-scr) in the Console.

{% tabs %}
{% tab title="Console: Enrichment Providers" %}
**Configure Google Workspace profiles after Google Workspace log source setup from the Enrichment Providers screen**

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Enrichment Providers**.
2. In the upper-right corner, click **Create New**.
3. Click **Google Workspace**.
4. From the popup modal listing your already created Google Workspace log sources in Panther, click the one you'd like to pull profile data from.\
   ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-a82cb479bb99b252019fc6aeb049374127ce7773%2FScreenshot%202023-10-04%20at%205.06.38%20PM.png?alt=media)
   * If you have not already set up a Google Workspace log source, instead follow the [How to onboard Google Workspace logs to Panther](https://docs.panther.com/data-onboarding/supported-logs/googleworkspace#how-to-onboard-google-workspace-logs-to-panther) instructions.
5. On the **Enrichment** page, click the toggle to the right of **User Profiles**.
   * Also set a **Refresh period (min)**. This represents the cadence at which Panther will update profile data with what is stored in Google Workspace.\
     ![On the Enrichment settings screen, there is a User Profiles toggle, with a Refresh period (min) dropdown field.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-56384362ac6fc89e5efcae4416494890732377dd%2FScreenshot%202023-10-05%20at%202.13.00%20PM.png?alt=media)
6. In the upper-right corner, click **Save**.
{% endtab %}

{% tab title="Console: Log Sources" %}
**Configure Google Workspace profiles after Google Workspace log source setup from the Log Sources screen**

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Locate the Google Workspace log source for which you'd like to set up user profiles, and click its name.
3. In the upper-right corner of the log source page, click **Configuration**, then **Edit**.\
   ![A log source named "GSuiteReleaseTest" is shown in the Panther Console. An arrow is drawn from its Configuration button to its Edit button.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-c34946c4590a8e28c7e84201ec80346d602b36a0%2FScreenshot%202023-06-16%20at%2012.20.12%20PM.png?alt=media)
4. In the upper-right corner, click **Enrichment**.
5. On the **Enrichment** page, click the toggle to the right of **User Profiles**.
   * Also set a **Refresh period (min)**. This represents the cadence at which Panther will update profile data with what is stored in Google Workspace.\
     ![On the Enrichment settings screen, there is a User Profiles toggle, with a Refresh period (min) dropdown field.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-56384362ac6fc89e5efcae4416494890732377dd%2FScreenshot%202023-10-05%20at%202.13.00%20PM.png?alt=media)
6. In the upper-right corner, click **Save**.
{% endtab %}
{% endtabs %}

## Supported profile types

Panther supports pulling user profiles from Google Workspace.

### GSuite.DirectoryUsers

```yaml
schema: GSuite.DirectoryUsers
description: Panther managed Gsuite user profiles
referenceURL: https://developers.google.com/admin-sdk/directory/v1/guides/manage-users#get_all_users
fields:
    - name: match
      description: Keys to match for the lookup table
      type: array
      element:
        type: string
    - name: id
      description: Gsuite internal id for this user
      type: string
      indicators:
        - actor_id
    - name: customerId
      description: Gsuite customer id for this user
      type: string
    - name: primaryEmail
      description: Primary email
      type: string
      indicators:
        - email
    - name: recoveryEmail
      description: Recovery email
      type: string
      indicators:
        - email
    - name: name
      description: User name info
      type: json
    - name: isAdmin
      description: True if admin
      type: boolean
    - name: isDelegatedAdmin
      description: True if delegated admin
      type: boolean
    - name: lastLoginTime
      description: Time of last authentication
      type: timestamp
      timeFormats:
        - rfc3339
    - name: creationTime
      description: Create time for user record
      type: timestamp
      timeFormats:
        - rfc3339
    - name: agreedToTerms
      description: True if agreed to terms
      type: boolean
    - name: hashFunction
      description: Hash function to use
      type: string
    - name: suspended
      description: True if suspended
      type: boolean
    - name: changePasswordAtNextLogin
      description: True if set to change password at next login
      type: boolean
    - name: ipWhitelisted
      description: True if ip is whitelisted
      type: boolean
    - name: orgUnitPath
      description: Path for org
      type: string
    - name: isMailboxSetup
      description: True if mailbox setup
      type: boolean
    - name: includeInGlobalAddressList
      description: True if included in global address list
      type: boolean
    - name: emails
      description: Email profiles
      type: array
      element:
        type: json
    - name: externalIds
      description: External ids
      type: array
      element:
        type: json
    - name: aliases
      description: Email aliases
      type: array
      element:
        type: string
        indicators:
            - email
    - name: nonEditableAliases
      description: Email aliases
      type: array
      element:
        type: string
        indicators:
            - email
```
