Identity Provider Profiles

Fetch and store user and device data from identity providers

Overview

Panther can retrieve and store user and device data from common identity providers that you've configured as log sources. This information is stored in Panther-managed Lookup Tables, meaning it can be referred to in detection logic and search queries.

Learn more about how to set up profiles for different identity providers on the pages below:

Learn how to view stored Identity Provider Profile data here, and how to view log events with enrichment data here.

Example detection use cases

You can leverage the user and device data from your identity provider profiles in your detections. See the following example use cases:

  • Detect when an action is performed by a terminated employee, which can indicate that off-boarding is incomplete.

  • In a detection's configuration, adjust the alert severity level based on the job title of the event actor. For example, you might use an INFO severity level if some action is taken by a System Administrator, but HIGH if taken by a user with any other role.

  • Detect when the device an action is taken from is a phone and the actor is not a System Administrator.
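
The three use cases above, combined into one Panther-style Python rule (`rule` and `severity` functions). This is an added example, not code from Panther's documentation. The Lookup Table name `idp_profiles`, the `user`/`device` layout under `p_enrichment`, and the `status`, `title` and `type` fields are assumptions; substitute the names your identity provider profile actually exposes.

```python
# Added example. The Lookup Table name and the profile field names are
# assumptions made for illustration, not Panther's documented schema.
PROFILE_TABLE = "idp_profiles"      # hypothetical Lookup Table name
ADMIN_TITLE = "System Administrator"


def profile(event, kind):
    """Return the enriched "user" or "device" record, or {} when absent."""
    enrichment = event.get("p_enrichment") or {}
    return (enrichment.get(PROFILE_TABLE) or {}).get(kind) or {}


def is_terminated_actor(event):
    # Use case 1: the actor's account is marked terminated in the IdP.
    return str(profile(event, "user").get("status", "")).lower() == "terminated"


def is_phone_by_non_admin(event):
    # Use case 3: action from a phone by anyone other than a System Administrator.
    on_phone = str(profile(event, "device").get("type", "")).lower() == "phone"
    return on_phone and profile(event, "user").get("title") != ADMIN_TITLE


def rule(event):
    return is_terminated_actor(event) or is_phone_by_non_admin(event)


def severity(event):
    # Use case 2: INFO for a System Administrator, HIGH for any other role.
    # Design choice in this example: a terminated actor is always HIGH.
    if is_terminated_actor(event):
        return "HIGH"
    return "INFO" if profile(event, "user").get("title") == ADMIN_TITLE else "HIGH"


def enriched(status, title, device_type):
    """Build a constructed sample event carrying enrichment data."""
    return {"p_enrichment": {PROFILE_TABLE: {
        "user": {"status": status, "title": title},
        "device": {"type": device_type},
    }}}


# Constructed sample events (not real log data).
SAMPLES = {
    "terminated_admin": enriched("terminated", ADMIN_TITLE, "laptop"),
    "engineer_on_phone": enriched("active", "Engineer", "phone"),
    "admin_on_phone": enriched("active", ADMIN_TITLE, "phone"),
    "no_enrichment": {"eventName": "Login"},
}
```

An event with no enrichment does not match the rule, and its severity falls back to HIGH because the actor cannot be confirmed as a System Administrator.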
