Google Workspace Profiles
Fetch and store Google Workspace user data to use in detections and search
You can configure your Google Workspace log source integration in Panther to pull user profiles into Panther-managed Lookup Tables. This means you can use profile data in detection logic and search queries.
You can customize user profiles in Google Workspace by following Google's documentation. Consider adding custom attributes that would be useful in detection logic, such as the level of permissions expected for that user.
To view the data stored in your Google Workspace profile tables, follow these instructions on how to view profile data in the Data Lake.
You can configure Google Workspace user profiles while you are initially setting up your Google Workspace log source integration in Panther, or later, by editing the source.
During either flow, you'll toggle the Google Workspace profile pulling setting on, then set the cadence at which you'd like profile data to be refreshed.
To enable Google Workspace user profiles in Panther, you must first (or concurrently) onboard Google Workspace as a log source. It is not possible to set up a Google Workspace user profiles integration without onboarding Google Workspace as a log source in Panther.
In order to pull Google Workspace user profiles into Panther, the following configurations must be set:
- Your Google Workspace Cloud App must have the https://www.googleapis.com/auth/admin.directory.user.readonly scope.
- The user who created the Google Cloud App must have read users privileges.
- Follow these instructions on how to create a new Google Workspace source in Panther, paying close attention to the Enable user profiles field.
You can set up Google Workspace profiles after you've already created a Google Workspace log source in Panther, either from the Enrichment Providers tab or the Log Sources tab in the Console.
Console: Enrichment Providers
1. In the left-hand navigation bar of your Panther Console, click Configure > Enrichment Providers.
2. In the upper-right corner, click Create New.
3. Click Google Workspace.
4. From the popup modal listing your already created Google Workspace log sources in Panther, click the one you'd like to pull profile data from.
   - If you have not already set up a Google Workspace log source, instead follow the How to onboard Google Workspace logs to Panther instructions.
5. On the Enrichment page, click the toggle to the right of User Profiles.
   - Also set a Refresh period (min). This represents the cadence at which Panther will update profile data with what is stored in Google Workspace.
6. In the upper-right corner, click Save.

Console: Log Sources
1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
2. Locate the Google Workspace log source for which you'd like to set up user profiles, and click its name.
3. In the upper-right corner of the log source page, click Configuration, then Edit.
4. In the upper-right corner, click Enrichment.
5. On the Enrichment page, click the toggle to the right of User Profiles.
   - Also set a Refresh period (min). This represents the cadence at which Panther will update profile data with what is stored in Google Workspace.
6. In the upper-right corner, click Save.
Panther supports pulling user profiles from Google Workspace.
```yaml
schema: GSuite.DirectoryUsers
description: Panther managed Gsuite user profiles
referenceURL: https://developers.google.com/admin-sdk/directory/v1/guides/manage-users#get_all_users
fields:
  - name: match
    description: Keys to match for the lookup table
    type: array
    element:
      type: string
  - name: id
    description: Gsuite internal id for this user
    type: string
    indicators:
      - actor_id
  - name: customerId
    description: Gsuite customer id for this user
    type: string
  - name: primaryEmail
    description: Primary email
    type: string
    indicators:
      - email
  - name: recoveryEmail
    description: Recovery email
    type: string
    indicators:
      - email
  - name: name
    description: User name info
    type: json
  - name: isAdmin
    description: True if admin
    type: boolean
  - name: isDelegatedAdmin
    description: True if delegated admin
    type: boolean
  - name: lastLoginTime
    description: Time of last authentication
    type: timestamp
    timeFormats:
      - rfc3339
  - name: creationTime
    description: Create time for user record
    type: timestamp
    timeFormats:
      - rfc3339
  - name: agreedToTerms
    description: True if agreed to terms
    type: boolean
  - name: hashFunction
    description: Hash function to use
    type: string
  - name: suspended
    description: True if suspended
    type: boolean
  - name: changePasswordAtNextLogin
    description: True if set to change password at next login
    type: boolean
  - name: ipWhitelisted
    description: True if ip is whitelisted
    type: boolean
  - name: orgUnitPath
    description: Path for org
    type: string
  - name: isMailboxSetup
    description: True if mailbox setup
    type: boolean
  - name: includeInGlobalAddressList
    description: True if included in global address list
    type: boolean
  - name: emails
    description: Email profiles
    type: array
    element:
      type: json
  - name: externalIds
    description: External ids
    type: array
    element:
      type: json
  - name: aliases
    description: Email aliases
    type: array
    element:
      type: string
      indicators:
        - email
  - name: nonEditableAliases
    description: Email aliases
    type: array
    element:
      type: string
      indicators:
        - email
```
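The following is an added example, not code from Panther or from this page: a Python detection sketch that uses the `isAdmin`, `isDelegatedAdmin` and `suspended` profile fields from the schema above to judge admin-console activity. It assumes the matched profile row is attached to the event under `p_enrichment`, keyed by lookup table name and then by selector; the table name `gsuite_user_profiles`, the selector `actor`, and the sample event are constructed for illustration.

```python
# Added example, not Panther's own code. The lookup table name and selector
# key are assumptions; check a real enriched event for the names in use.
PROFILE_TABLE = "gsuite_user_profiles"  # hypothetical lookup table name
SELECTOR = "actor"                      # hypothetical selector the row matched on


def get_profile(event):
    """Return the GSuite.DirectoryUsers row attached to the event, or {}."""
    enrichment = event.get("p_enrichment") or {}
    return (enrichment.get(PROFILE_TABLE) or {}).get(SELECTOR) or {}


def findings(event):
    """Reasons an admin-console event conflicts with the actor's profile."""
    if (event.get("id") or {}).get("applicationName") != "admin":
        return []
    profile = get_profile(event)
    if not profile:
        # Refresh lag or an account outside the directory: report it as such.
        return ["no directory profile matched the actor"]
    reasons = []
    if profile.get("suspended"):
        reasons.append("actor is suspended")
    if not (profile.get("isAdmin") or profile.get("isDelegatedAdmin")):
        reasons.append("actor has no admin flag")
    return reasons


def rule(event):
    return bool(findings(event))


def title(event):
    actor = (event.get("actor") or {}).get("email", "<unknown>")
    return f"Admin console activity by {actor}: " + "; ".join(findings(event))


def sample_event(profile):
    """Constructed event: admin-console activity plus an enrichment row."""
    event = {"id": {"applicationName": "admin"},
             "actor": {"email": "pat@example.com"}}
    if profile is not None:
        event["p_enrichment"] = {PROFILE_TABLE: {SELECTOR: profile}}
    return event
```

A shorter refresh period narrows the window in which a just-suspended or just-demoted account still carries its old flags in the lookup table.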