Google Workspace Profiles

Fetch and store Google Workspace user data to use in detections and search

Overview

You can configure your Google Workspace log source integration in Panther to pull user profiles into Panther-managed Enrichments. This means you can use profile data in detection logic and search queries.

You can customize user profiles in Google Workspaces by following their documentation. You might consider adding custom attributes that would be useful in detection logic, such as the level of permissions expected for that user.

Learn how to view stored enrichment data here.

Example detection use cases

You can leverage Google user profile data in your detections. See the following example use cases:

Detect when an action is performed by a terminated employee, which can indicate that off-boarding is incomplete.
In a detection's configuration, adjust the alert severity level based on the job title of the event actor. For example, you might use an INFO severity level if some action is taken by a System Administrator, but HIGH if taken by a user with any other role.

How to set up Google Workspace user profiles in Panther

You can configure Google Workspace user profiles while you are initially setting up your Google Workspace log source integration in Panther, or later, by editing the source.

During either flow, you'll toggle the Google Workspace profile pulling setting on, then set the cadence at which you'd like profile data to be refreshed.

In order to enable Google Workspace user profiles in Panther, you must first (or concurrently) onboard Google Workspace as a log source. It is not possible to set up an Google Workspace user profiles integration without onboarding Google Workspace as a log source in Panther.

Prerequisites for Google Workspace user profiles

In order to pull Google Workspace user profiles into Panther, the following configurations must be set:

Your Google Workspace Cloud App must have the https://www.googleapis.com/auth/admin.directory.user.readonly scope.
The user who created the Google Cloud App must have read users privileges.

Configure Google Workspace profiles in Panther during Google Workspace source setup

Follow these instructions on how to create a new Google Workspace source in Panther, paying close attention to the Enable user profiles field.

Configure Google Workspace profiles in Panther after Google Workspace source setup

You can set up Google Workspace profiles after you've already created a Google Workspace log source in Panther, either from the Enrichment Providers tab or the Log Sources tab in the Console.

Configure Google Workspace profiles after Google Workspace log source setup from the Enrichment Providers screen

In the left-hand navigation bar of your Panther Console, click Configure > Enrichment Providers.
In the upper-right corner, click Create New.
Click Google Workspace.
From the popup modal listing your already created Google Workspace log sources in Panther, click the one you'd like to pull profile data from.
- If you have not already set up a Google Workspace log source, instead follow the How to onboard Google Workspace logs to Panther instructions.
On the Enrichment page, click the toggle to the right of User Profiles.
- Also set a Refresh period (min). This represents the cadence at which Panther will update profile data with what is stored in Google Workspace.
In the upper-right corner, click Save.

Supported profile types

Panther supports pulling user profiles from Google Workspace.

GSuite.DirectoryUsers

schema: GSuite.DirectoryUsers
description: Panther managed Gsuite user profiles
referenceURL: https://developers.google.com/admin-sdk/directory/v1/guides/manage-users#get_all_users
fields:
    - name: match
      description: Keys to match for the lookup table
      type: array
      element:
        type: string
    - name: id
      description: Gsuite internal id for this user
      type: string
      indicators:
        - actor_id
    - name: customerId
      description: Gsuite customer id for this user
      type: string
    - name: primaryEmail
      description: Primary email
      type: string
      indicators:
        - email
    - name: recoveryEmail
      description: Recovery email
      type: string
      indicators:
        - email
    - name: name
      description: User name info
      type: json
    - name: isAdmin
      description: True if admin
      type: boolean
    - name: isDelegatedAdmin
      description: True if delegated admin
      type: boolean
    - name: lastLoginTime
      description: Time of last authentication
      type: timestamp
      timeFormats:
        - rfc3339
    - name: creationTime
      description: Create time for user record
      type: timestamp
      timeFormats:
        - rfc3339
    - name: agreedToTerms
      description: True if agreed to terms
      type: boolean
    - name: hashFunction
      description: Hash function to use
      type: string
    - name: suspended
      description: True if suspended
      type: boolean
    - name: changePasswordAtNextLogin
      description: True if set to change password at next login
      type: boolean
    - name: ipWhitelisted
      description: True if ip is whitelisted
      type: boolean
    - name: orgUnitPath
      description: Path for org
      type: string
    - name: isMailboxSetup
      description: True if mailbox setup
      type: boolean
    - name: includeInGlobalAddressList
      description: True if included in global address list
      type: boolean
    - name: emails
      description: Email profiles
      type: array
      element:
        type: json
    - name: externalIds
      description: External ids
      type: array
      element:
        type: json
    - name: aliases
      description: Email aliases
      type: array
      element:
        type: string
        indicators:
            - email
    - name: nonEditableAliases
      description: Email aliases
      type: array
      element:
        type: string
        indicators:
            - email

PreviousAnomali ThreatStream NextGreyNoise (Beta)

Last updated 7 days ago

Was this helpful?