Google Workspace Profiles (Beta)

Fetch and store Google Workspace user data to use in detections and search

Overview

Pulling Google Workspace user and device profiles is in closed beta starting with Panther version 1.72.

You can configure your Google Workspace log source integration in Panther to pull user profiles into Panther-managed Lookup Tables. This means you can use profile data in detection logic and search queries.

You can customize user profiles in Google Workspaces by following their documentation. You might consider adding custom attributes that would be useful in detection logic, such as the level of permissions expected for that user.

To view the data stored in your Google Workspace profile tables, follow these instructions on how to view profile data in the Data Lake.

How to set up Google Workspace user profiles in Panther

You can configure Google Workspace user profiles while you are initially setting up your Google Workspace log source integration in Panther, or later, by editing the source.

During either flow, you'll toggle the Google Workspace profile pulling setting on, then set the cadence at which you'd like profile data to be refreshed.

Prerequisites for Google Workspace user profiles

In order to pull Google Workspace user profiles into Panther, the following configurations must be set:

Your Google Workspace Cloud App must have the https://www.googleapis.com/auth/admin.directory.user.readonly scope.
The user who created the Google Cloud App must have read users privileges.

Configure Google Workspace profiles in Panther during Google Workspace source setup

Follow these instructions on how to create a new Google Workspace source in Panther, paying close attention to the Enable user profiles field.

Configure Google Workspace profiles in Panther after Google Workspace source setup

To set up Google Workspace profiles after you've already created an Google Workspace log source in Panther:

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Locate the Google Workspace log source for which you'd like to set up user profiles, and click its name.
In the upper right corner of the log source page, click Configuration, then Edit.
On the Configure page for your Google Workspace log source, click the Enable user profiles and/or Enable device profiles checkboxes.
- For each profile you enable, set the Refresh period (min) value. This represents the cadence at which Panther will update profile data with what is stored in Google Workspace.
In the upper-right corner, click Save.

Supported profile types

Panther supports pulling user profiles from Google Workspace.

GSuite.DirectoryUsers

schema: GSuite.DirectoryUsers
description: Panther managed Gsuite user profiles
referenceURL: https://developers.google.com/admin-sdk/directory/v1/guides/manage-users#get_all_users
fields:
    - name: match
      description: Keys to match for the lookup table
      type: array
      element:
        type: string
    - name: id
      description: Gsuite internal id for this user
      type: string
      indicators:
        - actor_id
    - name: customerId
      description: Gsuite customer id for this user
      type: string
    - name: primaryEmail
      description: Primary email
      type: string
      indicators:
        - email
    - name: recoveryEmail
      description: Recovery email
      type: string
      indicators:
        - email
    - name: name
      description: User name info
      type: json
    - name: isAdmin
      description: True if admin
      type: boolean
    - name: isDelegatedAdmin
      description: True if delegated admin
      type: boolean
    - name: lastLoginTime
      description: Time of last authentication
      type: timestamp
      timeFormats:
        - rfc3339
    - name: creationTime
      description: Create time for user record
      type: timestamp
      timeFormats:
        - rfc3339
    - name: agreedToTerms
      description: True if agreed to terms
      type: boolean
    - name: hashFunction
      description: Hash function to use
      type: string
    - name: suspended
      description: True if suspended
      type: boolean
    - name: changePasswordAtNextLogin
      description: True if set to change password at next login
      type: boolean
    - name: ipWhitelisted
      description: True if ip is whitelisted
      type: boolean
    - name: orgUnitPath
      description: Path for org
      type: string
    - name: isMailboxSetup
      description: True if mailbox setup
      type: boolean
    - name: includeInGlobalAddressList
      description: True if included in global address list
      type: boolean
    - name: emails
      description: Email profiles
      type: array
      element:
        type: json
    - name: externalIds
      description: External ids
      type: array
      element:
        type: json
    - name: aliases
      description: Email aliases
      type: array
      element:
        type: string
        indicators:
            - email
    - name: nonEditableAliases
      description: Email aliases
      type: array
      element:
        type: string
        indicators:
            - email

PreviousOkta Profiles (Beta)NextGreyNoise

Last updated 2 years ago

Was this helpful?