Identity Provider Profiles

Fetch and store user and device data from identity providers

Overview

Panther can retrieve and store user and device data from common identity providers that you've configured as log sources. This information is stored in Panther-managed Lookup Tables, meaning it can be referred to in detection logic and search queries.

Learn more about how to set up profiles for different identity providers on the pages below:

Example detection use cases

You can leverage the user and device data from your identity provider profiles in your detections. See the following example use cases:

  • Detect when an action is performed by a terminated employee, which can indicate that off-boarding is incomplete.

  • In a detection's configuration, adjust the alert severity level based on the job title of the event actor. For example, you might use an INFO severity level if some action is taken by a System Administrator, but HIGH if taken by a user with any other role.

  • Detect when the device an action is taken from is a phone and the actor is not a System Administrator.

How to view profile data in the Data Lake

Once a profile has been set up, you can see the data it's storing by querying from its table in the Data Lake.

  1. In left-side navigation bar in your Panther Console, click Configure > Enrichment Providers.

  2. Locate the Enrichment Provider you'd like to view the data of, and click its name.

  3. In the upper-right corner, click View in Data Explorer.

    • You will be redirected to Data Explorer, and a SELECT query will be pre-populated.

  4. Below the SQL editor, click Run Query.

    • You can view table data in the Results section, below the SQL editor.

Last updated

#1924: [don't merge until ~Oct] Notion Logs (Beta)

Change request updated