Google Workspace Profiles

Fetch and store Google Workspace user data to use in detections and search

Overview

You can configure your Google Workspace log source integration in Panther to pull user profiles into Panther-managed Lookup Tables. This means you can use profile data in detection logic and search queries.

You can customize user profiles in Google Workspaces by following their documentation. You might consider adding custom attributes that would be useful in detection logic, such as the level of permissions expected for that user.

To view the data stored in your Google Workspace profile tables, follow these instructions on how to view profile data in the Data Lake.

How to set up Google Workspace user profiles in Panther

You can configure Google Workspace user profiles while you are initially setting up your Google Workspace log source integration in Panther, or later, by editing the source.

During either flow, you'll toggle the Google Workspace profile pulling setting on, then set the cadence at which you'd like profile data to be refreshed.

In order to enable Google Workspace user profiles in Panther, you must first (or concurrently) onboard Google Workspace as a log source. It is not possible to set up an Google Workspace user profiles integration without onboarding Google Workspace as a log source in Panther.

Prerequisites for Google Workspace user profiles

In order to pull Google Workspace user profiles into Panther, the following configurations must be set:

  • Your Google Workspace Cloud App must have the https://www.googleapis.com/auth/admin.directory.user.readonly scope.

  • The user who created the Google Cloud App must have read users privileges.

Configure Google Workspace profiles in Panther during Google Workspace source setup

Configure Google Workspace profiles in Panther after Google Workspace source setup

You can set up Google Workspace profiles after you've already created a Google Workspace log source in Panther, either from the Enrichment Providers tab or the Log Sources tab in the Console.

Configure Google Workspace profiles after Google Workspace log source setup from the Enrichment Providers screen

  1. In the left-hand navigation bar of your Panther Console, click Configure > Enrichment Providers.

  2. In the upper-right corner, click Create New.

  3. Click Google Workspace.

  4. On the Enrichment page, click the toggle to the right of User Profiles.

  5. In the upper-right corner, click Save.

Supported profile types

Panther supports pulling user profiles from Google Workspace.

GSuite.DirectoryUsers

schema: GSuite.DirectoryUsers
description: Panther managed Gsuite user profiles
referenceURL: https://developers.google.com/admin-sdk/directory/v1/guides/manage-users#get_all_users
fields:
    - name: match
      description: Keys to match for the lookup table
      type: array
      element:
        type: string
    - name: id
      description: Gsuite internal id for this user
      type: string
      indicators:
        - actor_id
    - name: customerId
      description: Gsuite customer id for this user
      type: string
    - name: primaryEmail
      description: Primary email
      type: string
      indicators:
        - email
    - name: recoveryEmail
      description: Recovery email
      type: string
      indicators:
        - email
    - name: name
      description: User name info
      type: json
    - name: isAdmin
      description: True if admin
      type: boolean
    - name: isDelegatedAdmin
      description: True if delegated admin
      type: boolean
    - name: lastLoginTime
      description: Time of last authentication
      type: timestamp
      timeFormats:
        - rfc3339
    - name: creationTime
      description: Create time for user record
      type: timestamp
      timeFormats:
        - rfc3339
    - name: agreedToTerms
      description: True if agreed to terms
      type: boolean
    - name: hashFunction
      description: Hash function to use
      type: string
    - name: suspended
      description: True if suspended
      type: boolean
    - name: changePasswordAtNextLogin
      description: True if set to change password at next login
      type: boolean
    - name: ipWhitelisted
      description: True if ip is whitelisted
      type: boolean
    - name: orgUnitPath
      description: Path for org
      type: string
    - name: isMailboxSetup
      description: True if mailbox setup
      type: boolean
    - name: includeInGlobalAddressList
      description: True if included in global address list
      type: boolean
    - name: emails
      description: Email profiles
      type: array
      element:
        type: json
    - name: externalIds
      description: External ids
      type: array
      element:
        type: json
    - name: aliases
      description: Email aliases
      type: array
      element:
        type: string
        indicators:
            - email
    - name: nonEditableAliases
      description: Email aliases
      type: array
      element:
        type: string
        indicators:
            - email

Last updated

#1924: [don't merge until ~Oct] Notion Logs (Beta)

Change request updated