Flow Automation Highlights
Unusual Login Alert Processing: Panther's unusual-login alerts are ingested automatically, triggering immediate investigation and response actions. This replaces manual alert triage, reducing response times from hours to minutes and ensuring consistent handling of potential security threats.
Slack Notification System: Relevant team members are promptly notified via Slack about the unusual login event. This automated communication eliminates the need for manual updates, ensuring swift team awareness and collaboration on potential security incidents.
IP Reputation Check: AbuseIPDB is automatically queried to assess the reputation of the IP address associated with the unusual login. This replaces time-consuming manual lookups, providing instant context for rapid decision-making on potential threats.
User Access Management: Based on the investigation's results, the Google Admin Directory is automatically accessed to manage user permissions. This automation streamlines suspending or unsuspending user accounts, significantly reducing the time and potential for human error in access control.
Orchestration Toolbox
Panther: In this use case, Panther is the initial alert system for detecting unusual login events. It triggers the workflow by sending alerts about potential security threats, enabling rapid response to suspicious activities.
Slack: Slack is the primary communication channel for notifying team members about the unusual login event. It ensures quick dissemination of critical information, facilitating immediate awareness and collaborative response among security teams.
AbuseIPDB: AbuseIPDB is utilized to perform automated IP reputation checks. It provides crucial context about the IP address associated with the unusual login, helping to assess the potential threat level and inform decision-making quickly.
Google Admin Directory: Google Admin Directory is the central tool for managing user access in this workflow. It enables automated actions that modify user permissions, such as suspending or unsuspending accounts based on the investigation's results, streamlining access control.
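As an added example (not code from Panther, Slack, AbuseIPDB or Google), the triage decision that ties the four workflow steps and the four tools together in Python: it reads a Panther alert, scores it against an AbuseIPDB `/api/v2/check` reply, and produces the Slack message plus the Google Admin Directory `users.update` body. The alert field names and the score thresholds are assumptions; the HTTP calls themselves are left to the automation platform.

```python
from dataclasses import dataclass
from typing import Optional

# Policy thresholds: assumed values, not taken from the page.
SUSPEND_SCORE = 75   # abuseConfidenceScore at or above this -> suspend the account
NOTIFY_SCORE = 25    # below this -> notify the team only


@dataclass
class Decision:
    action: str                  # "suspend", "escalate" or "notify"
    slack_text: str              # message for the Slack notification step
    directory_body: Optional[dict]  # JSON body for Admin Directory users.update, if any


def extract_login(alert: dict) -> tuple:
    """Pull actor email and source IP from a Panther alert payload.
    The key names below are assumed; map them to your detection's output."""
    ev = alert["event"]
    return ev["actor_email"], ev["source_ip"]


def triage(alert: dict, abuse_check: dict) -> Decision:
    """Combine the Panther alert with an AbuseIPDB /api/v2/check response."""
    user, ip = extract_login(alert)
    data = abuse_check["data"]  # field names follow the AbuseIPDB v2 "check" response
    score = int(data.get("abuseConfidenceScore", 0))
    reports = int(data.get("totalReports", 0))
    country = data.get("countryCode", "??")
    summary = (f"Unusual login for {user} from {ip} ({country}): "
               f"AbuseIPDB confidence {score}%, {reports} reports")
    if data.get("isWhitelisted") or score < NOTIFY_SCORE:
        return Decision("notify", summary + " -> no automated action, please review", None)
    if score >= SUSPEND_SCORE:
        # Body for PUT admin/directory/v1/users/{userKey}: suspends the account.
        return Decision("suspend", summary + f" -> suspended {user}", {"suspended": True})
    return Decision("escalate", summary + " -> analyst decision required", None)


def reinstate_body() -> dict:
    """users.update body for the unsuspend step once an analyst clears the login."""
    return {"suspended": False}


# Constructed sample inputs (not real alert or AbuseIPDB data).
SAMPLE_ALERT = {"event": {"actor_email": "alice@example.com", "source_ip": "203.0.113.10"}}
SAMPLE_CHECK = {"data": {"ipAddress": "203.0.113.10", "abuseConfidenceScore": 92,
                         "totalReports": 31, "countryCode": "ZZ", "isWhitelisted": False}}

if __name__ == "__main__":
    print(triage(SAMPLE_ALERT, SAMPLE_CHECK))
```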