Fable Security — Employee Attribute Library

Last updated: March 12, 2026

This document catalogs every employee attribute that Fable's Employee Risk Engine computes. For each attribute you will find a detailed definition, the integration it relies on, and the specific API scopes required.

How to read this document: Attributes are organized by category. Each entry includes a definition explaining how the attribute is determined, followed by the integration(s) that supply the underlying data and the OAuth/API scopes those integrations require. If your organization has not enabled a particular integration, attributes sourced from it will not be available. Some attributes are parameterized — they can be configured with different lookback windows, thresholds, and filters to fine-tune risk detection.


1. Employee Directory & Identity

These attributes describe who an employee is — their role, department, location, and position in the organization. They are derived from your primary identity provider or HR system.

Employee Department

Description: The department the employee belongs to (e.g., Engineering, Sales, Finance). This value is pulled directly from the department field in your identity provider or HR system.

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly

  • Microsoft 365: User.Read.All, Directory.Read.All

  • Okta: okta.users.read

  • Workday: Organizations & Roles, System

  • BambooHR: Job Information (View Only)

  • On-Prem Directory: CSV upload API


Employee Organization

Description: The organizational unit or business division the employee sits in. This is the top-level organizational grouping from your directory — for example, a Google Workspace Org Unit or an Azure AD department hierarchy.

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly

  • Microsoft 365: User.Read.All, Directory.Read.All

  • Okta: okta.users.read

  • Workday: Organizations & Roles, System

  • BambooHR: Job Information (View Only)

  • On-Prem Directory: CSV upload API


Employee Job Title

Description: The employee's current job title as recorded in your identity provider or HR system (e.g., "Senior Software Engineer", "VP of Marketing").

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly

  • Microsoft 365: User.Read.All, Directory.Read.All

  • Okta: okta.users.read

  • Workday: Jobs & Positions, System

  • BambooHR: Job Information (View Only)

  • On-Prem Directory: CSV upload API


Employee Type

Description: The employment classification assigned by your identity provider. Common values include Member, Guest, and External — reflecting whether the person is a full organizational member or an external collaborator.

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly

  • Microsoft 365: User.Read.All, Directory.Read.All

  • Okta: okta.users.read

  • Workday: Staffing, System

  • BambooHR: Employment Status (View Only)

  • On-Prem Directory: CSV upload API


Employment Status

Description: Whether the employee is classified as a contractor, consultant, or full-time employee. Fable determines this by inspecting the employee's job title: if it contains "contractor" or "outside vendor" the employee is classified as a Contractor; if it contains "consultant" they are classified as a Consultant; otherwise they are classified as Full-Time.

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly

  • Microsoft 365: User.Read.All, Directory.Read.All

  • Okta: okta.users.read

  • Workday: Staffing, System

  • BambooHR: Employment Status (View Only)

  • On-Prem Directory: CSV upload API


Employee Start Date

Description: The date the employee started at the organization, as recorded in your identity provider or HR system.

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly

  • Microsoft 365: User.Read.All, Directory.Read.All

  • Okta: okta.users.read

  • Workday: Staffing, System

  • BambooHR: Hire Date (View Only)

  • On-Prem Directory: CSV upload API


Manager Email

Description: The email address of the employee's direct manager, as recorded in your identity provider or HR system.

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly

  • Microsoft 365: User.Read.All, Directory.Read.All

  • Okta: okta.users.read

  • Workday: Organizations & Roles, System

  • BambooHR: Reporting To (View Only)

  • On-Prem Directory: CSV upload API


Chain of Command Emails

Description: The full reporting chain from the employee's direct manager up through every level of management to the top of the organization. Fable builds this by recursively following the manager relationship in your directory.

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly

  • Microsoft 365: User.Read.All, Directory.Read.All

  • Okta: okta.users.read

  • Workday: Organizations & Roles, System

  • BambooHR: Reporting To (View Only)

  • On-Prem Directory: CSV upload API


Is VIP

Description: Whether the employee is considered a high-value target. Fable determines VIP status by first checking if the employee is a C-Level executive. If not, it pattern-matches the employee's job title for senior leadership keywords including "Chief", "Director", "VP", and "Head of" (case-insensitive). An employee matching either condition is flagged as a VIP.

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly

  • Microsoft 365: User.Read.All, Directory.Read.All

  • Okta: okta.users.read

  • Workday: Worker Profile and Skills, System

  • BambooHR: Basic Info (View Only)

  • On-Prem Directory: CSV upload API


Is C-Level Executive

Description: Whether the employee holds a C-suite title. Fable checks the employee's job title for keywords such as "chief", "ceo", "cfo", "coo", "cto", "cmo", and "cio" using word-boundary matching. False positives like "chief resident" and "chief architect" are explicitly excluded.

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly

  • Microsoft 365: User.Read.All, Directory.Read.All

  • Okta: okta.users.read

  • Workday: Jobs & Positions, System

  • BambooHR: Job Information (View Only)

  • On-Prem Directory: CSV upload API
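
The three title-based attributes above (Employment Status, Is VIP, Is C-Level Executive) can be reproduced with the following added example, which is not Fable's code. The keyword lists are the ones quoted in the descriptions; the regexes, the whitespace normalization, and the choice to strip excluded phrases before matching are assumptions of this example.

```python
import re

# Keywords and exclusions quoted in the attribute descriptions above.
C_LEVEL_KEYWORDS = ("chief", "ceo", "cfo", "coo", "cto", "cmo", "cio")
C_LEVEL_EXCLUSIONS = ("chief resident", "chief architect")
VIP_KEYWORDS = ("chief", "director", "vp", "head of")


def word_regex(phrases):
    """Case-insensitive regex that matches any phrase on word boundaries."""
    body = "|".join(re.escape(p) for p in phrases)
    return re.compile(r"\b(?:" + body + r")\b", re.IGNORECASE)


C_LEVEL_RE = word_regex(C_LEVEL_KEYWORDS)
EXCLUSION_RE = word_regex(C_LEVEL_EXCLUSIONS)
VIP_RE = word_regex(VIP_KEYWORDS)


def normalize(title):
    """Collapse whitespace so 'Chief  Resident' still hits the exclusion."""
    return " ".join((title or "").split())


def is_c_level(title):
    # Assumption: excluded phrases are removed first and the remainder is
    # searched, so "Chief Architect and CTO" still counts as C-level.
    remainder = EXCLUSION_RE.sub(" ", normalize(title))
    return bool(C_LEVEL_RE.search(remainder))


def substring_c_level(title):
    """Contrast case: plain substring search without word boundaries."""
    lowered = normalize(title).lower()
    return any(keyword in lowered for keyword in C_LEVEL_KEYWORDS)


def is_vip(title):
    # Order from the description: C-level check first, then title keywords.
    # Word boundaries on the VIP keywords are this example's assumption.
    return is_c_level(title) or bool(VIP_RE.search(normalize(title)))


def employment_status(title):
    # "Contains" is implemented as a case-insensitive substring test.
    lowered = normalize(title).lower()
    if "contractor" in lowered or "outside vendor" in lowered:
        return "Contractor"
    if "consultant" in lowered:
        return "Consultant"
    return "Full-Time"


def classify(title):
    return {
        "employment_status": employment_status(title),
        "is_c_level": is_c_level(title),
        "is_vip": is_vip(title),
    }


# Constructed sample titles, not taken from any real directory.
SAMPLE_TITLES = [
    "Chief Technology Officer",
    "Director of Engineering",   # contains the substring "cto"
    "Security Contractor",       # contains the substring "cto"
    "Program Coordinator",       # contains the substring "coo"
    "Chief Architect",           # excluded from C-level, still a VIP keyword
    "Senior Software Engineer",
]

if __name__ == "__main__":
    for sample in SAMPLE_TITLES:
        print(f"{sample!r}: {classify(sample)} "
              f"substring_c_level={substring_c_level(sample)}")
```

"Director", "Contractor" and "Coordinator" all contain a C-suite abbreviation as a substring, which is why the description calls out word-boundary matching. With boundaries applied to the VIP keywords as well, a title such as "SVP of Sales" does not match "VP".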


Is IT Admin

Description: Whether the employee has IT administrator privileges. Fable checks whether the employee's directory record has an admin or delegated admin flag set to true — for example, a Google Workspace Super Admin or an Azure AD Global Administrator.

Integration & Required Scopes:

  • Google Workspace: admin.directory.rolemanagement.readonly


Employee Role Responsibilities

Description: A text description of the employee's role and responsibilities, pulled from the role/description field in your identity provider or HR system.

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly

  • Microsoft 365: User.Read.All, Directory.Read.All

  • Okta: okta.users.read

  • Workday: Worker Profile and Skills, System

  • BambooHR: Job Information (View Only)

  • On-Prem Directory: CSV upload API


Business Entity

Description: The business entity or legal entity the employee belongs to (e.g., a subsidiary or regional entity), as recorded in your directory or HR system.

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly

  • Microsoft 365: User.Read.All, Directory.Read.All

  • Okta: okta.users.read

  • Workday: Organizations & Roles, System

  • BambooHR: Department (View Only)

  • On-Prem Directory: CSV upload API


Work Location — City

Description: The city where the employee is based, as recorded in your identity provider or HR system.

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly

  • Microsoft 365: User.Read.All, Directory.Read.All

  • Okta: okta.users.read

  • Workday: Staffing, System

  • BambooHR: Basic Info (View Only)

  • On-Prem Directory: CSV upload API


Work Location — Country

Description: The country where the employee is based, as recorded in your identity provider or HR system.

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly

  • Microsoft 365: User.Read.All, Directory.Read.All

  • Okta: okta.users.read

  • Workday: Staffing, System

  • BambooHR: Basic Info (View Only)

  • On-Prem Directory: CSV upload API


Work Location — Region

Description: The state, province, or region where the employee is based, as recorded in your identity provider or HR system.

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly

  • Microsoft 365: User.Read.All, Directory.Read.All

  • Okta: okta.users.read

  • Workday: Staffing, System

  • BambooHR: Basic Info (View Only)

  • On-Prem Directory: CSV upload API


Is Current Employee

Description: Whether the employee is an active member of the organization. Fable marks an employee as current if their directory status is "active" (or not set) AND their account type is "member" (or not set). Suspended, deleted, or guest accounts are not considered current employees.

Integration & Required Scopes:

  • Fable (internal): No customer scopes required


Groups Member Of

Description: The directory groups the employee belongs to — for example, Google Groups, Azure AD security groups, or distribution lists. Useful for understanding access privileges and communication channels.

Integration & Required Scopes:

  • Google Workspace: admin.directory.group.readonly, admin.directory.group.member.readonly

  • Microsoft 365: Group.Read.All, GroupMember.Read.All


2. MFA & Authentication

These attributes describe how well an employee is protected by multi-factor authentication and what authentication methods they use.

MFA Types

Description: The types of MFA authenticators enrolled for the employee. Fable normalizes MFA methods across providers into standard categories: SMS, email, TOTP (time-based one-time password), HOTP (event-based one-time password), security key (hardware U2F/FIDO2), WebAuthn, push notification, passkey, security question, and password.

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly

  • Microsoft 365: UserAuthenticationMethod.Read.All

  • Okta: okta.factors.read


Apps with MFA Enabled

Description: Applications where the employee has MFA turned on, based on SSO authentication records.

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly

  • Microsoft 365: UserAuthenticationMethod.Read.All

  • Okta: okta.factors.read


Apps with MFA Not Enforced

Description: Applications assigned to the employee where MFA is not required by policy.

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly

  • Microsoft 365: UserAuthenticationMethod.Read.All

  • Okta: okta.factors.read


Apps with Weak MFA Usage

Description: Applications where the employee authenticates using a non-phishing-resistant MFA method. Fable classifies MFA methods as "weak" if they lack phishing resistance — for example, SMS, email, or TOTP codes. Phishing-resistant methods like hardware security keys and WebAuthn with biometrics are considered strong. This attribute lists apps where only weak methods were used over the last 3 months.

Integration & Required Scopes:

  • Okta: okta.factors.read, okta.logs.read


Google MFA Types Used to Login (Last 3 Months)

Description: The specific MFA methods the employee actually used when signing in to Google over the past 90 days — as opposed to what they have enrolled. This shows real-world authentication behavior.

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly


Has Google Recovery Email

Description: Whether the employee has a personal recovery email set on their Google account. Recovery emails can be a security risk if they use a personal email that may have weaker protections.

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly


Google Recovery Email

Description: The actual recovery email address configured on the employee's Google account.

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly


Okta Recovery Email

Description: The recovery email address configured on the employee's Okta account.

Integration & Required Scopes:

  • Okta: okta.users.read


MFA Not Enabled on Main Workspace

Description: Whether the employee does not have MFA enabled on their primary workspace (Google Workspace, Microsoft 365, or Okta). This flags employees who lack MFA on their main identity provider account.

Integration & Required Scopes:

  • Google Workspace: admin.directory.user.readonly

  • Microsoft 365: UserAuthenticationMethod.Read.All

  • Okta: okta.factors.read


3. Password Security

These attributes assess password hygiene and credential exposure risk.

Has Reused Password (Last 3 Months)

Description: Whether the employee reused a password across websites, detected via Chrome browser reporting. When Chrome detects that a saved password has been entered on a different site, it generates a password reuse event. Requires Chrome activity reporting to be enabled in Google Workspace.

Integration & Required Scopes:

  • Google Workspace: admin.reports.audit.readonly (Chrome activity reporting must be enabled)


Has Weak Password (Google)

Description: Whether the employee's Google account password is classified as weak based on Google's password strength analysis.

Integration & Required Scopes:

  • Google Workspace: admin.reports.usage.readonly


Has Non-Compliant Password (Google)

Description: Whether the employee's Google account password does not meet the organization's configured password policy (e.g., minimum length, complexity requirements).

Integration & Required Scopes:

  • Google Workspace: admin.reports.usage.readonly


Has Compromised Password

Description: Whether the employee has a compromised or weak password as detected by CrowdStrike Identity Threat Protection. Fable checks CrowdStrike risk factors for the "WEAK_PASSWORD" type — if present, the employee is flagged.

Integration & Required Scopes:

  • CrowdStrike: Hosts (Read), Identity Protection Entities (Read), Identity Protection GraphQL (Write*)

* CrowdStrike Identity Protection GraphQL requires Write access because the API uses HTTP POST for both queries and mutations. Fable only performs read operations.


Latest Date of Okta Password Change

Description: The last time the employee changed their Okta password, as reported by the Okta user profile.

Integration & Required Scopes:

  • Okta: okta.users.read


4. Login Behavior & Location

These attributes analyze where and how employees sign in, helping identify anomalous access patterns.

Has Suspicious Login (Last 3 Months)

Description: Whether the employee had a login flagged as suspicious by your identity provider. Suspicious logins include events like impossible travel (logging in from two distant locations in quick succession), logins from known risky IP addresses, or sign-ins that violate conditional access policies.

Integration & Required Scopes:

  • Google Workspace: admin.reports.audit.readonly

  • Microsoft 365: AuditLog.Read.All, IdentityRiskEvent.Read.All


Number of IP Addresses Used (Last 3 Months)

Description: How many distinct IP addresses the employee logged in from over the past 90 days. A high number may indicate a mobile workforce — or compromised credentials being used from multiple locations.

Integration & Required Scopes:

  • Google Workspace: admin.reports.audit.readonly

  • Microsoft 365: AuditLog.Read.All


Number of Cities Logged In From (Last 3 Months)

Description: How many distinct cities the employee logged in from over the past 90 days, based on IP geolocation.

Integration & Required Scopes:

  • Google Workspace: admin.reports.audit.readonly

  • Microsoft 365: AuditLog.Read.All


Has Login Outside USA (Last 3 Months)

Description: Whether the employee logged in from an IP address geolocated outside the United States in the past 90 days.

Integration & Required Scopes:

  • Google Workspace: admin.reports.audit.readonly

  • Microsoft 365: AuditLog.Read.All


Login from At-Risk Countries (Last 3 Months)

Description: Countries classified as high risk that the employee logged in from. Fable's at-risk country list includes: China, Netherlands, Nigeria, North Korea, Iran, and Russia.

Integration & Required Scopes:

  • Google Workspace: admin.reports.audit.readonly

  • Microsoft 365: AuditLog.Read.All


Last Login Date (Last 3 Months)

Description: The most recent date the employee signed in to their workspace account.

Integration & Required Scopes:

  • Google Workspace: admin.reports.audit.readonly

  • Microsoft 365: AuditLog.Read.All


Latest Date of Activity

Description: The most recent date of any tracked employee activity in the workspace (e.g., email, document access, drive usage), as reported by usage reports.

Integration & Required Scopes:

  • Google Workspace: admin.reports.usage.readonly


OFAC Country Login Events

Description: Whether the employee logged in from countries on the OFAC (Office of Foreign Assets Control) sanctions list. OFAC-sanctioned countries are nations subject to U.S. government trade and financial restrictions. This attribute is parameterized: Lookback: 7 / 30 / 90 days · Threshold: 1 / 10 / 100 events.

Integration & Required Scopes:

  • Google Workspace: admin.reports.audit.readonly

  • Microsoft 365: AuditLog.Read.All

  • Okta: okta.logs.read


Multiple Country Login Events

Description: Whether the employee logged in from an unusually high number of countries in a short period, which may indicate credential compromise or account sharing. This attribute is parameterized: Lookback: 1 / 7 / 30 days · Threshold: 3 / 5 / 10 countries · Filter: Any / Failure / Success.

Integration & Required Scopes:

  • Google Workspace: admin.reports.audit.readonly

  • Microsoft 365: AuditLog.Read.All
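
How the three parameters of Multiple Country Login Events interact, as an added example that is not Fable's code. The event fields (`user`, `ts`, `country`, `outcome`), the inclusive `>=` threshold comparison, and the sample events are assumptions of this example; the allowed parameter values are the ones listed in the description.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Parameter values listed in the attribute description.
LOOKBACK_DAYS = (1, 7, 30)
COUNTRY_THRESHOLDS = (3, 5, 10)
OUTCOME_FILTERS = ("Any", "Failure", "Success")


def multi_country_logins(events, now, lookback_days, threshold, outcome="Any"):
    """Return {user: sorted distinct countries} for users at or over threshold.

    Only events inside the lookback window and matching the outcome filter
    are counted. Events without a country (failed geolocation) are skipped.
    """
    if lookback_days not in LOOKBACK_DAYS:
        raise ValueError(f"lookback_days must be one of {LOOKBACK_DAYS}")
    if threshold not in COUNTRY_THRESHOLDS:
        raise ValueError(f"threshold must be one of {COUNTRY_THRESHOLDS}")
    if outcome not in OUTCOME_FILTERS:
        raise ValueError(f"outcome must be one of {OUTCOME_FILTERS}")

    cutoff = now - timedelta(days=lookback_days)
    countries = defaultdict(set)
    for event in events:
        if not (cutoff <= event["ts"] <= now):
            continue
        if outcome != "Any" and event["outcome"] != outcome:
            continue
        if not event.get("country"):
            continue
        countries[event["user"]].add(event["country"].upper())

    # Assumption: "threshold" means at least that many distinct countries.
    return {
        user: sorted(seen)
        for user, seen in countries.items()
        if len(seen) >= threshold
    }


# Constructed sample data; the reference time is arbitrary.
NOW = datetime(2026, 3, 12, 12, 0, tzinfo=timezone.utc)


def sample_event(user, hours_ago, country, outcome):
    return {
        "user": user,
        "ts": NOW - timedelta(hours=hours_ago),
        "country": country,
        "outcome": outcome,
    }


SAMPLE_EVENTS = [
    sample_event("alice@example.com", 2, "US", "Success"),
    sample_event("alice@example.com", 5, "DE", "Failure"),
    sample_event("alice@example.com", 20, "BR", "Failure"),
    sample_event("alice@example.com", 72, "JP", "Failure"),
    sample_event("bob@example.com", 1, "US", "Success"),
    sample_event("bob@example.com", 3, "US", "Success"),
    sample_event("bob@example.com", 10, "CA", "Success"),
]

if __name__ == "__main__":
    for days, limit, flt in [(1, 3, "Any"), (1, 3, "Failure"), (7, 3, "Failure")]:
        hits = multi_country_logins(SAMPLE_EVENTS, NOW, days, limit, flt)
        print(f"lookback={days}d threshold={limit} filter={flt}: {hits}")
```

The same user is flagged or not depending on the filter: restricting to failures over one day drops the successful US login and leaves two countries, while widening the window to seven days brings the third failed country back in.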


5. Device Posture

These attributes describe the security state of employee devices (laptops, phones, tablets).

Device OS

Description: The operating system(s) of the employee's registered devices (e.g., Windows 11, macOS 15, iOS 18, Android 14).

Integration & Required Scopes:

  • Google Workspace: admin.directory.device.mobile.readonly

  • Microsoft 365: DeviceManagementManagedDevices.Read.All, Device.Read.All


Active Device OS

Description: The operating system(s) of devices the employee has actively used recently, as opposed to all registered devices.

Integration & Required Scopes:

  • Google Workspace: admin.directory.device.mobile.readonly

  • Microsoft 365: DeviceManagementManagedDevices.Read.All, Device.Read.All


Device Security Patch Level

Description: The latest security patch level installed on the employee's device(s), indicating how up-to-date their security updates are.

Integration & Required Scopes:

  • Google Workspace: admin.directory.device.mobile.readonly

  • Microsoft 365: DeviceManagementManagedDevices.Read.All, Device.Read.All


Number of Devices

Description: Total number of devices registered to the employee in your MDM or device management system.

Integration & Required Scopes:

  • Google Workspace: admin.directory.device.mobile.readonly

  • Microsoft 365: DeviceManagementManagedDevices.Read.All, Device.Read.All


Number of Devices Without Password

Description: Devices registered to the employee that do not have a passcode, PIN, or screen lock configured.

Integration & Required Scopes:

  • Google Workspace: admin.directory.device.mobile.readonly

  • Microsoft 365: DeviceManagementManagedDevices.Read.All, Device.Read.All


Number of Compromised Devices

Description: Devices flagged as compromised by your MDM provider — for example, devices that are jailbroken (iOS), rooted (Android), or have had their security controls tampered with. Fable checks the device's compromise status field for a "compromise detected" flag.

Integration & Required Scopes:

  • Google Workspace: admin.directory.device.mobile.readonly

  • Microsoft 365: DeviceManagementManagedDevices.Read.All, Device.Read.All


Number of Unencrypted Devices

Description: Devices that do not have full-disk encryption enabled (e.g., BitLocker on Windows, FileVault on macOS).

Integration & Required Scopes:

  • Google Workspace: admin.directory.device.mobile.readonly

  • Microsoft 365: DeviceManagementManagedDevices.Read.All, Device.Read.All


Number of Unmanaged Devices

Description: Devices not enrolled in the organization's MDM/UEM solution, meaning they lack centralized security policy enforcement.

Integration & Required Scopes:

  • Google Workspace: admin.directory.device.mobile.readonly

  • Microsoft 365: DeviceManagementManagedDevices.Read.All, Device.Read.All


Number of Non-Compliant Devices

Description: Devices that fail the organization's compliance policies as defined in your MDM system (e.g., missing required encryption, outdated OS, no passcode, missing required apps).

Integration & Required Scopes:

  • Microsoft 365: DeviceManagementManagedDevices.Read.All, DeviceManagementConfiguration.Read.All


OS Version Currency

Description: Whether the employee is running an outdated operating system version. Fable compares the device's OS version against known current versions for each platform (iOS, iPadOS, Windows, macOS, Linux, Android) and flags devices that are behind by a configurable number of major versions. This attribute is parameterized: OS Type: Windows / macOS / Linux / iOS / iPadOS / Android · Threshold: 1 / 3 / 10 major versions behind.

Integration & Required Scopes:

  • Google Workspace: admin.directory.device.mobile.readonly

  • Microsoft 365: DeviceManagementManagedDevices.Read.All, Device.Read.All

  • CrowdStrike: Hosts (Read)

  • Okta: okta.devices.read


6. Phishing & Malware Alerts

These attributes capture email-borne threats detected by your identity or email security platform.

Latest Date of Phishing Attack (Last 3 Months)

Description: The most recent date a phishing attack targeting this employee was detected by your email security system.

Integration & Required Scopes:

  • Google Workspace: apps.alerts

  • Microsoft 365: SecurityAlert.Read.All


Latest Date of Malware Attack (Last 3 Months)

Description: The most recent date a malware attack targeting this employee was detected (e.g., a malicious email attachment or link).

Integration & Required Scopes:

  • Google Workspace: apps.alerts

  • Microsoft 365: SecurityAlert.Read.All


Number of Phishing Attacks (Last 3 Months)

Description: Total phishing attacks detected against this employee in the past 90 days.

Integration & Required Scopes:

  • Google Workspace: apps.alerts

  • Microsoft 365: SecurityAlert.Read.All


Number of Malware Attacks (Last 3 Months)

Description: Total malware attacks detected against this employee in the past 90 days.

Integration & Required Scopes:

  • Google Workspace: apps.alerts

  • Microsoft 365: SecurityAlert.Read.All


Number of Phishing Reports (Last 3 Months)

Description: Times this employee proactively reported a suspicious email using the built-in phishing report button (e.g., Gmail's "Report phishing" or Outlook's "Report Message"). Higher numbers indicate good security awareness.

Integration & Required Scopes:

  • Google Workspace: gmail.metadata, apps.alerts

  • Microsoft 365: SecurityAlert.Read.All


Number of Potential Employee Spoofing Events (Last 3 Months)

Description: Detected attempts to impersonate this employee's identity in email — for example, someone sending emails that appear to come from this employee using a spoofed address.

Integration & Required Scopes:

  • Google Workspace: apps.alerts

  • Microsoft 365: SecurityAlert.Read.All


Number of Malicious URL Click Alerts (Last 3 Months)

Description: Times this employee clicked a URL that was subsequently classified as malicious by Microsoft Defender for Office 365.

Integration & Required Scopes:

  • Microsoft 365: SecurityAlert.Read.All

  • Google Workspace: apps.alerts


Number of Unreported Phishing or Malware Attacks (Last Year)

Description: Phishing or malware attacks that hit this employee but were never reported by them. Fable calculates this by comparing the total number of classified phishing/malware messages targeting the employee against the number of phishing reports they submitted. The difference represents attacks that went unreported.

Integration & Required Scopes:

  • Google Workspace: apps.alerts, gmail.metadata

  • Microsoft 365: SecurityAlert.Read.All


Phishing Simulation Failure Rate

Description: The employee's failure rate on phishing simulations. Fable calculates this as: (failed simulations ÷ completed simulations) × 100. A "failure" means the employee clicked on a simulated phishing link without reporting it. Only employees who have completed the minimum number of simulations are evaluated. This attribute is parameterized: Lookback: 30 / 60 / 90 / 180 / 365 days · Failure Rate Threshold: 20% / 40% / 60% · Minimum Completed Simulations: 1 / 3 / 5.

Integration & Required Scopes:

  • Proofpoint SAT (ZenGuide): API token with Reporting permission

  • Fable (internal): Internal phishing simulation data


7. Endpoint Detection (CrowdStrike)

These attributes surface endpoint security incidents detected by CrowdStrike Falcon.

Number of Severe Malware Alerts (Last 90 Days)

Description: High-severity malware alerts on devices associated with this employee, as detected by CrowdStrike Falcon's endpoint protection.

Integration & Required Scopes:

  • CrowdStrike: Alerts (Read), Detections (Read), Hosts (Read)


Number of Severe Virus Alerts (Last 90 Days)

Description: High-severity virus alerts on devices associated with this employee.

Integration & Required Scopes:

  • CrowdStrike: Alerts (Read), Detections (Read), Hosts (Read)


Number of Severe Blocked Exploit Alerts (Last 90 Days)

Description: High-severity exploit attempts that were blocked on this employee's devices — for example, buffer overflow attacks or privilege escalation attempts.

Integration & Required Scopes:

  • CrowdStrike: Alerts (Read), Detections (Read), Hosts (Read)


Number of Severe Data Theft Alerts (Last 90 Days)

Description: High-severity data theft or exfiltration alerts on this employee's devices, indicating potential unauthorized data transfer.

Integration & Required Scopes:

  • CrowdStrike: Alerts (Read), Detections (Read), Hosts (Read)


Risk Factors

Description: CrowdStrike Identity Threat Protection risk factors associated with this employee. These are security risks detected on the employee's identity — such as weak passwords, stale credentials, or misconfigured account settings — as reported by CrowdStrike's identity analysis engine.

Integration & Required Scopes:

  • CrowdStrike: Identity Protection Assessment (Read), Identity Protection Entities (Read), Identity Protection GraphQL (Write*)

* CrowdStrike Identity Protection GraphQL requires Write access because the API uses HTTP POST for both queries and mutations. Fable only performs read operations.


Malware Detection Events

Description: Whether the employee's endpoints triggered malware alerts, with filtering by attack scenario. Scenarios include blocked exploits, data theft attempts, persistence establishment, known malware, malicious documents, and ransomware. This attribute is parameterized: Lookback: 7 / 30 / 90 days · Threshold: 1 / 5 / 10 events · Scenario: Any / Blocked Exploit / Data Theft / Establish Persistence / Known Malware / Malicious Document / Ransomware.

Integration & Required Scopes:

  • CrowdStrike: Alerts (Read), Detections (Read), Hosts (Read)


8. Email & Data Sharing

These attributes measure how employees interact with email and share data externally.

Forwards Inbox Externally

Description: Whether the employee has an inbox rule that automatically forwards email to an external address. Fable detects this by checking the employee's mail forwarding rules and filtering out internal forwarding (addresses matching the employee's company domain). Only forwards to addresses outside the organization are flagged.

Integration & Required Scopes:

  • Google Workspace: gmail.settings.basic

  • Microsoft 365: MailboxSettings.Read
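
The internal-versus-external filter described for Forwards Inbox Externally depends on how "matching the company domain" is implemented. The following added example, which is not Fable's code, compares the parsed domain label by label instead of using a bare suffix test. The rule shape (`forward_to`), treating subdomains as internal, and the sample rules are assumptions of this example.

```python
from email.utils import parseaddr


def address_domain(address):
    """Return the lowercased domain of an address, or '' if unparseable."""
    addr = parseaddr(address)[1]
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().rstrip(".").lower()


def is_internal(address, company_domains):
    """True only for the company domain itself or one of its subdomains.

    A bare endswith("example.com") would also accept "notexample.com", and a
    substring test would accept "example.com.attacker.test". Requiring an
    exact match or a "." before the company domain rules both out.
    Unparseable targets are treated as external so they get reviewed.
    """
    domain = address_domain(address)
    if not domain:
        return False
    for company in company_domains:
        company = company.strip().strip(".").lower()
        if domain == company or domain.endswith("." + company):
            return True
    return False


def external_forward_targets(rules, company_domains):
    """List every forwarding target that leaves the organization."""
    flagged = []
    for rule in rules:
        for target in rule.get("forward_to", []):
            if not is_internal(target, company_domains):
                flagged.append(target)
    return flagged


def forwards_inbox_externally(rules, company_domains):
    return bool(external_forward_targets(rules, company_domains))


# Constructed forwarding rules for one mailbox; "forward_to" is a
# hypothetical field name, not a Gmail or Microsoft Graph property.
SAMPLE_RULES = [
    {"forward_to": ["archive@example.com"]},               # internal
    {"forward_to": ["Alice <alice@mail.EXAMPLE.com>"]},    # internal subdomain
    {"forward_to": ["me@notexample.com"]},                 # suffix lookalike
    {"forward_to": ["me@example.com.attacker.test"]},      # prefix lookalike
    {"forward_to": ["personal@mailbox.test"]},             # plainly external
]

if __name__ == "__main__":
    print(external_forward_targets(SAMPLE_RULES, ["example.com"]))
```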


Number of Externally Sent Emails with Attachments (Last 2 Months)

Description: Count of emails with attachments sent to recipients outside the organization in the past 2 months.

Integration & Required Scopes:

  • Microsoft 365: Mail.ReadBasic.All


Number of Unapproved Externally Sent Emails with Attachments (Last 2 Months)

Description: Count of externally sent emails with attachments where the recipient's domain is NOT on your organization's approved external domains list. The approved domain list is configured in Fable's client preferences — any external domain not on that list is considered unapproved.

Integration & Required Scopes:

  • Microsoft 365: Mail.ReadBasic.All


9. File Activity & AI Service Usage

These attributes track file downloads, sharing, transfers, and uploads to AI services.

Number of Files Downloaded (Last 3 Months)

Description: Total files the employee downloaded from Google Drive in the past 90 days.

Integration & Required Scopes:

  • Google Workspace: admin.reports.audit.readonly


Number of Documents Shared Externally (Last 2 Months)

Description: Documents the employee shared with people outside the organization via Google Drive in the past 2 months.

Integration & Required Scopes:

  • Google Workspace: admin.reports.audit.readonly


Number of File Uploads to Generative AI (Last 3 Months)

Description: Files the employee uploaded to generative AI services (ChatGPT, Claude, Gemini, etc.) detected via Chrome browser reporting. Requires Chrome activity reporting to be enabled in Google Workspace.

Integration & Required Scopes:

  • Google Workspace: admin.reports.audit.readonly (Chrome activity reporting must be enabled)


File Upload to AI Services

Description: Whether the employee uploaded files to specific generative AI services. Fable detects file uploads categorized as "Generative AI" by monitoring content transfer events. Tracked AI services include Anthropic (Claude), OpenAI (ChatGPT), and Google (Gemini). This attribute is parameterized: Lookback: 7 / 30 / 90 days · Threshold: 1 / 10 / 100 uploads · Domain: Anthropic / ChatGPT / Gemini (Google) / Any.

Integration & Required Scopes:

  • Google Workspace: admin.reports.audit.readonly (Chrome activity reporting must be enabled)

  • Netskope: /api/v2/dataexport/events/alert (Read), /api/v2/events/data/alert (Read)


10. Browser Security

These attributes surface risky browser behavior detected through Chrome reporting.

Number of Unsafe Websites Visited (Last 3 Months)

Description: Websites flagged as unsafe (malware, phishing, social engineering) that the employee visited, as detected by Chrome Safe Browsing and reported via Chrome activity reporting.

Integration & Required Scopes:

  • Google Workspace: admin.reports.audit.readonly (Chrome activity reporting must be enabled)


Installed Browser Extensions

Description: All Chrome browser extensions currently installed by the employee, as reported through Chrome activity reporting.

Integration & Required Scopes:

  • Google Workspace: admin.reports.audit.readonly (Chrome activity reporting must be enabled)


Known Currently Installed Blocklisted Browser Extensions

Description: Chrome extensions the employee has installed that appear on a blocklist. Fable first checks for a client-specific blocklist configured by your organization; if none exists, it falls back to Fable's internal blocklist of known risky extensions. Only currently installed extensions (not previously uninstalled ones) are flagged.

Integration & Required Scopes:

  • Google Workspace: admin.reports.audit.readonly (Chrome activity reporting must be enabled)


Unsecure Browsing

Description: Whether the employee visited unsafe or malicious websites, as detected by your security platform. Events include visits to known malware distribution sites, phishing pages, and command-and-control servers. This attribute is parameterized: Lookback: 7 / 30 / 90 days · Threshold: 1 / 5 / 10 visits.

Integration & Required Scopes:

  • Netskope: /api/v2/dataexport/events/alert (Read), /api/v2/events/data/alert (Read)


11. Data Loss Prevention (DLP)

These attributes surface DLP policy violations detected by your security platform.

Number of Inadequate PII Anonymization Alerts (Last Year)

Description: DLP alerts triggered when the employee mishandled personally identifiable information. Specifically, Fable tracks alerts for U.S. Social Security Numbers found in unencrypted or unredacted form in files or messages.

Integration & Required Scopes:

  • Google Workspace: apps.alerts

  • Microsoft 365: SecurityAlert.Read.All


Number of Inadequate PHI Anonymization Alerts (Last Year)

Description: DLP alerts triggered when the employee mishandled protected health information (PHI) as defined by HIPAA. Fable detects these via alerts containing "file containing PHI detected."

Integration & Required Scopes:

  • Google Workspace: apps.alerts

  • Microsoft 365: SecurityAlert.Read.All


Number of Unencrypted Password Storage Alerts (Last Year)

Description: DLP alerts where the employee stored passwords in plain text — for example, in a spreadsheet, document, or email.

Integration & Required Scopes:

  • Google Workspace: apps.alerts

  • Microsoft 365: SecurityAlert.Read.All


DLP Alerts

Description: Whether the employee triggered Data Loss Prevention alerts of any type. This attribute is parameterized: Lookback: 7 / 30 / 90 days · Threshold: 1 / 5 / 10 alerts.

Integration & Required Scopes:

  • Google Workspace: apps.alerts

  • Microsoft 365: SecurityAlert.Read.All

  • Netskope: /api/v2/dataexport/events/alert (Read), /api/v2/events/data/alert (Read)


12. Application Access & Usage

These attributes describe which applications employees use and have access to, primarily sourced from Okta SSO logs.

Apps Used in Last 3 Months

Description: Applications the employee actively logged into via SSO in the past 90 days, based on Okta authentication logs.

Integration & Required Scopes:

  • Okta: okta.logs.read


Unused Assigned Apps in Last 3 Months

Description: Applications assigned to the employee in Okta that they have not used in the past 90 days. This helps identify over-provisioned access that could be reduced.

Integration & Required Scopes:

  • Okta: okta.appAssignments.read, okta.apps.read


Crown Jewel Application Access

Description: Whether the employee accessed critical business applications ("crown jewels") via SSO. Crown jewel apps are high-value platforms that contain sensitive data or infrastructure access. This attribute is parameterized: App: Any / AWS / Azure / Databricks / GCP / Oracle / SAP / Snowflake / Workday.

Integration & Required Scopes:

  • Okta: okta.logs.read


13. Data Breach Exposure

These attributes detect whether employee credentials or personal data have appeared in known data breaches, sourced from Have I Been Pwned (HIBP). HIBP is managed by Fable — no customer scopes are required.

Latest Date of Password Exposure

Description: The most recent breach in which the employee's work email password was exposed.

Integration & Required Scopes:

  • HIBP (Have I Been Pwned): Managed by Fable — no customer scopes required


Latest Date of Email Exposure

Description: The most recent breach in which the employee's work email address appeared.

Integration & Required Scopes:

  • HIBP: Managed by Fable — no customer scopes required


Latest Date of Phone Exposure

Description: The most recent breach in which the employee's phone number was exposed.

Integration & Required Scopes:

  • HIBP: Managed by Fable — no customer scopes required


Latest Date of Recovery Email Exposure

Description: The most recent breach in which the employee's recovery email appeared.

Integration & Required Scopes:

  • HIBP: Managed by Fable — no customer scopes required


Latest Date of Recovery Email Password Exposure

Description: The most recent breach in which the password for the employee's recovery email was exposed.

Integration & Required Scopes:

  • HIBP: Managed by Fable — no customer scopes required


Recovery Email Addresses with Password Exposure (Last 6 Months)

Description: Recovery email addresses associated with the employee that had passwords exposed in breaches in the last 6 months.

Integration & Required Scopes:

  • HIBP: Managed by Fable — no customer scopes required


Data Breach Exposure

Description: Whether the employee's credentials or personal data appeared in data breaches, with granular category filtering. Breach categories include: Credentials (usernames/passwords), Demographics (age, gender), Financial (credit cards, bank accounts), Identity (SSN, passport numbers), Personal Contact (addresses, phone numbers), Professional (employer, job title), and Sensitive Personal (health records, political views). This attribute is parameterized: Lookback: 90 / 180 / 365 days · Threshold: 1 / 5 / 10 breaches · Category: Any / Credentials / Demographics / Financial / Identity / Other / Personal Contact / Professional / Sensitive Personal.

Integration & Required Scopes:

  • HIBP: Managed by Fable — no customer scopes required


14. Proofpoint Email Threat Signals

These attributes incorporate email security intelligence from Proofpoint TAP and Proofpoint SAT (ZenGuide).

Proofpoint Top Clicker

Description: Whether the employee is classified by Proofpoint as a top clicker — someone who frequently clicks malicious links in email, indicating a higher susceptibility to email-borne attacks.

Integration & Required Scopes:

  • Proofpoint TAP: Service Principal credentials (Read access to /v2/people/top-clickers)


Proofpoint Top Clicker (Parameterized)

Description: Detects employees who frequently click malicious links, with configurable thresholds for click count and type. Click types can be filtered to only blocked clicks, only permitted clicks, or any clicks. This attribute is parameterized: Lookback: 7 / 30 / 90 days · Threshold: 1 / 5 / 25 clicks · Click Type: Any / Blocked / Permitted.

Integration & Required Scopes:

  • Proofpoint TAP: Service Principal credentials (Read access to /v2/people/top-clickers, /v2/siem/clicks/blocked)


15. Fable Platform Signals

These attributes are generated internally by the Fable platform based on employee engagement with Fable's security training and awareness programs.

Employee Fable Reactivated At

Description: The date the employee was reactivated on the Fable platform after a period of inactivity (e.g., after returning from leave or being re-onboarded).

Integration & Required Scopes:

  • Fable (internal): No customer scopes required


Briefing Incomplete Rate

Description: Whether the employee is not completing their assigned Fable security briefings. Fable calculates this as: (incomplete briefings ÷ delivered briefings) × 100. A briefing is considered incomplete if its status is anything other than "Completed" or "Skipped." Only employees who have received the minimum number of briefings are evaluated. This attribute is parameterized: Lookback: 30 / 60 / 90 days · Incomplete Rate Threshold: 20% / 40% / 60% · Minimum Delivered: 1 / 3 / 5 briefings.

Integration & Required Scopes:

  • Fable (internal): No customer scopes required


Compliance Training Overdue

Description: Whether the employee has overdue compliance training assignments. Fable checks each assigned course's due date against today's date — any course where the due date has passed and the completion status is not "Completed" is counted as overdue. This attribute is parameterized: Threshold: 1 / 3 / 5 days overdue · Course Status: Active / Any.

Integration & Required Scopes:

  • Fable (internal): Internal course data

  • Proofpoint SAT (ZenGuide): API token with Reporting permission (for external training data)


17. Integration Quick Reference

The table below summarizes which integrations supply data for each attribute category.

Columns (integrations): Google Workspace, Microsoft 365, Okta, CrowdStrike, HIBP, Proofpoint TAP, Proofpoint SAT, Netskope, Workday, BambooHR, On-Prem Directory, Fable

Rows (attribute categories): Directory & Identity, MFA & Authentication, Password Security, Login Behavior, Device Posture, Phishing & Malware, Endpoint Detection, Email & Data Sharing, File Activity & AI Usage, Browser Security, DLP, App Access & Usage, Breach Exposure, Email Threat Signals, Cloud/Web Security, Fable Platform Signals


18. Delivery Integrations

The following integrations are used exclusively for delivering security briefings and training content to employees. They do not contribute employee attributes to the Risk Engine.

Slack (Admin)

Description: Deliver security briefings to employees via the Fable Slack app.

Required Scopes:

  • Workspace identity, send messages as @fable_security


Slack (User Account)

Description: Deliver security briefings via a dedicated Fable user account for higher engagement.

Required Scopes:

  • Send messages on behalf of the Fable user account


Microsoft Teams

Description: Deliver security briefings to employees via the Fable Teams app.

Required Scopes:

  • AppCatalog.ReadWrite.All (delegate), User.Read.All (application)


Google Chat

Description: Deliver security briefings to employees via Google Chat DMs.

Required Scopes:

  • chat.spaces