Employee Attribute Library

Last updated: April 23, 2026

This document catalogs every employee attribute that Fable Security computes, including the integration source, required API scopes, and a description of what each attribute represents.


1. Directory & Identity

Groups Member Of

Description: Lists all directory groups an employee belongs to, used for access-based cohort building and risk segmentation.

  • Google Workspace — admin.directory.group.readonly, admin.directory.group.member.readonly

  • Microsoft 365 — Group.Read.All, GroupMember.Read.All

  • On-Prem Directory — On-Prem Directory CSV upload (no OAuth scopes)


Employee Department

Description: The employee's department as recorded in the identity provider directory (e.g., "Engineering", "Sales", "Finance").

  • Google Workspace — admin.directory.user.readonly, admin.directory.orgunit.readonly

  • Microsoft 365 — Directory.Read.All, User.Read.All

  • Okta — okta.users.read

  • Workday — Organizations & Roles, System

  • BambooHR — Job Information (View Only)

  • On-Prem Directory — On-Prem Directory CSV upload (no OAuth scopes)


Employment Status

Description: Classifies whether an employee is Full-Time, Contractor, or Consultant based on job title keywords in the directory.

  • Google Workspace — admin.directory.user.readonly

  • Microsoft 365 — Directory.Read.All, User.Read.All

  • Okta — okta.users.read

  • Workday — Staffing, System

  • BambooHR — Employment Status (View Only)

  • On-Prem Directory — On-Prem Directory CSV upload (no OAuth scopes)


Is VIP

Description: Identifies whether an employee holds a senior leadership position. Checks for C-level titles first, then pattern-matches for "Chief", "Director", "VP", "Head of", and similar titles.

  • Google Workspace — admin.directory.user.readonly

  • Microsoft 365 — Directory.Read.All, User.Read.All

  • Okta — okta.users.read

  • Workday — Jobs & Positions, System

  • BambooHR — Job Information (View Only)

  • On-Prem Directory — On-Prem Directory CSV upload (no OAuth scopes)


Is C-Level Executive

Description: Identifies employees with C-suite titles (CEO, CTO, CFO, CISO, CIO, COO, etc.) based on job title matching.

  • Google Workspace — admin.directory.user.readonly

  • Microsoft 365 — Directory.Read.All, User.Read.All

  • Okta — okta.users.read

  • Workday — Jobs & Positions, System

  • BambooHR — Job Information (View Only)

  • On-Prem Directory — On-Prem Directory CSV upload (no OAuth scopes)


Employee Start Date

Description: The date the employee started at the organization, sourced from the HR or identity provider directory.

  • Google Workspace — admin.directory.user.readonly

  • Microsoft 365 — Directory.Read.All, User.Read.All

  • Okta — okta.users.read

  • Workday — Staffing, System

  • BambooHR — Hire Date (View Only)

  • On-Prem Directory — On-Prem Directory CSV upload (no OAuth scopes)


Has IT Admin Access

Description: Indicates whether the employee has been assigned an IT administrator role in the identity provider. Checks for admin or delegated admin flags in the directory record.

  • Google Workspace — admin.directory.user.readonly, admin.directory.rolemanagement.readonly


Employee Role Responsibilities

Description: A summary of the employee's role and associated responsibilities, derived from directory profile data.

  • Google Workspace — admin.directory.user.readonly

  • Microsoft 365 — Directory.Read.All, User.Read.All

  • Okta — okta.users.read

  • Workday — Worker Profile and Skills, System

  • BambooHR — Job Information (View Only)

  • On-Prem Directory — On-Prem Directory CSV upload (no OAuth scopes)


Work Location City

Description: The city where the employee is primarily located, as recorded in their directory profile.

  • Google Workspace — admin.directory.user.readonly

  • Microsoft 365 — Directory.Read.All, User.Read.All

  • Workday — Organizations & Roles, System


Work Location Country

Description: The country where the employee is primarily located.

  • Google Workspace — admin.directory.user.readonly

  • Microsoft 365 — Directory.Read.All, User.Read.All

  • Workday — Organizations & Roles, System


Work Location Country Region

Description: The state or region within the employee's country of work.

  • Google Workspace — admin.directory.user.readonly

  • Microsoft 365 — Directory.Read.All, User.Read.All

  • Workday — Organizations & Roles, System


Business Entity

Description: The business entity or subsidiary the employee belongs to within the organization.

  • Google Workspace — admin.directory.user.readonly, admin.directory.orgunit.readonly

  • Microsoft 365 — Directory.Read.All, User.Read.All

  • Workday — Organizations & Roles, System


2. Employment & Role Information

Is Current Employee

Description: Whether the employee is currently active in the organization's directory.

  • Google Workspace — admin.directory.user.readonly

  • Microsoft 365 — Directory.Read.All, User.Read.All

  • Okta — okta.users.read

  • Workday — Staffing, System

  • BambooHR — Basic Info: Status (View Only)

  • On-Prem Directory — On-Prem Directory CSV upload (no OAuth scopes)


Employee Type

Description: The type of worker (e.g., Employee, Contractor, Intern) as recorded in the identity provider.

  • Google Workspace — admin.directory.user.readonly

  • Microsoft 365 — Directory.Read.All, User.Read.All

  • Okta — okta.users.read

  • Workday — Staffing, System

  • BambooHR — Employment Status (View Only)


Employee Job Title

Description: The employee's job title as recorded in the identity provider directory.

  • Google Workspace — admin.directory.user.readonly

  • Microsoft 365 — Directory.Read.All, User.Read.All

  • Okta — okta.users.read

  • Workday — Jobs & Positions, System

  • BambooHR — Job Information (View Only)

  • On-Prem Directory — On-Prem Directory CSV upload (no OAuth scopes)


Employee Organization

Description: The organizational unit or division the employee belongs to.

  • Google Workspace — admin.directory.user.readonly, admin.directory.orgunit.readonly

  • Microsoft 365 — Directory.Read.All, User.Read.All

  • Okta — okta.users.read

  • Workday — Organizations & Roles, System

  • BambooHR — Job Information: Department (View Only)


Manager Email

Description: The email address of the employee's direct manager, used for org hierarchy mapping.

  • Google Workspace — admin.directory.user.readonly

  • Microsoft 365 — Directory.Read.All, User.Read.All

  • Okta — okta.users.read

  • Workday — Organizations & Roles, System

  • BambooHR — Job Information: Reporting to (View Only)


Chain of Command Emails

Description: The list of email addresses in the employee's management chain, from their direct manager up through the org hierarchy.

  • Google Workspace — admin.directory.user.readonly

  • Microsoft 365 — Directory.Read.All, User.Read.All

  • Okta — okta.users.read

  • Workday — Organizations & Roles, System


Employee Fable Reactivated At

Description: The date when a previously deactivated employee was reactivated in the Fable platform.

  • Fable — Internal platform data (no external scopes)


3. MFA & Authentication

MFA Types

Description: The types of multi-factor authentication methods enrolled for the employee (e.g., TOTP, push notification, hardware key).

  • Okta — okta.factors.read

  • Google Workspace — admin.directory.user.readonly

  • Microsoft 365 — UserAuthenticationMethod.Read.All


Google MFA Types Used to Login

Description: The specific MFA types the employee has used for Google Workspace logins in the last 3 months.

  • Google Workspace — admin.directory.user.readonly


Apps with MFA Enabled

Description: Lists which applications the employee has MFA enabled for, based on authentication factor enrollment.

  • Okta — okta.factors.read

  • Google Workspace — admin.directory.user.readonly

  • Microsoft 365 — UserAuthenticationMethod.Read.All


Apps with MFA Not Enforced

Description: Applications where MFA is available but not enforced for the employee, representing a potential security gap.

  • Okta — okta.factors.read

  • Google Workspace — admin.directory.user.readonly

  • Microsoft 365 — UserAuthenticationMethod.Read.All


Apps with Weak MFA Usage

Description: Applications where the employee is using non-phishing-resistant MFA methods (e.g., SMS, email OTP, or TOTP) instead of stronger methods like hardware keys or WebAuthn.

  • Okta — okta.factors.read, okta.logs.read


Latest Date of Okta Password Change

Description: The most recent date the employee changed their Okta password.

  • Okta — okta.users.read


4. Password Security

Has Weak Password (Google)

Description: Indicates whether the employee has a weak password in Google Workspace, based on Google's password strength assessment.

  • Google Workspace — admin.reports.usage.readonly


Has Non-Compliant Password (Google)

Description: Indicates whether the employee's Google Workspace password does not meet the organization's password policy requirements.

  • Google Workspace — admin.reports.usage.readonly


Has Reused Password

Description: Indicates whether the employee has reused a password across multiple sites, detected via Chrome browser activity reporting.

  • Google Workspace — admin.reports.usage.readonly (Chrome browser reporting must be enabled)


Has Compromised Password

Description: Indicates whether the employee has a compromised password detected through CrowdStrike Identity Protection risk factor analysis.

  • CrowdStrike — Hosts (Read), Identity Protection Assessment (Read), Identity Protection Entities (Read), Identity Protection GraphQL (Write)


Risk Factors

Description: CrowdStrike Identity Protection risk factors associated with the employee, including credential exposure, password hygiene, and identity-based threats.

  • CrowdStrike — Hosts (Read), Identity Protection Assessment (Read), Identity Protection Entities (Read), Identity Protection GraphQL (Write)


5. Device Security & Posture

Device OS

Description: The operating system(s) of all devices registered to the employee.

  • Google Workspace — admin.directory.device.mobile.readonly

  • Microsoft 365 — Device.Read.All, DeviceManagementManagedDevices.Read.All


Active Device OS

Description: The operating system(s) of devices the employee has actively used recently.

  • Google Workspace — admin.directory.device.mobile.readonly

  • Microsoft 365 — Device.Read.All, DeviceManagementManagedDevices.Read.All


Device Security Patch Level

Description: The security patch level of the employee's devices, indicating how up-to-date their devices are.

  • Google Workspace — admin.directory.device.mobile.readonly

  • Microsoft 365 — Device.Read.All, DeviceManagementManagedDevices.Read.All


Number of Devices Without Password

Description: Count of the employee's registered devices that do not have a password or passcode set.

  • Google Workspace — admin.directory.device.mobile.readonly

  • Microsoft 365 — Device.Read.All, DeviceManagementManagedDevices.Read.All


Number of Compromised Devices

Description: Count of the employee's devices that have been detected as compromised (jailbroken, rooted, or infected).

  • Google Workspace — admin.directory.device.mobile.readonly

  • Microsoft 365 — Device.Read.All, DeviceManagementManagedDevices.Read.All


Number of Unencrypted Devices

Description: Count of the employee's devices that do not have disk encryption enabled.

  • Google Workspace — admin.directory.device.mobile.readonly

  • Microsoft 365 — Device.Read.All, DeviceManagementManagedDevices.Read.All


Number of Unmanaged Devices

Description: Count of devices associated with the employee that are not enrolled in the organization's device management system.

  • Google Workspace — admin.directory.device.mobile.readonly

  • Microsoft 365 — Device.Read.All, DeviceManagementManagedDevices.Read.All


Number of Non-Compliant Devices

Description: Count of the employee's devices that fail to meet the organization's device compliance policies.

  • Google Workspace — admin.directory.device.mobile.readonly

  • Microsoft 365 — Device.Read.All, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All


Number of Devices

Description: Total count of devices registered to the employee, used to identify employees with an unusually large device footprint.

  • Google Workspace — admin.directory.device.mobile.readonly

  • Microsoft 365 — Device.Read.All, DeviceManagementManagedDevices.Read.All


6. Login Activity & Access Patterns

Has Suspicious Login

Description: Indicates whether the employee has had a login flagged as suspicious (e.g., impossible travel, anonymous IP, leaked credentials) in the last 3 months.

  • Google Workspace — admin.reports.audit.readonly

  • Microsoft 365 — AuditLog.Read.All, IdentityRiskEvent.Read.All


Last Login Date

Description: The most recent date the employee logged into any monitored workspace application.

  • Google Workspace — admin.reports.audit.readonly

  • Microsoft 365 — AuditLog.Read.All


Number of IP Addresses Used

Description: Count of distinct IP addresses the employee has logged in from in the last 3 months.

  • Google Workspace — admin.reports.audit.readonly

  • Microsoft 365 — AuditLog.Read.All


Number of Cities Logged In From

Description: Count of distinct cities the employee has logged in from in the last 3 months, used to detect unusual travel patterns.

  • Google Workspace — admin.reports.audit.readonly

  • Microsoft 365 — AuditLog.Read.All


Has Login Outside USA

Description: Indicates whether the employee has logged in from outside the United States in the last 3 months.

  • Google Workspace — admin.reports.audit.readonly

  • Microsoft 365 — AuditLog.Read.All


Login from At-Risk Countries

Description: Detects logins from a predefined list of high-risk countries (China, Netherlands, Nigeria, North Korea, Iran, Russia) in the last 3 months.

  • Google Workspace — admin.reports.audit.readonly

  • Microsoft 365 — AuditLog.Read.All


7. Email & Communication Security

Forwards Inbox Externally

Description: Indicates whether the employee has an email forwarding rule configured to send mail to an external address, which can be a data exfiltration risk.

  • Google Workspace — gmail.settings.basic

  • Microsoft 365 — MailboxSettings.Read


Number of Externally Sent Emails with Attachments

Description: Count of emails with attachments sent to external recipients in the last 2 months.

  • Microsoft 365 — Mail.ReadBasic.All


Number of Unapproved Externally Sent Emails with Attachments

Description: Count of emails with attachments sent to unapproved external domains in the last 2 months.

  • Microsoft 365 — Mail.ReadBasic.All


8. Phishing & Malware Detection

Latest Date of Phishing Attack

Description: The most recent date a phishing email targeting this employee was detected, within the last 3 months.

  • Google Workspace — apps.alerts

  • Microsoft 365 — SecurityAlert.Read.All


Latest Date of Malware Attack

Description: The most recent date a malware-bearing email targeting this employee was detected, within the last 3 months.

  • Google Workspace — apps.alerts

  • Microsoft 365 — SecurityAlert.Read.All


Number of Phishing Reports

Description: Count of phishing emails reported by or targeting this employee in the last 3 months.

  • Google Workspace — gmail.metadata


Number of Malware Attacks

Description: Count of malware incidents associated with this employee in the last 3 months.

  • Google Workspace — apps.alerts

  • Microsoft 365 — SecurityAlert.Read.All


Number of Phishing Attacks

Description: Total count of classified phishing attempts targeting this employee in the last 3 months.

  • Google Workspace — apps.alerts

  • Microsoft 365 — SecurityAlert.Read.All


Number of Potential Employee Spoofing Attempts

Description: Count of emails detected as potential spoofing of this employee's identity in the last 3 months.

  • Google Workspace — apps.alerts

  • Microsoft 365 — SecurityAlert.Read.All


Number of Malicious URL Click Alerts

Description: Count of alerts generated when this employee clicked on a malicious URL in the last 3 months.

  • Microsoft 365 — SecurityAlert.Read.All


Number of Unreported Phishing or Malware Attacks

Description: Count of phishing or malware attacks targeting the employee in the last year that were not reported by the employee. Helps identify employees who may need additional security awareness training on recognizing and reporting threats.

  • Proofpoint TAP — /v2/siem/messages/blocked, /v2/siem/issues

  • Fable — Internal platform data (no external scopes)


9. Browser Security

Installed Browser Extensions

Description: List of all browser extensions currently installed by the employee, detected via Chrome browser reporting.

  • Google Workspace — admin.reports.usage.readonly (Chrome browser reporting must be enabled)


Known Currently Installed Blocklisted Browser Extensions

Description: Browser extensions installed by the employee that appear on the organization's blocklist or Fable's internal blocklist. Checks client-specific blocklist first, then falls back to Fable's curated blocklist.

  • Google Workspace — admin.reports.usage.readonly (Chrome browser reporting must be enabled)


Number of Unsafe Websites Visited

Description: Count of unsafe or potentially malicious websites the employee has visited in the last 3 months, detected via Chrome browser reporting.

  • Google Workspace — admin.reports.usage.readonly (Chrome browser reporting must be enabled)


10. Data Loss Prevention

Number of Inadequate PII Anonymization Alerts

Description: Count of alerts where the employee was involved in inadequate anonymization of Personally Identifiable Information (PII) in the last year.

  • Google Workspace — apps.alerts

  • Microsoft 365 — SecurityAlert.Read.All


Number of Unencrypted Password Storage Alerts

Description: Count of alerts where the employee stored passwords in unencrypted form in the last year.

  • Google Workspace — apps.alerts

  • Microsoft 365 — SecurityAlert.Read.All


Number of Inadequate PHI Anonymization Alerts

Description: Count of alerts where the employee was involved in inadequate anonymization of Protected Health Information (PHI) in the last year.

  • Google Workspace — apps.alerts

  • Microsoft 365 — SecurityAlert.Read.All


11. Application Access & Usage

Apps Used in Last 3 Months

Description: List of applications the employee has accessed via SSO in the last 3 months.

  • Okta — okta.apps.read, okta.logs.read


Unused Assigned Apps in Last 3 Months

Description: Applications assigned to the employee that they have not accessed in the last 3 months, representing potential access that could be revoked.

  • Okta — okta.apps.read, okta.appAssignments.read, okta.logs.read


12. Data Breach Exposure (HIBP)

Latest Date of Password Exposure

Description: The most recent date the employee's password was found in a known data breach, sourced from Have I Been Pwned.

  • HIBP — Managed by Fable (no customer scopes required)


Latest Date of Email Exposure

Description: The most recent date the employee's email address was found in a known data breach.

  • HIBP — Managed by Fable (no customer scopes required)


Latest Date of Phone Exposure

Description: The most recent date the employee's phone number was found in a known data breach.

  • HIBP — Managed by Fable (no customer scopes required)


Latest Date of Recovery Email Exposure

Description: The most recent date the employee's recovery email address was found in a known data breach.

  • HIBP — Managed by Fable (no customer scopes required)


Latest Date of Recovery Email Password Exposure

Description: The most recent date the password associated with the employee's recovery email was found in a known data breach.

  • HIBP — Managed by Fable (no customer scopes required)


Addresses of Recovery Email Password Exposure

Description: The recovery email addresses whose associated passwords were found in data breaches in the last 6 months.

  • HIBP — Managed by Fable (no customer scopes required)


13. File Activity & Data Sharing

Number of Files Downloaded

Description: Count of files the employee has downloaded in the last 3 months, detected via Google Drive activity reporting.

  • Google Workspace — admin.reports.audit.readonly


Number of Documents Shared Externally

Description: Count of documents the employee has shared with external recipients in the last 2 months.

  • Google Workspace — admin.reports.audit.readonly


Number of File Uploads to Generative AI

Description: Count of files the employee has uploaded to generative AI services (e.g., ChatGPT, Bard) in the last 3 months, detected via Chrome browser reporting or Netskope CASB.

  • Google Workspace — admin.reports.usage.readonly (Chrome browser reporting must be enabled)


Latest Date of Activity

Description: The most recent date the employee performed any tracked activity in Google Workspace.

  • Google Workspace — admin.reports.usage.readonly


14. Recovery Email

Has Google Recovery Email

Description: Indicates whether the employee has a recovery email address configured for their Google Workspace account.

  • Google Workspace — admin.directory.user.readonly


Google Recovery Email

Description: The recovery email address configured for the employee's Google Workspace account.

  • Google Workspace — admin.directory.user.readonly


Okta Recovery Email

Description: The recovery email address configured for the employee's Okta account.

  • Okta — okta.users.read


15. CrowdStrike Endpoint Security

Number of Severe Malware Alerts (Last 90 Days)

Description: Count of high-severity malware alerts associated with the employee's endpoints in the last 90 days.

  • CrowdStrike — Alerts (Read), Detections (Read), Hosts (Read)


Number of Severe Virus Alerts (Last 90 Days)

Description: Count of high-severity virus alerts associated with the employee's endpoints in the last 90 days.

  • CrowdStrike — Alerts (Read), Detections (Read), Hosts (Read)


Number of Severe Blocked Exploit Alerts (Last 90 Days)

Description: Count of high-severity blocked exploit alerts associated with the employee's endpoints in the last 90 days.

  • CrowdStrike — Alerts (Read), Detections (Read), Hosts (Read)


Number of Severe Data Theft Alerts (Last 90 Days)

Description: Count of high-severity data theft alerts associated with the employee's endpoints in the last 90 days.

  • CrowdStrike — Alerts (Read), Detections (Read), Hosts (Read)


16. Stale Reports

Stale Reports

Description: Identifies employees whose directory records have not been updated recently, indicating potentially stale or orphaned accounts.

  • On-Prem Directory — On-Prem Directory CSV upload (no OAuth scopes)


17. Behavioral Attributes (Parameterized)

The following attributes are parameterized — they are generated with configurable lookback periods, thresholds, and filters. Each configuration produces multiple attribute variants.

OFAC Country Login Events

Description: Detects employee logins from OFAC-sanctioned countries. Parameterized by lookback period (e.g., 7, 30, 90 days) and event count threshold.

  • Google Workspace — admin.reports.audit.readonly

  • Microsoft 365 — AuditLog.Read.All

  • Okta — okta.logs.read


MFA Not Enabled (Main Workspace)

Description: Identifies employees who do not have MFA enabled for their primary workspace application. Parameterized by lookback period.

  • Google Workspace — admin.directory.user.readonly

  • Microsoft 365 — UserAuthenticationMethod.Read.All


Multiple Country Login Events

Description: Detects employees logging in from multiple countries within a configurable time window, which may indicate credential compromise or impossible travel. Parameterized by lookback period (1, 7, 30 days), country count threshold (3, 5, 10), and result filter (any, failure, success).

  • Google Workspace — admin.reports.audit.readonly

  • Microsoft 365 — AuditLog.Read.All

  • Okta — okta.logs.read


OS Version Current

Description: Checks whether the employee's device operating system is at or above a required version. Parameterized by OS type (Windows, macOS, iOS, iPadOS, Android, Linux) and minimum version threshold.

  • Google Workspace — admin.directory.device.mobile.readonly

  • Microsoft 365 — Device.Read.All, DeviceManagementManagedDevices.Read.All

  • CrowdStrike — Hosts (Read)

  • Okta — okta.devices.read


Crown Jewel App Access

Description: Identifies employees with access to critical business applications. Parameterized by application category: Any, AWS, Azure, Databricks, GCP, Oracle, SAP, Snowflake, or Workday.

  • Okta — okta.apps.read, okta.appAssignments.read, okta.logs.read

  • Google Workspace — admin.reports.audit.readonly


Application Access

Description: Tracks employee access to business applications across identity providers. Similar to Crown Jewel App Access but sourced from both Okta app assignments and Google Workspace SSO/OAuth activity. Parameterized by application category: Any, AWS, Azure, Databricks, GCP, Oracle, SAP, Snowflake, or Workday.

  • Okta — okta.apps.read, okta.appAssignments.read

  • Google Workspace — admin.reports.audit.readonly


Data Breach

Description: Flags employees whose credentials have appeared in data breaches. Parameterized by lookback period (90, 180, 365 days), event count threshold, and breach category (any, credentials, demographics, financial, identity, other, personal contact, professional, or sensitive personal).

  • HIBP — Managed by Fable (no customer scopes required)


Malware Detection Events

Description: Tracks malware detection events associated with an employee's endpoints. Parameterized by lookback period, event count threshold, and malware scenario (any, blocked exploit, data theft, establish persistence, known malware, malicious document, or ransomware).

  • CrowdStrike — Alerts (Read), Detections (Read), Hosts (Read)


File Upload to AI Services

Description: Tracks file uploads to generative AI services. Parameterized by lookback period, upload count threshold, and target domain (Anthropic, ChatGPT, Google Gemini, or any).

  • Google Workspace — admin.reports.usage.readonly (Chrome browser reporting must be enabled)


Proofpoint Top Clicker

Description: Identifies employees flagged as top clickers in Proofpoint TAP, meaning they frequently click on malicious or suspicious links. Parameterized by click type (any, blocked, permitted) and lookback period.

  • Proofpoint TAP — /v2/people/top-clickers, /v2/people/vap, /v2/siem/clicks/blocked


Unsecure Browsing

Description: Tracks unsafe browsing behavior detected via Netskope SWG. Parameterized by lookback period and event count threshold.

  • Netskope — /api/v2/dataexport/events/alert (Read), /api/v2/events/data/alert (Read)


DLP Alert

Description: Tracks Data Loss Prevention alerts associated with the employee. Parameterized by lookback period and alert count threshold.

  • Netskope — /api/v2/dataexport/events/alert (Read), /api/v2/events/data/alert (Read)

  • Google Workspace — apps.alerts


Phishing Simulation Failure Rate

Description: The employee's failure rate on phishing simulations, calculated as (failed ÷ completed) × 100. Only computed for employees above a minimum simulation count. Parameterized by lookback period (30, 60, 90, 180, 365 days), failure rate threshold (20%, 40%, 60%), and minimum completed simulations (1, 2, 3, 5).

  • Fable — Internal platform data (no external scopes)

  • Proofpoint SAT (ZenGuide) — /api/reporting/v0.3.0/phishing_extended (Reporting permission)


Phishing Simulation Reporting Rate

Description: The employee's reporting rate on phishing simulations, calculated as (reported ÷ completed) × 100. Only computed for employees above a minimum simulation count. Parameterized by lookback period (30, 60, 90, 180, 365 days), reporting rate threshold (20%, 40%, 60%), and minimum completed simulations (1, 2, 3, 5).

  • Fable — Internal platform data (no external scopes)

  • Proofpoint SAT (ZenGuide) — /api/reporting/v0.3.0/phishing_extended (Reporting permission)


Briefing Incomplete

Description: Tracks the rate of incomplete Fable security briefings for the employee, calculated as (incomplete ÷ delivered) × 100. Excludes "Completed" and "Skipped" statuses. Parameterized by lookback period (30, 60, 90 days), incomplete rate threshold (20%, 40%, 60%), and minimum delivered briefings (1, 3, 5).

  • Fable — Internal platform data (no external scopes)


Compliance Training Overdue

Description: Identifies employees who have overdue compliance training assignments. Parameterized by overdue count threshold (1, 3, 5) and course status filter (Active or Any).

  • Fable — Internal platform data (no external scopes)

  • Proofpoint SAT (ZenGuide) — /api/reporting/v0.3.0/trainingenrollments (Reporting permission)


Malicious Message Detection Events

Description: Tracks malicious message (email, chat) detection events associated with the employee. Parameterized by lookback period and event count threshold.

  • Proofpoint TAP — /v2/siem/messages/blocked, /v2/siem/issues


Password Risk

Description: Identifies employees with password-related risks, including cracked, reused, or shared passwords, detected through password audit analysis. Parameterized by lookback period (30, 60, 90, 180 days) and risk type (cracked, reused, shared, or any).

  • Password Audit Service — Internal password risk assessment integration (customer-specific configuration required)


Integration Quick Reference

Integration — Attribute Categories

  • Google Workspace — Directory, IT Admin, MFA, Login Activity, Email, Phishing, Browser Security, DLP (non-parameterized and parameterized), File Activity, Device, Recovery Email, Application Access (parameterized), Crown Jewel App Access (parameterized), AI File Uploads (parameterized)

  • Microsoft 365 — Directory, MFA, Login Activity, Email, Phishing, DLP (non-parameterized), Device

  • Okta — Directory, MFA, Password, App Access & Usage, Application Access (parameterized), Recovery Email, Login Activity (OFAC/Multiple Country), Device (OS Version)

  • CrowdStrike — Password Security, Endpoint Alerts, Malware Detection, Risk Factors, Device (OS Version)

  • HIBP — Data Breach Exposure (managed by Fable)

  • Proofpoint TAP — Phishing Click Behavior, Malicious Message Detection

  • Proofpoint SAT (ZenGuide) — Phishing Simulation, Training Compliance

  • Netskope — Unsafe Browsing (parameterized), DLP Alerts (parameterized)

  • Workday — Directory, Employment, Role Information

  • BambooHR — Directory, Employment, Role Information

  • On-Prem Directory — Directory, Groups, Stale Reports

  • Password Audit Service — Password Risk (parameterized)

  • Fable — Briefing Completion, Phishing Simulation, Training Compliance, Reactivation


Delivery-Only Integrations

The following integrations are used exclusively for delivering security briefings and training content to employees. They do not contribute employee attributes.

Slack (Admin + User Account)

Used to deliver video briefings and nudge messages directly to employees via Slack DM.

Microsoft Teams

Used to deliver video briefings directly to employees via Teams chat.

Google Chat

Used to deliver video briefings directly to employees via Google Chat DM.