What is the difference between the Panther log types GSuite.Reports and GSuite.ActivityEvent?
Is there a benefit to using both
GSuite.ActivityEvent? Are they duplicates of each other?
All new detections should be written for
The primary difference is that
GSuite.ActivityEvent is an ‘unwrapped’ log type, where each event is a single event in Panther.
GSuite.Reports is the raw way that G Suite sends these events; it wraps multiple events in 1 payload, and that can be found in the
events field which is an array of each individual event.
Not all detections have been ported over to the new log type but will be in the longer term.
While Panther currently parses data from G Suite integrations into both log types, this repetition does not count towards your ingestion quota.