Is there a benefit to using both GSuite.Reports and GSuite.ActivityEvent? Are they duplicates of each other?
All new detections should be written for GSuite.ActivityEvent.

The primary difference is that GSuite.ActivityEvent is an ‘unwrapped’ log type, where each event is a single event in Panther. GSuite.Reports is the raw way that G Suite sends these events; it wraps multiple events in 1 payload, and that can be found in the events field, which is an array of each individual event.
Not all detections have been ported over to the new log type but will be in the longer term.
While Panther currently parses data from G Suite integrations into both log types, this repetition does not count towards your ingestion quota.
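To make the wrapped vs. unwrapped difference concrete, here is an added example (not Panther's code, and not from the answer above) that takes a constructed GSuite.Reports-style payload, splits its `events` array into one record per event the way an unwrapped log type presents them, and runs the same detection logic against both shapes. Plain dicts stand in for Panther's event object; every field name other than `events` (`id`, `actor`, `ipAddress`, `type`, `name`, `parameters`) is an assumption for illustration.

```python
from typing import Any, Dict, Iterator, List

# Constructed sample payload shaped like one wrapped G Suite Reports record:
# a shared envelope (who/when/where) plus several events in the `events` array.
# Only `events` comes from the thread; the other field names are assumptions.
SAMPLE_REPORTS_PAYLOAD: Dict[str, Any] = {
    "id": {"time": "2024-01-01T12:00:00.000Z", "applicationName": "login"},
    "actor": {"email": "user@example.com"},
    "ipAddress": "203.0.113.5",
    "events": [
        {"type": "login", "name": "login_failure",
         "parameters": [{"name": "login_type", "value": "google_password"}]},
        {"type": "login", "name": "login_success",
         "parameters": [{"name": "login_type", "value": "google_password"}]},
    ],
}


def unwrap_reports(payload: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield one flat record per entry in `events`, copying the envelope fields
    (everything except `events`) onto each so no context is lost."""
    envelope = {k: v for k, v in payload.items() if k != "events"}
    for ev in payload.get("events", []):
        record = dict(envelope)
        record.update(ev)
        yield record


def rule(event: Dict[str, Any]) -> bool:
    """Detection written against the unwrapped shape: one event per record,
    so the rule reads the event's own fields directly."""
    return event.get("type") == "login" and event.get("name") == "login_failure"


def rule_against_reports(payload: Dict[str, Any]) -> bool:
    """The same logic written against the wrapped shape has to walk the array
    itself and can only report 'something in this payload matched'."""
    return any(
        ev.get("type") == "login" and ev.get("name") == "login_failure"
        for ev in payload.get("events", [])
    )


def matches(payload: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Unwrap, then apply the per-event rule; returns exactly the events that fired,
    each still carrying actor and ipAddress from the envelope."""
    return [rec for rec in unwrap_reports(payload) if rule(rec)]


if __name__ == "__main__":
    for hit in matches(SAMPLE_REPORTS_PAYLOAD):
        print(hit["name"], hit["actor"]["email"], hit["ipAddress"])
    print("wrapped rule fired:", rule_against_reports(SAMPLE_REPORTS_PAYLOAD))
```

The unwrapped form is what makes a per-event rule simple: `rule()` returns one result per event and the alert carries the matching event plus its envelope, whereas `rule_against_reports()` fires once per payload and has to reconstruct which of the bundled events triggered it.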