QUESTION

Is there a benefit to using both GSuite.Reports and GSuite.ActivityEvent? Are they duplicates of each other?

ANSWER

New detections should be written for GSuite.ActivityEvent.

The primary difference is that GSuite.ActivityEvent is an ‘unwrapped’ log type, where each Google Workspace event is a single event in Panther. GSuite.Reports is the raw form in which Google Workspace sends these events: it wraps multiple events in one payload, and the individual events can be found in the `events` field, which is an array of each individual event.

The data is indeed the same for both schemas, but the logs in the two schemas do not match one-to-one in the database. This is because of how each schema stores its data, as described in the previous paragraph: GSuite.Reports may hold a slightly smaller number of log rows, because its data is stored in a more "compact" format (multiple events wrapped in one payload), whereas in GSuite.ActivityEvent each event is a single event in Panther.

While Panther currently parses data from Google Workspace integrations into both log types, this repetition does not count towards your ingestion quota. It's worth noting that we don't report metrics in the log source chart for GSuite.ActivityEvent; this decision was made for cost and operational reasons, but the data is still present in the database.

Learn more in the Google Workspace documentation.
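To make the wrapped-versus-unwrapped difference concrete, here is an added illustration (not Panther's own code) of how one GSuite.Reports payload turns into several GSuite.ActivityEvent-style records, and why a detection written for the unwrapped type needs no loop over `events`. The envelope and event layout follow the Google Workspace Reports API activity resource; the exact column names Panther emits for GSuite.ActivityEvent, and the sample payloads, are assumptions.

```python
# Added illustration (not Panther code): how one GSuite.Reports payload
# becomes several GSuite.ActivityEvent records. Envelope/event layout follows
# the Google Workspace Reports API; Panther's exact column names are assumed.
import copy
from typing import Dict, List

# Constructed sample: two Reports payloads wrapping three events in total.
REPORTS_PAYLOADS: List[Dict] = [
    {
        "kind": "admin#reports#activity",
        "id": {"time": "2024-05-01T10:00:00Z", "uniqueQualifier": "1",
               "applicationName": "login", "customerId": "C0example"},
        "actor": {"email": "alice@example.com", "profileId": "100"},
        "ipAddress": "203.0.113.10",
        "events": [
            {"type": "login", "name": "login_failure",
             "parameters": [{"name": "login_type", "value": "google_password"}]},
            {"type": "login", "name": "login_success",
             "parameters": [{"name": "login_type", "value": "google_password"}]},
        ],
    },
    {
        "kind": "admin#reports#activity",
        "id": {"time": "2024-05-01T10:05:00Z", "uniqueQualifier": "2",
               "applicationName": "admin", "customerId": "C0example"},
        "actor": {"email": "bob@example.com", "profileId": "101"},
        "ipAddress": "203.0.113.11",
        "events": [
            {"type": "USER_SETTINGS", "name": "GRANT_ADMIN_PRIVILEGE",
             "parameters": [{"name": "USER_EMAIL", "value": "carol@example.com"}]},
        ],
    },
]


def unwrap(payload: Dict) -> List[Dict]:
    """One Reports payload -> one ActivityEvent-style record per entry in 'events'.
    The envelope (kind, id, actor, ipAddress) is copied onto every record."""
    envelope = {k: v for k, v in payload.items() if k != "events"}
    return [{**copy.deepcopy(envelope), **ev} for ev in payload.get("events", [])]


def unwrap_all(payloads: List[Dict]) -> List[Dict]:
    return [rec for p in payloads for rec in unwrap(p)]


def rule(event: Dict) -> bool:
    """Detection written against the unwrapped shape: no loop over 'events'."""
    return event.get("type") == "login" and event.get("name") == "login_failure"
```

Two Reports rows become three ActivityEvent rows here, which is the row-count gap the answer describes.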