When trying to find information from our Google admin logs in Panther, I only see records of the admin#reports#activity type. I would like to see the Google Login activity and Google Drive activity. How can I check which Google Workspace application types I’m receiving?
To do this, run the following SQL query to retrieve a list of application types:
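-- List each Google Workspace application seen in the last 12 weeks and its most recent event time
SELECT id:applicationName, max(p_event_time)
FROM panther_logs.public.gsuite_activityevent
WHERE p_occurs_since(12w)
GROUP BY id:applicationName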
In the Source Configuration in the Panther Console, the Applications field lists all the types of Google Workspace logs that you are getting (access_transparency, admin, login, calendar, etc.).
Panther pulls data from Google's Reports Activities API, which includes admin activity, login activity, token activity, Google Drive activity, and more. This data gets mapped to both the GSuite.ActivityEvent and GSuite.Reports log types.