Panther can fetch events by querying the G Suite Reports API. Panther queries the G Suite Reports API for new events every 1 minute.
In order for Panther to access the API, you need to create a new 'G Suite App' and provide the app credentials to Panther.
Go to Google API Console
Click Create Project
Enter a project name e.g. Panther Integration. Make sure that the organization you want to monitor is selected under Organization. Click on Create
It will take a few seconds to create the project. Once created, you will get an on-screen notification.
Go again to Google API Console. Select the project you just created
Click on OAuth consent screen
Select Internal as User Type and click on Create
On the next page, fill in the following information:
Populate the App Name field with a value, e.g.
Populate User support email with your email
Populate Email addresses near the bottom of the page with your email address
Click on Save And Continue
Click on Add Or Remove Scopes
In the Manually add scopes section, paste https://www.googleapis.com/auth/admin.reports.audit.readonly. Click on Add to Table and Update.
Click on Save and Continue
Click Back to Dashboard
You will be navigated back to the dashboard of your new application. Click Dashboard
Click on Enable APIs and Services
In the search bar type Admin SDK API
Click on Admin SDK API, then click Enable
You will be navigated to another screen. Once this happens, just go to Google API Console again and select your project like you did in Step #5
Click on Create Credentials
Click on OAuth client ID
In the new screen select as Application Type Desktop App and type in a friendly name e.g.
Click on Create
A pop-up screen will display the Client ID and Client Secret. Keep note of the Client ID and Client Secret! You will need to provide them in the Panther UI to pull your reports.
Log in to your Panther account
Go to Log analysis > Sources from the sidebar menu
Click Add Source
Select G Suite from the list of available types
In the next screen enter the following:
Friendly name for the source e.g. My GSuite logs
Select the GSuite applications you want to monitor
Then click Next
The next page asks you to enter the App Client ID and the Client Secret that you acquired from GSuite
Click on Next
Click on the Click here to authorize Panther to collect GSuite logs link.
This will open a new tab, where you authorize the GSuite App you created earlier to pull GSuite logs from your account. Authorize the app and copy the authorization code from the screen
Enter the Authorization code that you copied earlier in the Panther UI
Click on Next and then Save source.
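After authorizing, you can confirm that the grant carries only the read-only audit scope added in the consent-screen step and was issued to the client you created. The following is an added example, not Panther's code: it audits a response from Google's tokeninfo endpoint. The field names (`scope`, `aud`, `expires_in`) are assumed from that endpoint's output, and the client ID and sample responses are constructed.

```python
"""Audit a Google tokeninfo response for the integration's OAuth grant."""

# The single scope this guide adds on the OAuth consent screen.
REQUIRED_SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"

# Constructed placeholder client ID and sample tokeninfo responses.
CLIENT_ID = "000000000000-example.apps.googleusercontent.com"
GOOD = {"aud": CLIENT_ID, "scope": REQUIRED_SCOPE, "expires_in": "3400"}
OVERBROAD = {
    "aud": CLIENT_ID,
    "scope": REQUIRED_SCOPE
    + " https://www.googleapis.com/auth/admin.directory.user",
    "expires_in": "3400",
}


def audit_grant(tokeninfo, expected_client_id):
    """Return a list of findings; an empty list means the grant looks right."""
    findings = []
    granted = set(tokeninfo.get("scope", "").split())

    if REQUIRED_SCOPE not in granted:
        findings.append("missing required scope: " + REQUIRED_SCOPE)
    # Anything beyond the read-only audit scope is more access than
    # log collection needs.
    for extra in sorted(granted - {REQUIRED_SCOPE}):
        findings.append("unexpected extra scope: " + extra)

    # "aud" names the OAuth client the token was issued to.
    if tokeninfo.get("aud") != expected_client_id:
        findings.append("token issued to a different client: %r"
                        % tokeninfo.get("aud"))

    # Remaining lifetime in seconds; accept either a string or a number.
    try:
        if int(tokeninfo.get("expires_in", 0)) <= 0:
            findings.append("token is expired")
    except (ValueError, TypeError):
        findings.append("unparseable expires_in")
    return findings


if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("overbroad", OVERBROAD)):
        print(name, audit_grant(sample, CLIENT_ID) or "OK")
```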