G Suite

Panther can fetch events by querying the G Suite Reports API. It queries the API for new events every 1 minute.

In order for Panther to access the API, you need to create a new 'G Suite App' and provide the app credentials to Panther.

Create a new G Suite App

The steps below can only be performed if your G Suite user has permissions to see your organization's Reports. If your user doesn't have such permissions, you can follow the steps here in order to create a new role with Reports access and assign the role to your user.

  1. Click Create Project

  2. Enter a project name, e.g. Panther Integration. Make sure that the organization you want to monitor is selected under Organization. Click on Create.

  3. It will take a few seconds to create the project. Once created, you will get an on-screen notification.

  4. Go to the Google API Console again and select the project you just created.

  5. Click on OAuth consent screen

  6. Select Internal as User Type and click on Create

  7. On the next page, just populate the Application Name field with a value, e.g. Panther Integration

  8. Go to the bottom of the page and click on Save

  9. You will be navigated back to the dashboard of your new application. Click Dashboard

  10. Click on Enable APIs and Services

  11. In the search bar type Admin SDK

  12. Click on Admin SDK, then click Enable

  13. You will be navigated to another screen. Once this happens, just go to Google API Console again and select your project like you did in Step #5

  14. Click on Create Credentials

  15. Click on OAuth client ID

  16. On the new screen, select Desktop App as the Application Type and type in a friendly name, e.g. Panther

  17. Click on Create

  18. A pop-up screen will display the Client ID and Client Secret. Keep note of the Client ID and Client Secret! You will need to provide them in the Panther UI to pull your reports.

Create a new G Suite source in Panther

  1. Log in to your Panther account

  2. Go to Log analysis > Sources from the sidebar menu

  3. Click Add Source

  4. Select G Suite from the list of available types

  5. In the next screen enter the following:

    1. Friendly name for the source e.g. My GSuite logs

    2. Select the GSuite applications you want to monitor

      Then click Next

  6. The next page asks you to enter the App Client ID and the Client Secret that you acquired from GSuite

  7. Click on Next

  8. Click on the Click here to authorize Panther to collect GSuite logs link.

    This will open a new tab, where you authorize the GSuite App you created earlier to pull GSuite logs from your account. Authorize the app and copy the authorization code from the screen

  9. Enter the Authorization code that you copied earlier in the Panther UI

  10. Click on Next and then Save source.
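
To see what a one-minute poll of the Reports API returns for a selected application, the following added example (not Panther's code, and not part of the original page) builds an `activities.list` request URL for one window and flattens a response into one record per event. The helper names `poll_url` and `flatten` and the sample response are assumptions made for illustration; whether Panther uses these exact query parameters is not stated on this page.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Admin SDK Reports API, activities.list endpoint ("all" = every user).
BASE = "https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/"
FMT = "%Y-%m-%dT%H:%M:%SZ"  # RFC 3339 timestamp in UTC

def poll_url(application, window_end, minutes=1):
    """Hypothetical helper: request URL for one polling window of one application."""
    end = window_end.astimezone(timezone.utc)
    start = end - timedelta(minutes=minutes)
    query = urlencode({"startTime": start.strftime(FMT), "endTime": end.strftime(FMT)})
    return f"{BASE}{application}?{query}"

def flatten(response):
    """Hypothetical helper: one flat record per event in an activities.list response."""
    records = []
    for item in response.get("items", []):  # "items" is absent for an empty window
        for event in item.get("events", []):
            # Parameters carry their value under a type-specific key.
            params = {p["name"]: p.get("value", p.get("boolValue"))
                      for p in event.get("parameters", [])}
            records.append({
                "time": item["id"]["time"],
                "application": item["id"]["applicationName"],
                "actor": item.get("actor", {}).get("email"),
                "ip": item.get("ipAddress"),  # not present on every activity
                "event": event["name"],
                "params": params,
            })
    return records

# Constructed sample response for the "login" application (not real data).
SAMPLE = {"kind": "admin#reports#activities", "items": [
    {"id": {"time": "2024-05-01T11:59:30.000Z", "applicationName": "login"},
     "actor": {"email": "alice@example.com"}, "ipAddress": "203.0.113.7",
     "events": [{"type": "login", "name": "login_failure",
                 "parameters": [{"name": "login_type", "value": "google_password"}]}]},
    {"id": {"time": "2024-05-01T11:59:45.000Z", "applicationName": "login"},
     "actor": {"email": "alice@example.com"},
     "events": [{"type": "login", "name": "login_success",
                 "parameters": [{"name": "is_suspicious", "boolValue": False}]}]},
]}

if __name__ == "__main__":
    print(poll_url("login", datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)))
    for record in flatten(SAMPLE):
        print(record)
```

A real request also needs an `Authorization: Bearer` header carrying the access token obtained through the OAuth client created above.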