Skip to main content
Panther Knowledge Base

Do DisplayName fields in Panther need to have double quotes?

  1. Last updated
  2. Save as PDF

QUESTION

In the release notes for 3.2.2 of panther-analysis, it mentions double quotes for names and IDs the way that bulk download works. Do all DisplayName fields need double quotes now? Do we need to change custom rules/queries yaml files?

ANSWER

This change was introduced because there are some cases where the display name in the Console contains unallowed characters in unquoted YAML strings. When those rules are exported to YAML, the display names must be quoted. Since the exported YAML from the console has to be the same as the panther-analysis repo, the display names in the repo appear quoted as well.

Based on the above, there’s no issue if you are not using quotes, but please ensure the following:

  • The display name doesn’t have any special YAML characters.
  • You aren’t relying on the “Export” option from the Console to be identical to the original YAML file.