OTX enrichment schema change in Panther v1.119
Last updated: February 12, 2026
Overview
In Panther v1.119 (scheduled for deployment the week of March 2, 2026), Panther will update the OTX enrichment schema to improve query performance and data accessibility.
The new schema flattens the data model by storing one record per indicator, rather than multiple indicators within arrays. As part of this change, the indicator field will serve as the new primary key for the enrichment.
Action required
Before v1.119 deployment
To prepare for this change, please:
Update your detections and Saved/Scheduled Searches to handle both the old and new OTX enrichment schema versions, or create new detections/searches for the updated schema and keep both in place until the 1.119 release.
See the updated OTX enrichment schema below.
To retrieve full threat context with the new schema, query all indicators associated with a pulse using the pulse id.
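The data-model change above, worked through in code. This is an added example, not Panther's own code: it flattens a pulse carrying an array of indicators into one record per indicator (the new form, with `indicator` as the key), and then shows how grouping those rows by the pulse `id` recovers the full pulse context. The pulse-level field names follow the new-schema record printed on this page; the nested `indicators` array with `indicator`/`type`/`created` sub-fields is an assumption about the pre-v1.119 array form, which the page does not print, and the second pulse is constructed.

```python
from collections import defaultdict

# Constructed sample pulses. Pulse-level fields mirror the v1.119 record on
# this page; the nested "indicators" array and its sub-field names are an
# assumption about the older array form. The second pulse is made up and
# deliberately shares one indicator with the first.
SAMPLE_PULSES = [
    {
        "id": "698af5d8f28d08f2e63399dd",
        "name": "Silent Push Traffic Origin Data Combined with Residential Proxy Data Uncovers Suspicious Chinese VPN",
        "adversary": "",
        "attack_ids": ["T1133", "T1608.004", "T1090", "T1584", "T1608.005"],
        "created": "2026-02-10 09:09:44.803000",
        "modified": "2026-02-10 10:05:27.619000",
        "references": ["https://www.silentpush.com/blog/traffic-origin-chinese-vpn"],
        "tags": ["geolocation spoofing", "residential proxies", "vpn"],
        "tlp": "white",
        "indicators": [
            {"indicator": "lcvpn.sbs", "type": "domain", "created": "2026-02-10 09:09:45.000000"},
            {"indicator": "vpn-mirror.example.invalid", "type": "hostname", "created": "2026-02-10 09:09:46.000000"},
            {"indicator": "203.0.113.7", "type": "IPv4", "created": "2026-02-10 09:09:47.000000"},
        ],
    },
    {
        "id": "constructed-pulse-id-0002",
        "name": "Constructed second pulse sharing one indicator",
        "adversary": "",
        "attack_ids": ["T1090"],
        "created": "2026-02-11 00:00:00.000000",
        "modified": "2026-02-11 00:00:00.000000",
        "references": [],
        "tags": ["vpn"],
        "tlp": "white",
        "indicators": [
            {"indicator": "203.0.113.7", "type": "IPv4", "created": "2026-02-11 00:00:01.000000"},
            {"indicator": "198.51.100.9", "type": "IPv4", "created": "2026-02-11 00:00:02.000000"},
        ],
    },
]

# Pulse-level fields that the flattened record repeats on every row.
PULSE_FIELDS = ("id", "name", "adversary", "attack_ids", "created", "modified",
                "description", "references", "tags", "tlp")


def flatten_pulse(pulse):
    """One record per indicator: copy the pulse-level fields onto each row and
    add the three indicator-level fields of the new schema."""
    rows = []
    for ioc in pulse.get("indicators", []):
        row = {k: pulse[k] for k in PULSE_FIELDS if k in pulse}
        row["indicator"] = ioc["indicator"]
        row["indicator_type"] = ioc["type"]
        row["indicator_created"] = ioc["created"]
        rows.append(row)
    return rows


def flatten_pulses(pulses):
    """Flatten every pulse in a feed batch into the one-row-per-indicator form."""
    return [row for pulse in pulses for row in flatten_pulse(pulse)]


def index_by_indicator(rows):
    """Lookup keyed on the new primary key, `indicator`. The same indicator can
    occur in more than one pulse, so each key maps to a list of rows."""
    index = defaultdict(list)
    for row in rows:
        index[row["indicator"]].append(row)
    return dict(index)


def indicators_for_pulse(rows, pulse_id):
    """Full threat context for one pulse: every flattened row carrying its id."""
    return [row for row in rows if row["id"] == pulse_id]


if __name__ == "__main__":
    flat = flatten_pulses(SAMPLE_PULSES)
    print(len(flat), "rows from", len(SAMPLE_PULSES), "pulses")
    print(sorted(index_by_indicator(flat)))
    for row in indicators_for_pulse(flat, "698af5d8f28d08f2e63399dd"):
        print(row["indicator_type"], row["indicator"])
```

The point of the list-valued index is the one that matters for detections: once `indicator` is the key, a single IOC that several pulses report is no longer one array entry inside one pulse but several rows, so a lookup on it can legitimately return more than one pulse.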
After v1.119 deployment
Once your Panther instance is updated to v1.119:
To start receiving the new schema configuration, you must update your OTX enrichment setup by doing one of the following:
Option 1: Update the existing setup settings and save them.
For example, change the "Refresh period" setting, save the changes (this is sufficient to trigger the new configuration and primary key), and then revert the settings if needed.
Option 2: Delete the existing setup and create it again.
Remove any detection or search logic that references the old schema version.
If no action is taken, the setup will continue to reference the previous primary key, which is no longer available in the new schema and may cause query failures or unexpected behavior.
New schema details
Data ingested after 1.119 will use the new schema and will have the following form:
{
  "p_any_domain_names": [
    "lcvpn.sbs"
  ],
  "p_any_mitre_attack_techniques": [
    "T1090",
    "T1133",
    "T1584",
    "T1608.004",
    "T1608.005"
  ],
  "p_event_time": "2026-02-10 09:09:44.803000",
  "p_log_type": "OTX.Pulses",
  "p_parse_time": "2026-02-10 14:35:03.549523",
  "p_row_id": "562e06f2851a8ab2f5a180ee2bf4e505",
  "p_schema_version": 0,
  "adversary": "",
  "attack_ids": [
    "T1133",
    "T1608.004",
    "T1090",
    "T1584",
    "T1608.005"
  ],
  "created": "2026-02-10 09:09:44.803000",
  "description": "An investigation using Silent Push's Traffic Origin and residential proxy data revealed a suspicious Chinese VPN provider. The analysis focused on IP address 205.198.91.155, which showed unusual traffic from Russia, China, Myanmar, Iran, and Venezuela. This IP was linked to the domain lvcha.in, hosting a Chinese-language VPN. Further investigation uncovered nearly 50 related domains promoting the same VPN, suggesting attempts to bypass country-level firewalls. The VPN's infrastructure was found to use residential proxies and had connections to various high-risk countries. This case study demonstrates the importance of verifying physical and technical behaviors of connections to protect against fraud and state-sponsored actors using stolen identities and spoofed locations.",
  "id": "698af5d8f28d08f2e63399dd",
  "indicator": "lcvpn.sbs",
  "indicator_created": "2026-02-10 09:09:45.000000",
  "indicator_type": "domain",
  "modified": "2026-02-10 10:05:27.619000",
  "name": "Silent Push Traffic Origin Data Combined with Residential Proxy Data Uncovers Suspicious Chinese VPN",
  "references": [
    "https://www.silentpush.com/blog/traffic-origin-chinese-vpn"
  ],
  "tags": [
    "geolocation spoofing",
    "residential proxies",
    "vpn"
  ],
  "tlp": "white"
}
With the new data form, enriched data will look like the following:
{
  "p_enrichment": {
    "otx_pulses": {
      "property1": {
        "adversary": "Smishing Triad",
        "attack_ids": [
          "T1583",
          "T1592",
          "T1566.002",
          "T1589",
          "T1584",
          "T1586",
          "T1608",
          "T1606",
          "T1590",
          "T1566",
          "T1078",
          "T1598",
          "T1585"
        ],
        "created": "2025-10-24 11:22:40.449000000",
        "description": "An extensive smishing campaign attributed to the Smishing Triad is targeting global users with fraudulent toll violation and package misdelivery notices. The operation has expanded beyond the U.S., impersonating international services across critical sectors like banking, healthcare, and law enforcement. The campaign utilizes a decentralized infrastructure with over 194,000 malicious domains registered since January 2024, primarily through a Hong Kong-based registrar. The attack employs sophisticated social engineering tactics and realistic phishing pages to collect sensitive information. The campaign's scale and complexity suggest it is powered by a large phishing-as-a-service operation, posing a widespread threat to individuals worldwide.",
        "id": "68fb61809f3b37a23c463236",
        "indicator": "irs.org.gov-tax.icu",
        "indicator_created": "2025-10-24 11:22:41.000000000",
        "indicator_type": "hostname",
        "industries": [
          "Finance",
          "Healthcare",
          "Government",
          "Retail",
          "Technology",
          "Transportation"
        ],
        "modified": "2025-10-24 11:23:33.820000000",
        "name": "The Smishing Deluge: China-Based Campaign Flooding Global Text Messages",
        "p_match": "irs.org.gov-tax.icu",
        "references": [
          "https://unit42.paloaltonetworks.com/global-smishing-campaign"
        ],
        "tags": [
          "phaas",
          "phishing",
          "smishing"
        ],
        "tlp": "white"
      }
    }
  },
  "p_log_type": "Custom.AnonymusHttp",
  "property1": "irs.org.gov-tax.icu"
}

If you have questions or need assistance updating your setup, please contact Panther Support.
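A Panther-style rule written against the enriched event form shown above, as an added example that is not Panther's own code. It reads `p_enrichment.otx_pulses.<field>` for every event field the enrichment matched, treats each value as one flattened indicator record (the new schema), and surfaces the pulse `id` in the alert context so an analyst can query the rest of that pulse's indicators. `event` is handled as a plain dict so the block runs outside Panther; the `rule`/`title`/`severity`/`alert_context` entry points and the `HIGH`/`MEDIUM` severity strings follow Panther's rule conventions, while the tag watchlist in `HIGH_CONFIDENCE_TAGS` is a constructed choice. The sample event is the one printed on this page, with the `attack_ids` list trimmed.

```python
# Name of the enrichment as it appears under p_enrichment in the sample event.
ENRICHMENT_TABLE = "otx_pulses"

# Constructed watchlist: pulse tags that raise the alert severity.
HIGH_CONFIDENCE_TAGS = {"phishing", "smishing", "phaas"}

# Sample enriched event from this page, used as the rule's test input
# (attack_ids trimmed for brevity).
SAMPLE_EVENT = {
    "p_enrichment": {
        "otx_pulses": {
            "property1": {
                "adversary": "Smishing Triad",
                "attack_ids": ["T1583", "T1566.002", "T1566", "T1078"],
                "id": "68fb61809f3b37a23c463236",
                "indicator": "irs.org.gov-tax.icu",
                "indicator_type": "hostname",
                "name": "The Smishing Deluge: China-Based Campaign Flooding Global Text Messages",
                "p_match": "irs.org.gov-tax.icu",
                "tags": ["phaas", "phishing", "smishing"],
                "tlp": "white",
            }
        }
    },
    "p_log_type": "Custom.AnonymusHttp",
    "property1": "irs.org.gov-tax.icu",
}


def otx_matches(event):
    """Yield (source_field, record) for each event field the OTX enrichment
    matched. In the v1.119 form each record describes exactly one indicator
    and `p_match` carries the field value that matched. Values that are not
    a flattened record are skipped rather than allowed to raise."""
    pulses = (event.get("p_enrichment") or {}).get(ENRICHMENT_TABLE) or {}
    for field_name, record in pulses.items():
        if not isinstance(record, dict) or "indicator" not in record:
            continue
        yield field_name, record


def rule(event):
    """Fire when at least one event field matched an OTX indicator."""
    return any(True for _ in otx_matches(event))


def title(event):
    names = sorted({rec.get("name", "") for _, rec in otx_matches(event)})
    if not names:
        return "OTX pulse hit"
    return "OTX pulse hit: " + "; ".join(names)


def severity(event):
    """Dynamic severity: HIGH when any matched pulse carries a watchlist tag."""
    tags = set()
    for _, rec in otx_matches(event):
        tags.update(rec.get("tags", []))
    return "HIGH" if tags & HIGH_CONFIDENCE_TAGS else "MEDIUM"


def alert_context(event):
    """Triage context per matched field: the indicator, the value that matched,
    and the pulse id to look up the pulse's other indicators."""
    return {
        field: {
            "indicator": rec.get("indicator"),
            "indicator_type": rec.get("indicator_type"),
            "matched_value": rec.get("p_match"),
            "pulse_id": rec.get("id"),
            "pulse_name": rec.get("name"),
            "adversary": rec.get("adversary"),
            "tlp": rec.get("tlp"),
        }
        for field, rec in otx_matches(event)
    }


if __name__ == "__main__":
    print(rule(SAMPLE_EVENT), severity(SAMPLE_EVENT))
    print(title(SAMPLE_EVENT))
    print(alert_context(SAMPLE_EVENT))
```

Because the new schema stores one indicator per record, the rule no longer needs to walk an array of indicators inside a pulse to find which one matched; `p_match` and `indicator` on the single record answer that directly, and the pulse `id` is what to carry into a search for the remaining context.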