When a log source is deleted, there's an event in Panther's audit logs for DELETE_LOG_SOURCE. Does the event contain any information about the deleted source?
Currently, any identifying information about the deleted source is not included in the audit log event, but we are investigating adding this information. If this is a blocker or a serious issue for you, or if you are interested in support of this feature (including deleted source information in the audit log event), please bring it up with your Account Executive (AE) or our Support team!
In the meantime, executing the following query, you should be able to identify the label of the log source! Please note that the value of the field actionParams:dynamic:id
from the table panther_logs.public.panther_audit
is the source ID
of the affected log source.
SELECT p_source_label, p_source_id
FROM panther_views.public.all_logs
WHERE p_source_id = 'Deleted log source ID' --here you have to place the value of the field actionParams:dynamic:id for the DELETE_LOG_SOURCE action
ORDER by p_event_time desc
LIMIT 10