QUESTION

When new events are parsed which have values for columns that are not included in the schema, will I be notified through the log source health reporting system?

ANSWER

As of version 1.77, Panther supports field discovery for custom schemas. When enabled, data from fields in incoming log events that are not defined in the corresponding schema will not be dropped—instead, the fields will be identified, and the data will be stored. 

No alert is raised when new fields are discovered. Instead, all of the undefined fields are listed on the schema page for that schema.

[Screenshot: schema page listing the discovered, undefined fields (Screenshot 2023-09-12 at 2.53.10 PM.png)]

Furthermore, you can query these fields in the database or use them in your detections.
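Added example, not Panther's own code: a small check that reports which fields in sample events a custom schema does not declare (the fields that field discovery keeps rather than drops), followed by a Panther-style Python rule that uses one of those discovered fields. Assumptions: the schema is a constructed custom log schema reduced to its `fields` list (name/type/fields), the events are constructed plain dicts, and `rule(event)`/`title(event)` follow the shape of a Panther Python detection, reading fields with `.get()` so an event that lacks a discovered field does not raise inside the detection.

```python
"""Added example (not Panther's code): find fields in sample events that a
custom schema does not declare, and use such a field in a Panther-style rule.

Assumptions: SCHEMA is a constructed custom log schema reduced to its
`fields` list (name/type/fields); events are plain dicts; rule() and title()
follow the shape of a Panther Python detection and read fields with .get().
"""
from typing import Any

# Constructed schema: declares timestamp, action and actor.email only.
SCHEMA: dict[str, Any] = {
    "fields": [
        {"name": "timestamp", "type": "timestamp"},
        {"name": "action", "type": "string"},
        {
            "name": "actor",
            "type": "object",
            "fields": [{"name": "email", "type": "string"}],
        },
    ]
}

# Constructed events: the first carries two fields the schema never declared
# (actor.ip and mfa_used); the second matches the schema exactly.
EVENTS: list[dict[str, Any]] = [
    {
        "timestamp": "2023-09-12T14:53:10Z",
        "action": "login",
        "actor": {"email": "alice@example.com", "ip": "203.0.113.7"},
        "mfa_used": False,
    },
    {
        "timestamp": "2023-09-12T14:54:02Z",
        "action": "login",
        "actor": {"email": "bob@example.com"},
    },
]


def undefined_fields(event: dict[str, Any], schema: dict[str, Any],
                     prefix: str = "") -> list[str]:
    """Return sorted dotted paths of event fields the schema does not declare.

    Nested `object` fields are walked with their own `fields` list; any key
    present in the event but absent from the schema at that level is reported.
    This is the set of fields that field discovery keeps and stores.
    """
    declared = {f["name"]: f for f in schema.get("fields", [])}
    missing: list[str] = []
    for key, value in event.items():
        path = f"{prefix}{key}"
        spec = declared.get(key)
        if spec is None:
            missing.append(path)
        elif spec.get("type") == "object" and isinstance(value, dict):
            missing.extend(undefined_fields(value, spec, f"{path}."))
    return sorted(missing)


def rule(event: dict[str, Any]) -> bool:
    """Panther-style rule that depends on a discovered field.

    `mfa_used` is not in the schema, so it only exists on events that carried
    it. Reading it with .get() (default None) means events without the field
    simply do not match, instead of raising a KeyError in the detection.
    """
    return event.get("action") == "login" and event.get("mfa_used") is False


def title(event: dict[str, Any]) -> str:
    """Alert title; actor.ip is also undeclared, so it is read defensively."""
    actor = event.get("actor", {})
    return (f"Login without MFA for {actor.get('email', 'unknown')} "
            f"from {actor.get('ip', 'unknown')}")


if __name__ == "__main__":
    for ev in EVENTS:
        print(undefined_fields(ev, SCHEMA), rule(ev), title(ev))
```

Running `undefined_fields` over a sample of your own logs before (or after) enabling field discovery tells you which fields will only be reachable through discovery; any rule that relies on one of them should read it with a default, as `rule` and `title` do above, because older events in the same table may not carry it.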