QUESTION

In the release notes for 3.2.2 of panther-analysis, it mentions double quotes for names and IDs the way that bulk download works. Do all DisplayName fields need double quotes now? Do we need to change custom rules/queries yaml files?

ANSWER

This change was introduced because there are some cases where the display name in the Console contains unallowed characters in unquoted YAML strings. When those rules are exported to YAML, the display names must be quoted. Since the exported YAML from the console has to be the same as the panther-analysis repo, the display names in the repo appear quoted as well.

Based on the above, there’s no issue if you are not using quotes, but please ensure the following: