Issue

When investigating alerts or investigating issues that involve Panther Audit Logs, I see an unknown system actor ID that looks like 00000000-0000-4000-8000-000000000000. 

Resolution

The actor ID can be disregarded and allow-listed. It is a hard-coded value in the codebase designed to reflect actions performed by the system. 

Cause

This log event usually occurs when there's a change in the role of an existing Panther SSO user on your SAML provider side. If changes are detected, this log is triggered.

Example
A user exists with the Analyst role in the SAML provider (e.g., Okta), and the user has already logged in once before. Someone changes the Analyst role to Admin in Okta. This user then logs in again to Panther, and this audit log is triggered.