Beginning with Panther version 1.100, Panther updated its custom schema inference logic to bias toward setting field type to object instead of json. Panther’s schema inference tool will now only switch from an object to a json property if the incoming json has 200 or more fields. Because of this change, you may wish to reevaluate any json objects in any custom schemas made before this release in case they would be better served as object field types. You can do this by re-inferring the schema and overwriting the json field with the new object field, including its nested fields.
What does this mean?
Before the release of version 1.100, Panther would infer json fields much more frequently, which had the following downstream effects:
Indicator (p_any) fields: Since Panther relies on the log schema to enumerate specific Indicator of Compromise (IoC) fields, fields nested beneath json fields could not be referenced for indicators.
Autocomplete: Panther uses the log schema to assist you with autocomplete when performing searches, creating Inline Filters, or writing Simple Detections. In order to use autocomplete in these features, the nested fields must be embedded within an object field, not a json field.
Enrichment: Enrichment data cannot be matched against fields nested under a json field.
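To make the rule concrete, the following Python is an added example and is not Panther's own inference code. It models the 200-field threshold described above and the downstream effect listed for indicators and autocomplete: only fields the schema enumerates are reachable by a dotted path, and the walk stops at a json field. The schema type names and the name/type/fields/element layout approximate Panther's custom-schema format and are assumptions here, as is the constructed sample event.

```python
# Added example (not Panther's code): a small model of the object-vs-json
# typing rule in the release note. Type names and the name/type/fields/element
# layout approximate Panther's custom-schema YAML and are an assumption.
import json
from typing import Any

# Threshold from the release note: a nested object with 200 or more keys is
# typed `json`; a smaller one is enumerated as an `object` with nested fields.
JSON_FIELD_THRESHOLD = 200


def scalar_type(value: Any) -> str:
    """Map a JSON scalar to a schema type name (bool is checked before int on purpose)."""
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, int):
        return "bigint"
    if isinstance(value, float):
        return "float"
    return "string"  # strings (and nulls, for which nothing better is known)


def infer_type(value: Any, threshold: int = JSON_FIELD_THRESHOLD) -> dict:
    """Return a schema fragment ({"type": ...} plus nested fields/element) for one value."""
    if isinstance(value, dict):
        if len(value) >= threshold:
            return {"type": "json"}  # opaque: nested keys are not enumerated
        return {"type": "object", "fields": infer_fields(value, threshold)}
    if isinstance(value, list):
        # Element type comes from the first element; an empty array tells us
        # nothing about its elements, so it is typed as an array of json.
        element = infer_type(value[0], threshold) if value else {"type": "json"}
        return {"type": "array", "element": element}
    return {"type": scalar_type(value)}


def infer_fields(obj: dict, threshold: int = JSON_FIELD_THRESHOLD) -> list:
    """Enumerate every key of a JSON object as a named schema field."""
    return [{"name": key, **infer_type(val, threshold)} for key, val in obj.items()]


def addressable_paths(fields: list, prefix: str = "") -> list:
    """Dotted paths the schema actually enumerates.

    Only these can carry an indicator, be offered by autocomplete, or be matched
    by enrichment. The walk looks through arrays to their element type and stops
    at a `json` field, whose contents are opaque to the schema.
    """
    paths = []
    for field in fields:
        path = prefix + field["name"]
        frag = field
        while frag["type"] == "array":
            frag = frag["element"]
        if frag["type"] == "object":
            paths.extend(addressable_paths(frag["fields"], path + "."))
        elif frag["type"] != "json":
            paths.append(path)
    return paths


def field_type(fields: list, name: str) -> str:
    """Look up the inferred type of a top-level field by name."""
    return next(f["type"] for f in fields if f["name"] == name)


# Constructed sample event: a small nested `request` object (enumerated) and a
# very wide `attributes` object with 250 keys (at or above the threshold).
SAMPLE_EVENT = {
    "event_time": "2024-01-01T00:00:00Z",
    "action": "login",
    "request": {"src_ip": "203.0.113.7", "user_agent": "curl/8.0", "retries": 2},
    "tags": ["mfa", "sso"],
    "attributes": {f"k{i}": i for i in range(250)},
}

SAMPLE_SCHEMA = infer_fields(SAMPLE_EVENT)

if __name__ == "__main__":
    print(json.dumps(SAMPLE_SCHEMA, indent=2))
    print("addressable:", addressable_paths(SAMPLE_SCHEMA))
```

Running it shows `request` typed as an object whose nested `src_ip` is addressable as `request.src_ip`, while `attributes` collapses to a single json field with nothing addressable beneath it; lowering `threshold` is the quickest way to see how a json-biased inference shrinks the list of paths an indicator could be attached to.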
How does this change affect me?
If you have inferred any custom schemas in Panther (using one of these methods), we recommend that you re-infer portions of the schema so that json fields are replaced by object fields with their nested fields enumerated where possible. This change can be made in place without the need to create a new schema. See Panther's How to infer a schema documentation.
How can Panther help me?
Reach out to your Account Executive, who can set up a working session with your Solutions Engineer to look at any custom schemas and advise a path forward.