QUESTION

I'm wondering what the correct way would be to customize the enriched log types via the developer workflow. I'd like to add a custom log source, and I'm wondering if Panther automatically adds any logs that have p_any_emails or p_any_usernames indicators?

ANSWER

Panther won't automatically add new log types to your enrichment provider after the initial creation.

To update your Okta enrichment providers through CI/CD:

  1. Download the YAML files that Panther automatically generated for your Okta enrichment providers (the names should be *_devices.yml and *_users.yml). You can download them from your Panther Console by navigating to Build > Bulk Uploader > Download all entities.

  2. Edit the YAML files by adding your new log types and the associated selectors.

  3. Finally, upload the edited YAML files through CI/CD by using Panther's API.

The enrichment providers will be updated to reflect the new YAML files.
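
An illustration of the edit in step 2, added here and not taken from Panther's generated files: the LogTypeMap section of a downloaded *_users.yml with one entry appended. The log type Custom.MyApp, the selector field names and the primary-key placeholder are assumptions; substitute your own log type and the fields that hold the user identifier.

```yaml
# Fragment of a downloaded *_users.yml (constructed for illustration).
# Every other top-level key in the file stays exactly as Panther generated it.
LogTypeMap:
  # Keep the generated value; the placeholder below is not a real key name.
  PrimaryKey: PLACEHOLDER_KEEP_GENERATED_VALUE
  AssociatedLogTypes:
    # Entries that Panther generated for the Okta log types remain here, unchanged.

    # Added entry: hypothetical custom log type. Each selector names an event
    # field whose value is matched against the provider's primary key.
    - LogType: Custom.MyApp
      Selectors:
        - user_email   # hypothetical field in the custom schema
        - username     # hypothetical field in the custom schema
```

Because Panther does not add new log types to the provider on its own, repeat this edit whenever another log source needs Okta enrichment, and keep the edited files in version control so a later bulk download does not silently replace them.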