Is there a way for me to determine who altered or deleted a Panther log source?
Yes, provided you have enabled Panther's audit logging capabilities. Then, every user action in Panther is monitored, recorded, and queryable, just like any other log source in Panther.
To determine who altered or deleted a log source, you can use the following example query in the Data Explorer:
```sql
SELECT p_event_time AS p_timeline, actor:attributes:email AS employee, actionName AS action, *
FROM panther_logs.public.panther_audit
WHERE actionName IN (
    'DELETE_LOG_SOURCE',
    'UPDATE_LOG_SOURCE',
    'CREATE_LOG_SOURCE_ALARM',
    'DELETE_LOG_SOURCE_ALARM',
    'UPDATE_LOG_SOURCE_FILTERS'
)
AND actionParams:dynamic:input:label = 'MY_LOG_SOURCE_NAME'
AND p_occurs_since(365d)
LIMIT 1000
```
Be sure to adjust MY_LOG_SOURCE_NAME to the title of the log source you're investigating!
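The Data Explorer query above answers the question after the fact. As an added example (not from Panther's documentation or the panther-analysis repository), the same filter can be expressed as a Panther Python detection rule so that a watched action against a named log source raises an alert as it happens; the protected source names and the sample event are assumptions.

```python
# Added example, not Panther's own code: the Data Explorer filter above
# rewritten as a Panther Python detection over Panther.Audit events.
# Panther calls rule()/title()/severity() with each event; `event` is
# treated as a plain dict here so the module also runs offline.

WATCHED_ACTIONS = {
    "DELETE_LOG_SOURCE",
    "UPDATE_LOG_SOURCE",
    "CREATE_LOG_SOURCE_ALARM",
    "DELETE_LOG_SOURCE_ALARM",
    "UPDATE_LOG_SOURCE_FILTERS",
}
# Assumption: the log source titles you want to watch.
PROTECTED_SOURCES = {"MY_LOG_SOURCE_NAME"}


def deep_get(obj, *keys, default=None):
    """Walk nested dicts; Panther ships an equivalent in panther_base_helpers."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def rule(event):
    # Fire only for a watched action aimed at one of the protected sources.
    if event.get("actionName") not in WATCHED_ACTIONS:
        return False
    label = deep_get(event, "actionParams", "dynamic", "input", "label")
    return label in PROTECTED_SOURCES


def title(event):
    actor = deep_get(event, "actor", "attributes", "email", default="unknown actor")
    label = deep_get(event, "actionParams", "dynamic", "input", "label", default="?")
    return f"{actor} performed {event.get('actionName')} on log source {label}"


def severity(event):
    # Deleting a source silences every detection that depends on it.
    return "HIGH" if event.get("actionName") == "DELETE_LOG_SOURCE" else "MEDIUM"


# Constructed sample event in the shape the query above relies on.
SAMPLE_DELETE = {
    "p_event_time": "2024-01-01 12:00:00.000",
    "actionName": "DELETE_LOG_SOURCE",
    "actor": {"attributes": {"email": "alice@example.com"}},
    "actionParams": {"dynamic": {"input": {"label": "MY_LOG_SOURCE_NAME"}}},
}
```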