QUESTION

Is there a way for me to determine who altered or deleted a Panther log source?

ANSWER

Yes, provided you have enabled Panther's audit logging capabilities. Then, every user action in Panther is monitored, recorded, and queryable, just like any other log sourceĀ in Panther.

To determine who altered or deleted a log source, you can use the following example query in the Data Explorer:

SELECT p_event_time AS p_timeline, actor:attributes:email AS employee, actionName as action, *
FROM panther_logs.public.panther_audit
WHERE actionName IN (
  'DELETE_LOG_SOURCE',
  'UPDATE_LOG_SOURCE',
  'CREATE_LOG_SOURCE_ALARM',
  'DELETE_LOG_SOURCE_ALARM',
  'UPDATE_LOG_SOURCE_FILTERS'
)
AND actionParams:dynamic:input:label = 'MY_LOG_SOURCE_NAME'
AND p_occurs_since(365d)
LIMIT 1000

Be sure to adjust MY_LOG_SOURCE_NAME to the title of the log source you're investigating!