v1.109

Latest release

Aug 29, 2024

New and Noteworthy
  • New correlation rule enhancements:

    • It’s now possible to test correlation rules.

    • Group correlation rules can now specify, with MinMatchCount, the minimum number of member rules that must match for the correlation rule to pass.

    • Note that both correlation rules and signals can substantially increase Snowflake compute costs. See the guidance on correlation rules and on signals for how to scope them so that they run efficiently.

  • Safeguard against alert storms with the alert limiter functionality.

  • Use the CrowdStrike Event Streams log source to ingest logs pulled from CrowdStrike’s Event Streams API.

    • This feature is in open beta, and is available to all customers.

  • Use the new Sublime Security integration to ingest Audit, MessageEvent, and Message Data Model (MDM) logs into Panther.

    • Panther-managed detections for Sublime Security logs are coming soon!

  • Ingest Apache Avro files into Panther—this enables you to onboard Azure Monitor and Microsoft Defender logs.

    • This feature is in open beta, and is available to all customers.

  • Use the event.lookup() function to dynamically fetch Lookup Table and Enrichment Provider data in Python detections.

  • The left-hand navigation bar in the Panther Console has been reformatted. For example, the Build option has become Detections, and MITRE ATT&CK is now a tab on the Dashboard homepage. Additionally, Data Models, Helpers, and Packs are now tabs within Detections.
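The two items above that concern detection logic, the `event.lookup()` call for dynamic enrichment and group correlation with a MinMatchCount threshold, are easier to reason about with a small end-to-end run. The following is an added example written for this page; it is not Panther's own engine or SDK. It runs two Python rules over constructed events, one of which enriches the event from a lookup table, and then applies a group-correlation check that requires at least `min_match_count` distinct rules to match the same host within a lookback window. The `PantherEvent` class, its `lookup(table_name, key)` signature, the table name `asset_inventory`, and all events are assumptions for the example; check the Panther documentation for the real signature before using it in a detection.

```python
"""Added example: lookup-table enrichment in Python rules, then a group
correlation with a MinMatchCount threshold. Not Panther's engine; the
lookup() signature and the sample data below are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lookup table: asset criticality keyed by hostname.
ASSET_TABLE = {"web-01": {"tier": "prod"}, "dev-box": {"tier": "dev"}}


class PantherEvent(dict):
    """Stand-in for the event object a rule receives. The real event.lookup()
    signature is ASSUMED here to be lookup(table_name, key)."""

    def lookup(self, table_name, key):
        tables = {"asset_inventory": ASSET_TABLE}
        # A miss returns None, as a rule must expect for unknown keys.
        return tables.get(table_name, {}).get(key)


def rule_failed_logins(event):
    """Fires on a burst of failed logins from one host."""
    return event.get("action") == "login_failed" and event.get("count", 0) >= 5


def rule_prod_new_admin(event):
    """Fires when an admin is added on a host the lookup table marks as prod.
    A missing lookup result must not raise, so it is checked before indexing."""
    asset = event.lookup("asset_inventory", event.get("host"))
    return event.get("action") == "admin_added" and bool(asset) and asset["tier"] == "prod"


RULES = {"Failed.Logins": rule_failed_logins, "Prod.NewAdmin": rule_prod_new_admin}


def run_rules(events):
    """Return {rule_id: [(timestamp, host), ...]} for every event each rule matched."""
    matches = defaultdict(list)
    for raw in events:
        ev = PantherEvent(raw)
        for rule_id, fn in RULES.items():
            if fn(ev):
                matches[rule_id].append((ev["ts"], ev["host"]))
    return matches


def group_correlation(matches, rule_ids, min_match_count, lookback):
    """Return the hosts for which at least min_match_count DISTINCT rules from
    rule_ids matched within any window of length `lookback`."""
    per_host = defaultdict(list)  # host -> [(ts, rule_id)]
    for rule_id in rule_ids:
        for ts, host in matches.get(rule_id, []):
            per_host[host].append((ts, rule_id))
    hits = set()
    for host, items in per_host.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            window_rules = {r for ts, r in items[i:] if ts - start <= lookback}
            if len(window_rules) >= min_match_count:
                hits.add(host)
                break
    return hits


# Constructed events (not real log data).
T0 = datetime(2024, 8, 29, 12, 0, 0)
EVENTS = [
    {"ts": T0, "host": "web-01", "action": "login_failed", "count": 7},
    {"ts": T0 + timedelta(minutes=10), "host": "web-01", "action": "admin_added"},
    {"ts": T0, "host": "dev-box", "action": "login_failed", "count": 9},
    {"ts": T0 + timedelta(minutes=10), "host": "dev-box", "action": "admin_added"},  # dev tier
    {"ts": T0, "host": "web-02", "action": "admin_added"},  # absent from lookup table
]
GROUP = ["Failed.Logins", "Prod.NewAdmin"]

if __name__ == "__main__":
    m = run_rules(EVENTS)
    print(dict(m))
    print(group_correlation(m, GROUP, 2, timedelta(minutes=30)))  # web-01 only
    print(group_correlation(m, GROUP, 2, timedelta(minutes=5)))   # empty: 10 min apart
```

Two behaviours are worth noticing. `rule_prod_new_admin` treats a lookup miss (`web-02`) as a non-match rather than raising, which is the failure mode that turns a new lookup-backed rule into a source of errors in production. And lowering `min_match_count` to 1 makes the group fire for `dev-box` on failed logins alone, which is the cost trade-off behind the note above: a looser threshold means more correlation evaluations and more alerts.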

Now Generally Available
  • Use the Sigma rule converter (now with conversion support for GCP Audit logs and SentinelOne Deep Visibility logs) to translate vendor-agnostic detections into Panther detections.

  • Ingest Parquet files into Panther. 

Enhancements
Panther Developer Workflows
  • Panther-analysis version 3.62.0 was released this week, featuring CrowdStrike Event Streams detections.

Bug Fixes
  • Fixed a bug in decompression logic when handling large zstd data.

In Closed Beta
  • Panther’s Wiz integration, which allows you to ingest issues, vulnerabilities, and audit logs from Wiz, is in closed beta.

    • For customers interested in access, please reach out to your account team.

    • If you already have access, note that in the Wiz.Audit schema the `actionParameters` field is now `type: json` (it was previously `type: object`). Review any detections or queries that address nested keys inside `actionParameters`, since the field’s type has changed.

© 2024 Panther Labs