New and Noteworthy

• Added the ability to use Terraform templates when setting up Amazon S3 and CloudWatch Logs in the Panther Console.

Detection Content Changes

• Due to the decreasing value of using IP addresses as a specific indicator of compromise for the Log4J vulnerability, the LOG4J Indicators of Compromise (IP) rule (IOC.Log4JIPs) is now disabled in the Panther Analysis Tool.

• Added a data model and detections for 1Password, including an optional detection that takes advantage of Panther's Lookup Tables feature.

Enhancements

• Added the ability to filter Lookup Tables by import method (S3 Sync or Manual Upload) in the Panther Console.

• The last time a Lookup Table received data from an S3 sync is now visible in the list of Lookup Tables in the Panther Console.

• Alerts for unhealthy log source states now include a link to the errors that triggered the unhealthy state.

• Added a confirmation pop-up in the Panther Console when enabling Packs.

• Panther will now retry scheduled queries that fail up to three times before marking them as failed in the Panther Console.

• Added helper text to the Stream Type field when setting up an S3 Log Source in the Panther Console. This text adds context for what each type of Stream Type is and how Panther will read the data.

• Changed the color of “Confirm” buttons in dialog boxes from red to blue in the Panther Console to more effectively convey the impact of clicking “Confirm.”

• The EventProcessorScanMessageEntryLimit field has been added to Panther’s CloudFormation deployment parameters. The default setting for MaxLookupTableCompressedSizeMB has been changed from 200 to 400.

• Destination failure alerts now include the alerts that failed to deliver.

Bug Fixes

• Fixed a bug that caused the drilldown from indicator search to select the wrong columns.

• Fixed two bugs that caused enabling or disabling and creating new Lookup Tables to potentially lose data.