New and Noteworthy

• The Panther Console navigation has been redesigned to improve the user experience and streamline workflows.

  • Various visual enhancements have been made, and the navigation menus have been updated, which now appear as follows:

    • Dashboard

    • Alerts

    • Investigate

    • Build

    • Configure

  • Additionally, the Settings, Help, and User menus have moved to the top right-hand corner of the Panther Console. Watch a video tour of the Console with the new UI here.

Features

• Pull MongoDB Atlas logs with Panther's new MongoDB Atlas log puller. 

  • With this puller, you can authenticate Panther in MongoDB and pull data directly from MongoDB Atlas's Administration API.

• The option to make LIMIT clauses required for scheduled queries has been added.

  • Enabling this setting prevents creating new scheduled queries without LIMIT clauses, and checks existing scheduled queries for LIMIT clauses.

  • This setting is located under Settings > General > Data Lake.

Now Generally Available

• The following features are now generally available and no longer in beta:

  • Enrichment

    • Lookup Tables

    • GreyNoise

  • GCP log puller

Schema Changes

• Four fields in CrowdStrike’s ProcessRollup2 and SyntheticProcessRollup2 schemas have been changed from int to string. We recommend that you verify the impact on any custom detections built using the affected fields:

  • TargetProcessId

  • SourceProcessId

  • SourceThreadId

  • ParentProcessId

Enhancements

• The log source onboarding page has been updated to improve its usability. The following enhancements have been made:

  • Log cards now expand to display more details when clicked instead of opening a new page.

  • Rearranged Custom Onboarding to the top of the page.

  • Added a search filter for supported logs.

• Detection match rates for Data Replay are now updated live in the Panther Console to provide better transparency into when a detection may trigger a large volume of alerts.

• A new field, “origin”, has been added to Panther API alerts which returns a limited set of information around the detection or system error that triggered the related alert.

• Panther now sends alerts from a known static IP address. This allows customers to configure destinations to accept connections from this IP address.

  • Locate the address, listed as Gateway Public IP, in the Panther Console by navigating to Settings > General and scrolling to the bottom of the page.

• Panther’s CloudFormation deployment parameters have been updated.

Panther Developer Workflows

• panther-analysis has been updated to v1.34.0, which includes the following enhancements:

  • Queries, rules, and policies have been reorganized into top-level directories.

  • To standardize code style, the Python code formatter Black has been incorporated into panther-analysis.

  • Fixed a bug that incorrectly mapped users and roles in the GCP Data Model.

Bug Fixes

• Fixed a bug that displayed the wrong error message in the Data Explorer when using an invalid SQL query.

• Fixed a bug that caused the Zendesk OAuth health check to fail even when working correctly, resulting in false alarms.

• Fixed a bug that caused Zstd decompression to fail under certain circumstances.