Schema Changes

• To support SaaS audit event streaming in addition to self-hosted audit logs, the following fields have been added to the GitLab.Audit schema:

  • created_at

  • details 

  • entity_path

  • event_type

  • id

  • ip_address

Enhancements

• In an alert’s “Details” tab in the Panther Console, the event JSON section is now expanded by default.

• Improved Indicator Search, allowing you to pivot on any field from an alert event and search for indicators by field. When searching for indicators by field, you can select from the options in the dropdown menu, including:

  • Auto Detect Type - Automatically analyzes type identification based on the indicators you enter. 

  • Simple Search - Requires search input to be in the <attribute path>=‘<attribute value>’ format.

• The following updates have been made to the Add New Source page in the Panther Console:

  • Added an option to request a new log source. At the bottom of the page, click "Request it here" to notify our team.

  • Removed the option to toggle between all and popular sources. All sources now appear when loading this page.

• In the Detections edit page, the unit test tab and name field have been merged into a single tab to improve ease of use for managing unit tests. 

• Normalized retention of processed-data S3 buckets to 30 days.

Panther Developer Workflows

• panther-analysis versions 2.2.0 and 3.0.0 have been released.

  • Version 2.2.0 featured a new detection for Dropbox and minor bug fixes.

  • Version 3.0.0 updates the name of the global helper panther to panther_default and adds an Asana detection.

Bug Fixes

• Fixed the following in the Overview Dashboard in the Panther Console:

  • Hovering over a specific alert now only displays data for that cell.

  • The y-axis of the Ingestion by Log Source graph is now labeled in bytes.

  • The Alerts By Log Type graph now sorts by alert count.

• Generated Terraform template files now have an accurate creation time.