New and Noteworthy

• Improved the S3 log source onboarding experience. You can now browse S3 bucket directories and contents from the Panther Console, and the process of selecting, inferring, and applying schemas has been simplified. Includes the ability to infer multiple schemas at once, including from historical data.

  • This feature is in closed beta. If you would like to participate, contact your Panther representative.

• Revamped the log source onboarding experience in the Panther Console. On the Add New Log Source page, you can now see at a glance how many detections are available for each source. Click a source to quickly open detailed information on supported log types, available detections, and use cases.

Now Generally Available

• Define a field schema with the copy transformation for custom logs. This allows you to select a field and promote it to a top-level field in the nested hierarchy, helping you flatten your data’s JSON structure.

In Open Beta

• Onboard Tines audit logs with the Tines log puller. Use this integration to monitor changes made by users to data in your Tines tenant.

Schema Changes

• The following updates have been made to Zeek schemas:

  • Added Zeek.SIP.

  • Updated required Zeek.SSH fields to align with Zeek documentation. 

  • Added managed schemas to the enrichment providers GreyNoise, IPinfo, and Tor.

Enhancements

• Added HMAC, Basic, and Bearer authentication methods to HTTP log ingestion to provide additional HTTP endpoint security options, ensuring it only processes requests from authenticated sources.

  • HTTP log ingestion is in closed beta. Wider availability will be introduced in a future release of Panther.

• Added the ability to rename ingested fields with the rename transformation for custom logs.

  • This enables you to standardize field names and edit field names with invalid characters or reserved keywords.

• The following enhancements have been made to Data Replay:

  • Added a data size selector, allowing you to choose between data size or date range when running replays. This enables you to test your rules on a data set for a specified size without having to manually narrow the date range.

  • Added a calendar and pre-selected date ranges to the time picker for easier date selection.

• Roles that have role-based access control (RBAC) per log type enabled for search and alerts can now also have the ability to view policies.

  • Support for RBAC per log type is in closed beta. If you would like to participate, contact your Panther representative.

• Improved the performance of schema testing in the Panther Console. 

Panther Developer Workflows

• Version 0.21.1 of panther_analysis_tool has been released, featuring the following updates:

  • Added new Zeek log types.

• Version 3.4.0 of panther-analysis has been released, featuring the following updates:

  • Added new Dropbox and Slack detections.

Bug Fixes

• Fixed a bug that could disable the Start Replay button in Data Replay.

• Resolved an issue that allowed schema testing to run indefinitely in the Panther Console. It now has a 15 minute limit.

• Removed the display to log in with username and password when SSO enforcement is enabled.