v1.108

New and Noteworthy

• Expand the visibility of your attack surface with new Panther-managed log sources:
  • AWS CloudFront: Ingest CloudFront standard (or access) events.
  • Push Security: Ingest Activity, AttackDetection, and Entities events.
  • AppOmni: Ingest Alerts, Events, and Policy events.
• panther-analysis v3.55.0 has been released, and contains new detections for Snowflake, AWS honeypots, Auth0, OCSF, Push Security, and AppOmni—as well as various tunings and bug fixes.
• It’s now possible to create inclusion ingestion filters, in addition to exclusion filters.
• Various quality-of-life improvements have been made to Search, including the ability to view full events in the results table and show or hide Panther fields in the JSON event slide-out panel.

Now Generally Available

• In Search, use OR statements, filter grouping, and Indicator of Compromise searching.

In Open Beta

• Create correlation rules to track complex threat behavior across multiple detections.
• Signals are now generated when there is a match on a rule, and enable you to disable alerting for a detection.
• Manage Panther alerts in these new alert destinations:
  • Incident.io
  • BlinkOps
• Use the new script log parser to perform transformations on incoming logs using the Starlark configuration language.
• The Panther-managed Proofpoint log source lets you ingest Proofpoint Event logs.
• The user interface for managing log source schemas in the Panther Console has been updated.

Enhancements

• A new p_current_timestamp macro is available in Data Explorer.
• In custom log schemas, the timeFormat field can now accept a unix_auto value, which automatically determines the time format.
• For Cloud Connected AWS deployments, Panther has defined resource tags and made it possible to add your own custom tags.
• The Bitwarden log source has been extended to support EU servers.
• If you are a GreyNoise customer, use the new Panther-managed GreyNoise.API.Noise schema along with additional resources in panther-auxiliary to set up a GreyNoise Lookup Table. Following the discontinuation of native GreyNoise support in Panther on June 17, this will allow you to continue leveraging GreyNoise data in Panther. 
• In Search:
  • Selected database(s) and table(s) are displayed at the top of the list of dropdown values.
  • Sort order of the results table is retained when running a new search.

Bug Fixes

• Fixed an issue causing the Open Unassigned Alerts by Severity dashboard modal to include alerts that were not Open.
• Fixed an issue with normalized ingestion filters causing the IN operator to fail for certain values.
• Fixed classification failures for the Crowdstrike.UserInfo schema.
• For the Jira alert destination:
  • Fixed an issue with two-way sync causing the Panther Instance URL to be displayed incorrectly.
  • Fixed an issue with two-way sync causing the Panther API Token to not be displayed.
  • Fixed an issue with two-way sync causing status update comments posted to a Jira issue by Panther to then be synced back to Panther. These comments were redundant in Panther due to the Activity History log.
  • Fixed an issue with sending the label attribute to Jira instances that may not support labels.
  • Fixed an issue causing a status update comment to be posted to a Jira issue even if the actual status update failed.