v.112
LATEST RELEASE
Mar 31, 2025
New and Noteworthy
You can choose to enable Panther AI to accelerate alert triage workflows, including quickly gathering more information about an alert.
Panther AI is off for all accounts by default, and must be enabled before use.
Create and edit custom dashboards in Panther to visualize the data that matters most to your team.
Interact with Panther entities using the new REST API endpoints for API Tokens, Alerts, Users, and Roles.
Deliver Panther alerts to Jira Data Center with the new alert destination integration.
Ingest Orca Security alerts in Panther with the new log source integration.
Upgrade to panther-analysis v3.75.0, containing:
Behavioral analytics and anomaly detection template macros, which you can use to identify rare or unique values in your data.
An improvement to the Panther Sync Panther Analysis from Upstream GitHub Action to prevent sync failures. See the instructions on Public Fork and Private Clone for more information.
A new Cursor rule and improved VS Code YAML schemas to improve AI-assisted detection writing.
New detections, detection updates, and bug fixes for AWS, Azure, and 1Password log sources.
Now Generally Available
Ingest events from Tracebit and Rapid7 using the log source integrations.
Route Panther alerts to Rapid7 and Mindflow with the alert destination integrations.
Enhancements
Build more powerful PantherFlow queries with the following language improvements:
Generate a sequence of incrementing rows with the range operator, which is useful when charting time series data.
Leverage the new functions: arrays.filter(), arrays.flatten(), arrays.map(), math.abs(), math.ceil(), math.floor(), and time.add().
Make your queries more readable by declaring scalar variables.
Define anonymous functions for use as function parameters.
The join operator's kind field now uses an equals sign (=) to specify its value rather than a colon (:).
Authenticate your Google Cloud Storage (GCS) Sources and Pub/Sub Sources with Workload Identity Federation instead of a service account.
Load data in various JSON formats into your custom Lookup Tables, with expanded data parsing functionality.
In custom log schemas, you can now specify validation for elements of an array field.
Send data to Panther in an “enveloped array” with an enhancement to the JSON Array stream type.
In Search, use keyboard shortcuts when constructing filter expressions.
Various Panther Console usability improvements, such as improved error messages for Packs and rule tests.
Bug Fixes
Fixed an issue where Lookup Table creation would error when fields were auto-mapped.
Fixed an occasional error while loading metrics in the log sources page in the Console.
Fixed a bug causing some events to be missing from the alert details page in the Console.
Fixed a bug causing empty events to appear in the alert details page in the Console.
Fixed a bug causing the last page of the detections list in the Console to generate an error.
Fixed a bug in the dynamic lookup function that could cause empty results to be returned when lookup data exists.