v1.108
Latest release
Jun 28, 2024
New and Noteworthy
Expand the visibility of your attack surface with new Panther-managed log sources:
AWS CloudFront: Ingest CloudFront standard (or access) events.
Push Security: Ingest Activity, AttackDetection, and Entities events.
AppOmni: Ingest Alerts, Events, and Policy events.
panther-analysis v3.55.0 has been released, and contains new detections for Snowflake, AWS honeypots, Auth0, OCSF, Push Security, and AppOmni—as well as various tunings and bug fixes.
It’s now possible to create inclusion ingestion filters, in addition to exclusion filters.
Various quality-of-life improvements have been made to Search, including the ability to view full events in the results table and show or hide Panther fields in the JSON event slide-out panel.
Now Generally Available
In Search, use OR statements, filter grouping, and Indicator of Compromise searching.
In Open Beta
Create correlation rules to track complex threat behavior across multiple detections.
Signals are now generated when there is a match on a rule, and enable you to disable alerting for a detection.
Manage Panther alerts in these new alert destinations:
Use the new script log parser to perform transformations on incoming logs using the Starlark configuration language.
The Panther-managed Proofpoint log source lets you ingest Proofpoint Event logs.
The user interface for managing log source schemas in the Panther Console has been updated.
Enhancements
A new p_current_timestamp macro is available in Data Explorer.
In custom log schemas, the timeFormat field can now accept a unix_auto value, which automatically determines the time format.
For Cloud Connected AWS deployments, Panther has defined resource tags and made it possible to add your own custom tags.
The Bitwarden log source has been extended to support EU servers.
If you are a GreyNoise customer, use the new Panther-managed GreyNoise.API.Noise schema along with additional resources in panther-auxiliary to set up a GreyNoise Lookup Table. Following the discontinuation of native GreyNoise support in Panther on June 17, this will allow you to continue leveraging GreyNoise data in Panther.
In Search:
Selected database(s) and table(s) are displayed at the top of the list of dropdown values.
Sort order of the results table is retained when running a new search.
Bug Fixes
Fixed an issue causing the Open Unassigned Alerts by Severity dashboard modal to include alerts that were not Open.
Fixed an issue with normalized ingestion filters causing the IN operator to fail for certain values.
Fixed classification failures for the Crowdstrike.UserInfo schema.
For the Jira alert destination:
Fixed an issue with two-way sync causing the Panther Instance URL to be displayed incorrectly.
Fixed an issue with two-way sync causing the Panther API Token to not be displayed.
Fixed an issue with two-way sync causing status update comments posted to a Jira issue by Panther to then be synced back to Panther. These comments were redundant in Panther due to the Activity History log.
Fixed an issue with sending the label attribute to Jira instances that may not support labels.
Fixed an issue causing a status update comment to be posted to a Jira issue even if the actual status update failed.