New and Noteworthy

• Manage your HTTP Sources in Panther with new REST API operations.

• Write more powerful PantherFlow queries with the following syntax improvements:

  • The union operator now supports querying multiple tables at once using a wildcard character (*).

  • There are a handful of new functions: agg.stddev(), arrays.sort(), arrays.union(), arrays.difference(), arrays.intersection(), strings.join(), strings.ends_with(), and snowflake.func().

  • Breaking changes: The time.date_trunc() function has been renamed to time.trunc(). The datetime() and time.parse_date() functions, along with the partially implemented date data type, have been removed. If you have Saved Searches using these removed capabilities, you will need to update them. Learn more in the Breaking changes in Panther v1.111 Knowledge Base article.

• Leverage the new PantherFlow editor usability aids, like signature help and inlay hints, and see faster results due to performance improvements.

• Ingest Tracebit logs to detect intrusions in your cloud infrastructure with the new native integration in Panther.

• Route Panther alerts to Mindflow with the new alert destination integration in Panther.

• Ingest Rapid7 audit logs and/or forward Panther alerts to Rapid7 using the new log source and alert destination integrations.

• Upgrade to panther-analysis v3.70.0, containing new and updated rules, bug fixes, and more. See the full list of changes here.

  • If you manage detections with Panther Detection Packs, please be sure to update them to v3.70.0. A future patch version of Panther, scheduled to be deployed to your instance the week of February 10th, will include validation that is dependent on your Packs being updated to this version.

• In closed beta, the PyPanther Detections CLI tool now supports uploading schemas.

Enhancements

• The Search date range filter now includes “All time” and “Relative time” options.

• The Zscaler ZIA log source now supports three additional log types: Web, Firewall, and DNS.

• The mask transformation can now be applied on all types of log fields, not just strings.

• The GraphQL API schema operations now contain isFieldDiscoveryEnabled and isArchived fields.

• The Microsoft Graph Logs onboarding process has been simplified.

• Breaking change: The correlation rule Transitions.WithinTimeFrameMinutes field has new validation: its value must be less than or equal to the value of LookbackWindowMinutes.

  • You may need to update your custom correlation rules if they defy this validation. Learn more in the Breaking changes in Panther v1.111 Knowledge Base article.

Now Generally Available

• A number of integrations have graduated from their beta phase, and are now Generally Available:

  • Log sources: SentinelOne, Bitwarden, Proofpoint, CrowdStrike Event Streams, Wiz, Auditd, Windows Event, Azure Monitor, Envoy, GitHub, and Docker

  • Alert destinations: Incident.io

Bug Fixes

• A bug causing log source updates to fail if made shortly after creation has been fixed.

• A bug preventing user invitations from being successfully resent from the Panther Console has been fixed.

• A bug causing alert events to be dropped has been fixed.

• The md5 indicator has been removed from cid and aid fields in the CrowdStrike Falcon Data Replicator schemas.

• During bulk upload, a bug causing inaccurate counts of updated detections to be reported (as well as creation of extra versions in S3) has been fixed.

• During Detection Pack updates, when an update contains a deletion, a longstanding bug causing errant deletion of Global Helpers created in the Console has been fixed.

• A bug causing alerts generated by PyPanther Detections to not be delivered has been fixed.

  • To receive this fix, upgrade to pypanther version 0.1.1a54.