New and Noteworthy

• Manage your Panther alerts in Slack more effectively with improved Slack Bot functionality:

  • You can now configure your Slack Bot destination to receive Panther AI alert triage summaries.

  • You can now enable two-way sync for alert status and assignee, meaning changes made in the Panther Console (or via API) will be reflected in the Slack Bot representation of the alert.

  • When resolving an alert from the Slack Bot, you can now assign it to yourself.

• Easily re-ingest events that initially failed to classify in Panther with event reprocessing.

• Ingest XML logs in Panther (such as Windows logs) without custom conversion tools, using the XML stream type functionality.

• Set up an Azure Event Hub Data Transport Source to streamline ingestion of Azure data in Panther.

• Add Snowflake context to incoming logs in Panther with the Snowflake Enrichment Provider.

• Use the PantherFlow visualize table type to generate tables, then add them as widgets in your custom dashboards.

Panther Developer Workflows

• Detections uploaded in the CLI workflow can now use a CreatedBy field to specify authorship.

• Since the last Panther release, the panther-analysis repository has published versions 3.78-3.81, which include a number of changes, such as:

  • Adding a pre-commit hook that runs make lint and make test.

  • Restricting internal Panther GitHub workflows to the upstream repository—learn about the workflows available to you here.

  • A CLAUDE.md file to provide guidance to Claude Code.

  • Various new detections and much detection tuning.

• The Panther Analysis Tool (PAT) has released version 1.0.0, which:

  • Updates the license from AGPL-3.0 to Apache-2.0.

  • Updates schemas with new (optional) CreatedBy field.

  • Switches dependency management to poetry.

Enhancements

• Panther AI:

  • Has been upgraded to use Claude Sonnet 4.

  • Allows you to explicitly save an AI response.

  • Has documentation additions: comprehensive workflow examples, a tool list, and AI system architecture explanations.

• Take advantage of your screen’s full width when searching data in Panther, with wide screen support for Data Explorer.

• Search now allows CSV generation when there are more than 1000 rows.

• The Search page now respects your Panther global time setting, i.e., it can display time in your local timezone instead of UTC only.

• When classifying logs using the script parser, use the base64.decode and base64.encode functions.

• The MITRE ATT&CK dashboard in the Panther Console has been updated to version 16.1 (from 11.1), which introduces a number of new attack techniques.

• The Crowdstrike.FDREvent log schema has improved indicator field extraction.

• Leverage the following enhancements to the Panther REST API:

  • Adds filtering options for list detection endpoints.

  • Adds new createdBy field to detection endpoints.

  • Adds XML as a possible value for logStreamType in HTTP Source endpoints.

  • Adds `outputIds` (alert destination overrides) field to detection endpoints

  • Adds pagination support to list users endpoint.

Infrastructure Changes

• If you are a Cloud Connected Panther customer:

  • You can now use the PantherDeploymentUpdaterRole to keep your PantherDeploymentRole updated automatically.

  • Panther now publishes a Terraform version of the PantherDeploymentRole (previously available only in CloudFormation).

• Panther has implemented dedicated Snowflake warehouses for public API requests. This architectural improvement provides better cost attribution and resource management for API-driven workloads by isolating them from other Snowflake operations. (This does not apply to legacy Snowflake configurations.)

Bug Fixes

• In PantherFlow, added support for signed variables and functions (previously, only numbers could be signed).

• Fixed issue where Okta Logs sources would intermittently report being unhealthy.

• In the script parser, fixed logic that resulted in memory issues.

• Fixed Cloud Security Scanning bug causing CloudFormation stacks to not be displayed on the Cloud Resources page.

• In the Microsoft Graph Logs integration, fixed a bug that could, under specific circumstances, result in event duplication and partial data loss.

• Fixed a bug in Search preventing drilldown capabilities in the results histogram when “All time” is selected in the date range filter.

• In the Panther REST API:

  • Fixed alert comments pagination bug.

  • The get alerts endpoint now returns a 404 if the alert isn’t found (instead of a 500).

  • When assigning an alert to an invalid user, a 400 is now returned (instead of a 500).