New and Noteworthy

• Ingest Wiz events via Webhook with Panther's new log source integration, now supporting Wiz Defend and additional event types.

• Enrich incoming logs with additional context with Open Threat Exchange (OTX) enrichment.

• Search now features two-way synchronization between PantherFlow query text and filter values.

• In the Panther Console, custom enrichments (formerly called Lookup Tables) and Panther-managed enrichments have been consolidated into a single Enrichments page.

  • Improved filtering and table columns have been added to the Enrichments page.

Now Generally Available

• Ingest Snowflake Audit Logs into Panther.

Enhancements

• You can now use Panther AI to help write scheduled rules with improved tooling.

• Claude Sonnet 4.5 is now the foundation AI model used by Panther AI.

• The log source onboarding page in the Panther Console has been redesigned and updated to improve search functionality.

• Configure Identity Provider-initiated SSO for your Panther users.

• Updated Admin role restrictions to prevent users from being locked out of the Panther Console.

• Field discovery has been enabled for additional Panther-managed log schemas:

  • Azure.Audit

  • Okta.SystemLog

  • Asana.Audit

  • Atlassian.Audit

  • Auth0.Events

  • Slack.AuditLogs

  • Slack.AccessLogs

  • Slack.IntegrationLogs

  • Docker.Events

  • Envoy.Access

  • Bitwarden.Events

  • CarbonBlack.AlertV2

  • CarbonBlack.Audit

  • CarbonBlack.EndpointEvent

  • CarbonBlack.WatchlistHit

  • See the full list of managed schemas with field discovery enabled here. Note that additional schemas will be enabled on a rolling basis.

Panther Developer Workflows

• Since the last Panther release, the panther-analysis repository has published versions 3.86.0–3.87.0, which include a number of changes, such as:

  • New rules for Axonius, Docusign, Auth0, Microsoft Intune/Defender, and GitHub Audit/Webhook.

  • Snowflake enrichment global helper functions.

  • Improved titles for CrowdStrike rules, including ComputerName.

• The Panther MCP server has released version 2.1.0, which allows you to:

  • Access your existing Panther AI alert triage summaries or start new analysis runs directly through MCP tools.

  • Efficiently update multiple alerts at once.

  • list_alerts now defaults to the last 7 days for better visibility.

Bug Fixes

• Resolved an issue where the Schemas page failed to load for customers with a large number of schemas.

• Lookup Tables now properly ingest events that contain new line characters.

• The Detection page no longer crashes when large search text is entered.

• Header Name field is now disabled when a securityHeaderKey is defined when adding a new log source with HMAC authentication.

• HMAC authentication now works with HTTP log sources with compressed content.

Deprecations

• Support for historical tables in the panther_lookups.public database will stop in the upcoming 1.117 release. Tables like <lookupname>_XXX, <lookupname>_history_XXX, and <lookupname>_history will stop being populated and only the table containing the most up-to-date lookup data in <lookupname> will be populated. If you were referencing these historical tables to know how a log event was enriched while being processed by detections, note that signals contain enrichment data.