New and Noteworthy

• Enrich incoming logs with data already in your data lake by creating custom enrichment sources with the output of a Scheduled Search.

• Infer schemas from sample data of any format, not just JSON, with AI-assisted schema inference.

• Ingest OpenAI audit logs with Panther's new log source integration.

• The Enrichment details page includes enrichment data under the new “Lookup Table” tab. The updated page makes it easier to validate your data and edit your schemas.

• Panther's new Salesforce integration now supports Salesforce Real-Time Event monitoring objects.

• Enrich incoming logs with additional context with the GreyNoise enrichment.

• Deliver Panther alerts to Expel with the new alert destination integration.

Now Generally Available

• Authenticate your Google Cloud Storage (GCS) Sources and Pub/Sub Sources with Workload Identity Federation.

• Ingest Orca Security logs into Panther.

Enhancements

• Field discovery has been enabled for 100+ Panther-managed log schemas.

  • To verify which schemas have field discovery enabled, you can view the Field Discovery column on the Schemas page.

  • Note that additional schemas will be enabled on a rolling basis.

• Gmail audit logs have been added to the Google Workspace integration.

• Improvements to the Google Workspace integration allow Panther to pick up newly available events up to five minutes sooner once Google exposes them.

• Ingest Google Cloud Platform (GCP) Access Transparency, DNS, and Firewall logs into Panther.

• Panther’s Teleport integration now supports ingesting logs sent with External Audit Storage.

• Use regional endpoints when configuring Google Pub/Sub as a Data Transport.

  • This may be helpful if your organization has compliance requirements for your data to stay in a specific region in Google Cloud.

• Panther AI can suggest prompts and query alerts with an “INVALID” status. You can also favorite prompts.

• Creating and updating enrichments through the Panther Console and PAT is faster.

• Additional resource information was added to Cloud Security Scanning.

Schema Changes

• Azure.Audit Level field type changed from bigint to string.

• The Orca.AlertEvent schema will be replacing Orca.Alert.

Panther Developer Workflows

• Since the last Panther release, the panther-analysis repository has published versions 3.88.0–3.94.0, which include a number of changes, such as:

  • Sha1-Hulud 2.0 detection and threat hunting query

  • Experimental rules

  • GitHub audit and webhook rules for recent supply chain attacks

  • New Wiz Webhook and Auth0 rules

  • Runbooks can render markdown in Panther UI

• When provisioning a new Cloud Connected Panther instance, the panther-cloud-connected-setup CLI tool now allows you to automatically provision DNS records to validate your certificates.

Bug Fixes

• Trying to upload data to a deleted enrichment will now return an error.

• The Enrichments page no longer shows an error if the “Manual Sync” import method is selected as a filter.

• Creating Enrichment log types and selectors auto-mapping is now only based on the indicators present in the primary key.

• Resolved an issue that would result in detections not having access to enrichment data.

• Enrichment schema updates now take effect immediately without requiring switching to a different schema and back.

• Parquet files from Teleport sources can now be ingested.

• Resolved an issue where queries would run on a schedule even after they had been deleted.

Deprecations

• Support for historical tables in the panther_lookups.public database stopped in this release. 

  • Tables like <lookupname>_XXX, <lookupname>_history_XXX, and <lookupname>_history stopped being populated and only the table containing the most up-to-date lookup data in <lookupname> will now be populated. 

  • If you were referencing these historical tables to know how a log event was enriched while being processed by detections, note that signals contain enrichment data.

• Panther removed UDM (or Core Field) functionality in this release.