New and Noteworthy

• Panther AI (including the navigation bar entry point, alert triage, AI risk scoring, and Search summarization) is now generally available, with the following feature enhancements in open beta:

  • Describe a search in natural language and Panther AI will generate a PantherFlow query.

  • Use the AI Detection Builder to create and modify detection rules using natural language prompts.

  • When Panther AI wants to perform a sensitive action, it now requires human approval before execution.

• Create GitHub pull requests directly from the Panther Console when editing or creating detections.

• Add filters to custom dashboards to drill down on certain fields across all visualizations.

• Manually dispatch alerts to configured destinations from an alert's details page.

• Set alert quality and add context tags to track resolution reasons and improve detection tuning.

• Ingest AWS NLB logs with Panther's new log source integration.

Enhancements

• Field discovery has been enabled for an additional 40+ Panther-managed log schemas.

  • To verify what schemas have field discovery enabled, you can view the Field Discover column on the Schemas page.

  • Note that additional schemas will be enabled on a rolling basis.

• Support for additional Zeek log types.

• Authenticate your Google Workspace integration using a Google Cloud service account.

• Panther AI enhancements:

  • Print AI responses to PDF and copy as Markdown.

  • Updated interface for the navigation bar entry point. 

  • Tool calls and auto-runs are now logged as Panther Audit logs.

• Additional resource information was added to Cloud Security Scanning.

• Custom enrichments using Scheduled Searches now generate system errors and display as unhealthy if they fail.

• Redesigned Alert Destinations page has improved filtering and a more intuitive user interface.

• The Google Pub/Sub integration has been optimized to support higher throughput.

• Enrichment auto-mapping now supports CIDR validation.

• The Overview page now loads faster with improved performance.

Schema Changes

• TargetProcessId added to Crowdstrike.FDREvent schema as the primary field for target process IDs.

• The following fields have been deprecated across all CrowdStrike schemas:

  • TreeId_decimal

  • ContextThreadId_decimal

  • ContextProcessId_decimal

  • ContextTimeStamp_decimal

• Azure.Audit durationMs field type changed from bigint to float.

• Azure.MonitorActivity has had additional parsing added to the time field to handle instances of timestamps being sent with nanoseconds.

• Sublime.MDM message_id field changed from bigint to string. The body and subject fields are no longer required.

Panther Developer Workflows

• Since the last Panther release, the panther-analysis repository has published versions 3.95.0–3.98.0, which include a number of new rules, such as:

  • Cloud ransomware detections for AWS, GCP, and Azure

  • React2Shell zero day detections for AWS, GCP, and Cloudflare

  • OpenAI detections

  • Azure.MonitorActivity rules based on MSFT and Elastic detections

• The Panther MCP server has released version 2.2.0, which focuses on infrastructure improvements, better defaults for metrics tools, and documentation for production deployments.

Bug Fixes

• Added Bedrock permissions for self-hosted customers.

• Fixed EventBridge sources documentation link and added an info message referencing log source documentation.

• Fixed EventBridge source update functionality.

• Fixed MongoDB puller pagination for users with a high number of projects.

• Fixed EventHub sources update flow.

• Fixed Enrichment schema updates for Databricks customers.

• Fixed UI link for syncing custom enrichment data from Google Cloud Storage (GCS) to point to Panther documentation.