New and Noteworthy

• Panther AI has been enhanced with the following new features:

  • Scheduled AI prompts let you automate recurring Panther AI queries on a schedule.

  • AI tools for cloud resources and cloud security scanning.

  • Provide personal context to Panther AI with personal AI preferences.

  • Support for file attachments to provide additional context.

  • MCP Integrations allow you to connect remote MCP servers to Panther AI, enabling it to invoke tools from third-party services—such as creating Jira issues, querying PagerDuty incidents, or searching Notion pages—directly from the Panther AI chat experience.

    • This feature is in closed beta. To request access to this feature, please contact your Panther support team.

• Ingest SOCRadar incidents with Panther's new log source integration.

• CloudWatch log sources now support retaining top-level envelope fields in a p_header field on each event.

• SQL custom enrichment tables can be defined as YAML and deployed via the Panther Analysis Tool (PAT).

Now Generally Available

• Two-way comment syncing between your Slack Bot alert destination and the alert in the Panther Console.

• Ingest XML logs in Panther (such as Windows logs) without custom conversion tools, using the XML stream type functionality.

• Configure your Scheduled Searches to send an email report each time they run.

• Re-ingest events that initially failed to classify in Panther with event reprocessing.

• Configure individual settings in the Profile Settings page in the Panther Console.

Enhancements

• Panther AI can now edit detection rules directly within a conversation.

• The default Panther AI model has been updated to Claude Sonnet 4.6.

• Conversational threads let you ask follow-up questions.

• Panther AI can now ask structured follow-up questions mid-conversation.

• Reduced HTTP log ingestion endpoint response times.

Panther Developer Workflows

• Since the last Panther release, the panther-analysis repository has published versions v3.99.0 - v 3.101.0, which include a number of changes, such as:

  • New rules for Proofpoint, GCP and Azure ransomware, Salesforce, Microsoft Entra ID, OpenAI.

  • Unified Kubernetes ruleset using local data models for EKS/GKE/AKS.

  • Caching rules converted to Unique Value Threshold.

  • 32 experimental rules promoted to stable status.

  • Lots of tuning based on customer feedback and research.

Schema Changes

• Improved hostname indicator extraction for Crowdstrike EventStreams logs.

• Added email indicator for the userPrincipalName field in the Azure.Audit schema.

• Added PARENT_QUERY_ID and ROOT_QUERY_ID fields to the Snowflake.AccessHistory schema.

• Zscaler.ZPA.UserActivity schema policy field type changed from bigint to string.

Bug Fixes

• Fixed an issue where the Atlassian puller could produce duplicate events.

• Fixed Google Workspace Vault application visibility so it appears in supported application lists only when the required Google Admin Vault privilege is present.

• Fixed a bug where empty timestamp fields in schemas with field discovery enabled would cause query errors.

• Fixed a bug where Salesforce Realtime log sources stopped ingesting data after an update.

• Fixed a bug where alert context was not being set on alerts delivered via manual alert delivery.

• Updated colors, text, and sizing issues in the new Panther Console UI.

  • Color contrast and text improvements in JSON viewer.

  • Updated timeline bar color.

Announcements

• AI conversations are only available in the new Panther Console UI.