Sep 6, 2022

New and Noteworthy

  • The Panther Console navigation has been redesigned to improve the user experience and streamline workflows.
    • Various visual enhancements have been made, and the navigation menus have been updated to appear as follows:
      • Dashboard
      • Alerts
      • Investigate
      • Build
      • Configure
    • Additionally, the Settings, Help, and User menus have moved to the top right-hand corner of the Panther Console. Watch a video tour of the Console with the new UI here.


  • Pull MongoDB Atlas logs with Panther’s new MongoDB Atlas log puller. 
    • With this puller, you can authenticate Panther in MongoDB and pull data directly from MongoDB Atlas’s Administration API.
  • The option to make LIMIT clauses required for scheduled queries has been added.
    • Enabling this setting prevents creating new scheduled queries without LIMIT clauses, and checks existing scheduled queries for LIMIT clauses.
    • This setting is located under Settings > General > Data Lake.

Now Generally Available

Schema Changes

  • Four fields in CrowdStrike’s ProcessRollup2 and SyntheticProcessRollup2 schemas have been changed from int to string. We recommend that you verify the impact on any custom detections built using the affected fields:
    • TargetProcessId
    • SourceProcessId
    • SourceThreadId
    • ParentProcessId
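
One way to run the check recommended above, as an added example (not Panther's or panther-analysis code): a static scan of detection source for places where one of the four fields meets an integer literal. The access forms `event.get("...")` and `event["..."]`, the function names, and the sample rule are assumptions constructed for illustration.

```python
import ast

# Fields the release note lists as changed from int to string.
AFFECTED = {"TargetProcessId", "SourceProcessId",
            "SourceThreadId", "ParentProcessId"}

# Constructed sample detection, not taken from any real rule pack.
SAMPLE_RULE = '''
def rule(event):
    if event.get("ParentProcessId") == 0:
        return False
    if event["SourceThreadId"] in (1, 2):
        return True
    return event.get("TargetProcessId") == event.get("SourceProcessId")
'''

def _field_name(node):
    """Return the affected field read by event.get("X") or event["X"], else None."""
    key = None
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "get" and node.args):
        key = node.args[0]
    elif isinstance(node, ast.Subscript):
        key = node.slice  # Python 3.9+: the slice is the expression itself
    if isinstance(key, ast.Constant) and key.value in AFFECTED:
        return key.value
    return None

def _has_int(node):
    """True for an int literal or a list/tuple/set literal containing one."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, int) and not isinstance(node.value, bool)
    if isinstance(node, (ast.List, ast.Tuple, ast.Set)):
        return any(_has_int(e) for e in node.elts)
    return False

def find_int_assumptions(source):
    """Return sorted (line, field) pairs where an affected field meets an int literal.
    After the change, `field == 0` is silently False and `field > 4` raises TypeError."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Compare):
            operands = [node.left, *node.comparators]
        elif isinstance(node, ast.BinOp):
            operands = [node.left, node.right]
        else:
            continue
        fields = [f for f in map(_field_name, operands) if f]
        if fields and any(_has_int(o) for o in operands):
            hits.update((node.lineno, f) for f in fields)
    return sorted(hits)
```

Field-to-field comparisons and values already wrapped in `int(...)` are not reported, since neither depends on the stored type being an integer.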


  • The log source onboarding page has been updated to improve its usability. The following enhancements have been made:
    • Log cards now expand to display more details when clicked instead of opening a new page.
    • Custom Onboarding has been moved to the top of the page.
    • A search filter for supported logs has been added.
  • Detection match rates for Data Replay are now updated live in the Panther Console to provide better transparency into when a detection may trigger a large volume of alerts.
  • A new field, “origin”, has been added to Panther API alerts. It returns a limited set of information about the detection or system error that triggered the related alert.
  • Panther now sends alerts from a known static IP address. This allows customers to configure destinations to accept connections from this IP address.
    • Locate the address, listed as Gateway Public IP, in the Panther Console by navigating to Settings > General and scrolling to the bottom of the page.
  • Panther’s CloudFormation deployment parameters have been updated.

Panther Developer Workflows

  • panther-analysis has been updated to v1.34.0, which includes the following enhancements:
    • Queries, rules, and policies have been reorganized into top-level directories.
    • To standardize code style, the Python code formatter Black has been incorporated into panther-analysis.
    • Fixed a bug that incorrectly mapped users and roles in the GCP Data Model.

Bug Fixes

  • Fixed a bug that displayed the wrong error message in the Data Explorer when using an invalid SQL query.
  • Fixed a bug that caused the Zendesk OAuth health check to fail even when working correctly, resulting in false alarms.
  • Fixed a bug that caused Zstd decompression to fail under certain circumstances.

Previous Releases

v1.41 Aug 23, 2022
In closed beta: assign role-based access control (RBAC) per log type in the Data Explorer.
v1.40 Aug 9, 2022
New schemas added for AWS, GCP, Suricata, and Zeek.
v1.39 Jul 27, 2022
Pull Dropbox Event Logs with Panther’s new Dropbox log puller. Monitor Dropbox team events like user login to Dropbox (including device info), creating and sharing links with your team, and more.