v1.51
Jan 24, 2023
New and Noteworthy
- Quickly construct queries to search your data lake with the new Query Builder in the Panther Console, now available in open beta.
- Use our new visual query builder, catered to users without extensive SQL knowledge, to easily search your security data.
- Query Builder is an effective alternative to using Data Explorer to perform common searches.
- Access the Query Builder in the Console by logging in and navigating to Investigate > Query Builder.
- IPinfo data is now available to query in the data lake. Use our newly-added helper functions to enrich IP addresses in Data Explorer and construct Scheduled Queries.
- Added a schema for Cloudflare audit logs.
- Use this schema with our Cloudflare log source integration to normalize Cloudflare audit logs for use with Panther.
- The improved version of the Log Source overview page in the Panther Console is now available to all customers. This new version includes:
- A new Configuration tab with source and AWS account information.
- Additional overview stats for total data ingested and the percent of total data ingested compared to all log sources.
Enhancements
- Added the following enhancements to the Slack Bot Alert Destination:
- Added the applicable country flag and location information next to an IP Address after a user clicks “Show Alert Details.”
- Added threat intel information to Slack Bot alerts, when applicable.
- If the See Threat Intel button is present on an alert, one or more Summary Attributes associated with the alert (such as geographic location or ASN) can be analyzed for threat intelligence.
- Once the See Threat Intel button is clicked, a modal will prompt you to select a value to analyze.
- Slack Bot Boomerang questions and responses will now be captured in both the Slack Alert message thread as well as comments in the Panther Console within the Alert History.
- When inferring a schema from sample logs in the Panther Console, Panther will now attempt to infer multiple timestamp formats.
- strftime timestamps in Panther now support nanosecond granularity.
In Closed Beta
- Added several improvements to the more permissive Custom Schema editing beta.
- The code editor in the Console now tracks and highlights changes, including additions and deletions.
- Added a diff view option to the code editor.
- Added contextual links to the top of the code editor that display detections and queries that will be impacted by changes made to the schema.
Schema Changes
- The activityType and id fields are now required when using the SentinelOne API Activity log schema (SentinelOne.Activity).
Panther Developer Workflows
- Versions 0.19.0 and 0.19.1 of panther_analysis_tool have been released.
- Added a new --batch parameter that can be passed to upload commands. It splits an upload into multiple pieces, which prevents some timeout issues from occurring. Version 0.19.1 introduced improvements to this parameter.
- Read more on GitHub.
- Version 1.51.0 of panther-analysis has been released.
- Added new detections for Duo as well as other miscellaneous fixes and changes.
- Read more in the release notes on GitHub.
Other Changes
Panther periodically runs a set of queries against customer Snowflake accounts to determine the general system health of the data lake. These queries include:
- Checking each table's COPY_HISTORY for errors in file uploads to Snowflake via SNOWPIPE. This includes logs, rule matches, rule errors, and cloud security scan data.
- Ensuring that all SNOWPIPES for Panther data sources are in a running state, and that all external stages are in a good state.
These monitoring runs are performed approximately every three hours. Any errors detected in a monitoring run are sent to Panther’s internal ticketing system where they are triaged and remediated.
Prior to v1.51, the results of these monitoring sweeps were also written to the following tables in every customer's Snowflake account. As of v1.51, this has been discontinued.
PANTHER_MONITOR.PUBLIC.LOAD_HISTORY
PANTHER_MONITOR.PUBLIC.LOAD_MONITOR
PANTHER_MONITOR.PUBLIC.MONITOR
PANTHER_MONITOR.PUBLIC.MONITOR_HISTORY
PANTHER_MONITOR.PUBLIC.MONITOR_LOGS
PANTHER_MONITOR.PUBLIC.PIPE_HISTORY
PANTHER_MONITOR.PUBLIC.PIPE_MONITOR
PANTHER_MONITOR.PUBLIC.TABLE_HISTORY
These tables will be deleted in a future release, and should not be referenced in any saved or scheduled queries.
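The checks described above can be reproduced against your own account with standard Snowflake functions, which is useful now that the PANTHER_MONITOR tables are no longer populated. The following is an added example, not Panther's own monitoring queries; the database, table, pipe and stage names (PANTHER_LOGS.PUBLIC.AWS_CLOUDTRAIL, AWS_CLOUDTRAIL_PIPE, AWS_CLOUDTRAIL_STAGE) are assumptions to be replaced with the names in your account, and the three-hour window mirrors the cadence stated above.

```sql
-- Added example: reproduce the load-health sweep described above.
-- Object names below are assumptions; substitute your own Panther tables,
-- pipes and stages.

-- 1. Files that failed to load via Snowpipe into one table in the last
--    three hours. COPY_HISTORY is a table function scoped to a database's
--    INFORMATION_SCHEMA and retains 14 days of load history.
SELECT file_name,
       last_load_time,
       status,
       error_count,
       first_error_message,
       first_error_line_number
FROM TABLE(PANTHER_LOGS.INFORMATION_SCHEMA.COPY_HISTORY(
         TABLE_NAME => 'PUBLIC.AWS_CLOUDTRAIL',
         START_TIME => DATEADD(hour, -3, CURRENT_TIMESTAMP())))
WHERE error_count > 0
   OR status ILIKE 'load failed'
   OR status ILIKE 'partially loaded'
ORDER BY last_load_time DESC;

-- 2. The same sweep across every table at once, using the account-level
--    view. Requires the ACCOUNTADMIN role (or granted IMPORTED PRIVILEGES
--    on the SNOWFLAKE database) and can lag real time by up to two hours,
--    so it complements rather than replaces the per-table query above.
SELECT table_catalog_name,
       table_schema_name,
       table_name,
       pipe_name,
       file_name,
       last_load_time,
       status,
       error_count,
       first_error_message
FROM SNOWFLAKE.ACCOUNT_USAGE.COPY_HISTORY
WHERE last_load_time >= DATEADD(hour, -3, CURRENT_TIMESTAMP())
  AND table_catalog_name = 'PANTHER_LOGS'
  AND (error_count > 0 OR status ILIKE 'load failed' OR status ILIKE 'partially loaded')
ORDER BY last_load_time DESC;

-- 3. Pipe execution state. SYSTEM$PIPE_STATUS returns a JSON string;
--    executionState should be RUNNING. PAUSED, STALLED_* or a growing
--    pendingFileCount means ingestion has stopped for that source.
SELECT PARSE_JSON(SYSTEM$PIPE_STATUS('PANTHER_LOGS.PUBLIC.AWS_CLOUDTRAIL_PIPE')):executionState::STRING   AS execution_state,
       PARSE_JSON(SYSTEM$PIPE_STATUS('PANTHER_LOGS.PUBLIC.AWS_CLOUDTRAIL_PIPE')):pendingFileCount::NUMBER AS pending_files,
       PARSE_JSON(SYSTEM$PIPE_STATUS('PANTHER_LOGS.PUBLIC.AWS_CLOUDTRAIL_PIPE')):lastIngestedTimestamp::TIMESTAMP_TZ AS last_ingested;

-- 4. External stage health. DESCRIBE shows the bound storage integration
--    and location; LIST actually talks to S3 and fails if the integration,
--    IAM trust or bucket policy is broken, which is the practical check.
DESCRIBE STAGE PANTHER_LOGS.PUBLIC.AWS_CLOUDTRAIL_STAGE;
LIST @PANTHER_LOGS.PUBLIC.AWS_CLOUDTRAIL_STAGE PATTERN => '.*';
```

Queries 1 and 3 can be wrapped in a Panther Scheduled Query so that a non-empty result raises an alert; point such a query at these functions rather than at the PANTHER_MONITOR tables listed above, since those tables will be deleted.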
Bug Fixes
- Panther now supports S3 object keys that contain consecutive slash ('/') characters.
- Fixed a bug with SQS log sources that showed 0 bytes received and 0 events despite data being ingested.