Jan 24, 2023

New and Noteworthy

  • Quickly construct queries to search your data lake with the new Query Builder in the Panther Console, now available in open beta.
    • Use our new visual query builder, catered to users without extensive SQL knowledge, to easily search your security data.
    • Query Builder is an effective alternative to using Data Explorer to perform common searches.
    • Access the Query Builder in the Console by logging in and navigating to Investigate > Query Builder.
  • IPinfo data is now available to query in the data lake. Use our newly added helper functions to enrich IP addresses in Data Explorer and construct Scheduled Queries.
  • Added a schema for Cloudflare audit logs.
  • The improved version of the Log Source overview page in the Panther Console is now available to all customers. This new version includes:
    • A new Configuration tab with source and AWS account information.
    • Additional overview stats for total data ingested and the percent of total data ingested compared to all log sources.


  • Added the following enhancements to the Slack Bot Alert Destination:
    • Added the applicable country flag and location information next to an IP Address after a user clicks “Show Alert Details.”
    • Added threat intel information to Slack Bot alerts, when applicable.
      • If the See Threat Intel button is present on an alert, one or more Summary Attributes associated with the alert (such as geographic location or ASN) can be analyzed for threat intelligence.
      • Once the See Threat Intel button is clicked, a modal will prompt you to select a value to analyze.
    • Slack Bot Boomerang questions and responses will now be captured both in the Slack Alert message thread and as comments in the Panther Console within the Alert History.
  • When inferring a schema from sample logs in the Panther Console, Panther will now attempt to infer multiple timestamp formats.
  • strftime timestamps in Panther now support nanosecond granularity.

In Closed Beta

  • Added several improvements to the more permissive Custom Schema editing beta.
    • The code editor in the Console now tracks and highlights changes, including additions and deletions.
    • Added a diff view option to the code editor.
    • Added contextual links to the top of the code editor that display detections and queries that will be impacted by changes made to the schema.

Schema Changes

Panther Developer Workflows

Other Changes

Panther periodically runs a set of queries against customer Snowflake accounts to determine the general system health of the data lake. These queries include:

  • Checking each table’s COPY_HISTORY for errors in file uploads to Snowflake via SNOWPIPE. This includes logs, rule matches, rule errors, and cloud security scan data.
  • Ensuring that all SNOWPIPES for Panther data sources are in a running state, and all external stages are in a good state.

These monitoring runs are performed approximately every three hours. Any errors detected in a monitoring run are sent to Panther’s internal ticketing system where they are triaged and remediated.

Prior to v1.51, the results of these monitoring sweeps were also written to the following tables in every customer’s Snowflake account. As of v1.51, this has been discontinued.


These tables will be deleted in a future release, and should not be referenced in any saved or scheduled queries.

Bug Fixes

  • Panther now supports S3 Object Keys with duplicate slash ‘/’ characters.
  • Fixed a bug with SQS log sources that showed 0 bytes received and 0 events despite data being ingested.

Previous Releases

v1.50 Jan 10, 2023
Pull AWS Transit Gateway Flow logs with Panther’s new AWS Transit Gateway Flow log puller.
v1.49 Dec 13, 2022
Panther’s Slack Bot, an alert destination that allows you to interact with alerts directly in Slack, is now available in open beta to all customers.
v1.48 Nov 29, 2022
Updated the Panther Console UI with improved contextual information to help users understand where they are at a glance.