v1.52

New and Noteworthy

• Expanded editing capabilities for custom schemas in the Panther Console. You can now rename and delete fields, as well as edit a field’s type property.
  • See additions, edits, and subtractions via the visual code editor and roll back changes if needed. 
  • The editor will also provide information about detections and saved queries that are impacted by changes you make to a schema.
  • This feature is now available to all Panther customers in open beta.
• Panther’s Slack Bot Alert Destination now supports multiple channels.
  • You can use the same secrets and tokens to add multiple destinations to the same Slack Bot integration in your Slack Workspace. 
• Simplified using CrowdStrike logs with Panther by associating all Crowdstrike Falcon Data Replicator events with a new, single schema: CrowdStrike.FDREvent.
  • By default, newly set up CrowdStrike log sources and S3 sources ingesting CrowdStrike data will use this schema. 
  • Previously configured schemas for CrowdStrike will continue to function as initially set up. If you want to transition to the new CrowdStrike schema, please let us know and we will assist you with the necessary changes.
• Panther’s SentinelOne Cloud Funnel 2.0 log puller is now available to all customers in open beta. 
• Revamped and improved the Alert Details page for individual alerts in the Panther Console.
  • Added enrichment information for alert events. This includes custom lookup table enrichment as well as information available from our integration with GreyNoise.
  • For JIRA, Asana, and Slack Bot Alert Destinations, the Alert Detail page will now provide a link to the Alert in the corresponding external system.

In Closed Beta

• Added support for GitHub Enterprise Cloud audit log streaming.
• Added support for Bitwarden as a log source. Use this integration to monitor events that occur in Bitwarden Teams or Enterprise organizations. 

If you would like to participate in the closed beta for either of these features, please let Panther support or your Panther account representative know.

Enhancements

• Added the option to render all times in the Panther Console in UTC. This toggle is located in the General settings menu on the Main Information tab.
• Added stream type selection when inferring a schema from a sample log on the schema creation page.
• Improved handling when a nonexistent user is assigned to an Alert using the Panther API.
  • When attempting to assign an error to a user that does not exist, the endpoint will now respond with a 4xx error indicating that the user does not exist and the current assignee for the alert will not change.
• Panther now generates audit logs in the Panther Console for actions taken within a Slack Bot alert. This includes:
  • When a user sets the assignee or status on an alert.
  • When a user clicks Show Alert Details on an alert.
  • When a user changes the alert status to Resolved or Invalid, enters a comment, then clicks Submit.
• Query Builder and Data Explorer now display the result count when a query is successfully executed.
• The event time recorded for AWS.Config logs is now the time that the snapshot was created, instead of ConfigurationItemCaptureTime.
• The IsPublic attribute is now available on the S3 bucket model in Panther.

Panther Developer Workflows

• Versions 1.52.0 and 1.53.0 of panther-analysis have been released.
  • Added new detections, IPinfo Lookup Tables, as well as other miscellaneous fixes and changes.
  • Read more in the release notes on GitHub.

Bug Fixes

• Improved text length guards for content sent to Slack Bot alert destinations.
• Reduced the likelihood of alert delivery retries by recording some delivery information asynchronously.