v1.55 (latest release)
Feb 22, 2023
New and Noteworthy
Added support for MAC address indicators. MAC addresses can now be used in Indicator Search directly or by pivoting from an alert’s details page.
Values that comply with IEEE 802 MAC-48, EUI-48, or EUI-64, or that are 20-octet IP-over-InfiniBand link-layer addresses, are now added to p_any_mac_addresses. The following Panther-managed schemas have been updated to extract MAC addresses:
AlphaSOC.Alert
Crowdstrike.DetectionSummary
Crowdstrike.ManagedAssets
Crowdstrike.NotManagedAssets
Crowdstrike.FDREvent
Juniper.Firewall
Suricata.DHCP
Zeek.DHCP
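As an added illustration of the address families listed above (this is example code written for this page, not Panther's own extraction logic, and the event, field names and watchlist are constructed), the helper below recognises the three textual shapes, canonicalises them so that equal addresses compare equal, and populates a p_any_mac_addresses-style list that a rule can then match against. It goes slightly beyond the note by also accepting the Cisco dotted form for 48-bit addresses.

```python
import re
from typing import Dict, List, Optional

# Example code added for illustration; it is not Panther's extraction logic.
# It mirrors the families the release note lists: MAC-48/EUI-48 (6 octets),
# EUI-64 (8 octets) and the 20-octet IP-over-InfiniBand link-layer address.
_FAMILY_BY_OCTETS = {6: "MAC-48/EUI-48", 8: "EUI-64", 20: "IPoIB"}
_HEX2 = re.compile(r"[0-9A-Fa-f]{2}")
_CISCO_DOTTED = re.compile(r"[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2}")


def _octets(value: str) -> Optional[List[str]]:
    """Split a textual address into lowercase two-hex-digit octets.

    Accepts colon- or hyphen-separated octets (one separator style per value)
    and the Cisco dotted form for 48-bit addresses. Separator-free hex is
    deliberately rejected: a bare 40-hex-digit IPoIB address would be
    indistinguishable from a SHA-1 hash, which appears far more often in logs.
    """
    text = value.strip()
    if _CISCO_DOTTED.fullmatch(text):
        digits = text.replace(".", "")
        return [digits[i:i + 2].lower() for i in range(0, len(digits), 2)]
    for sep in (":", "-"):
        parts = text.split(sep)
        if len(parts) > 1 and all(_HEX2.fullmatch(p) for p in parts):
            return [p.lower() for p in parts]
    return None


def classify_mac(value: str) -> Optional[str]:
    """Return the address family for a well-formed value, or None if it is not one."""
    octets = _octets(value)
    if octets is None:
        return None
    return _FAMILY_BY_OCTETS.get(len(octets))


def normalize_mac(value: str) -> Optional[str]:
    """Canonical lowercase colon-separated form, so equal addresses compare equal."""
    if classify_mac(value) is None:
        return None
    return ":".join(_octets(value))


def extract_mac_addresses(event: Dict[str, object], fields: List[str]) -> List[str]:
    """Populate a p_any_mac_addresses-style list from the named event fields.

    Values that are not well-formed addresses are skipped rather than raising,
    since schema fields are frequently empty or hold free text.
    """
    found = set()
    for field in fields:
        raw = event.get(field)
        if isinstance(raw, str):
            normalized = normalize_mac(raw)
            if normalized:
                found.add(normalized)
    return sorted(found)


# Constructed sample event in the shape of a DHCP-style log, not a real record.
SAMPLE_EVENT = {
    "client_mac": "00-1A-2B-3C-4D-5E",
    "server_mac": "001a.2b3c.4d5f",
    "client_duid": "02:1a:2b:ff:fe:3c:4d:5e",
    "ib_hw_addr": "80:00:00:48:fe:80:00:00:00:00:00:00:00:02:c9:03:00:1d:57:11",
    "hostname": "printer-07",
    "file_sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
}
MAC_FIELDS = ["client_mac", "server_mac", "client_duid", "ib_hw_addr", "hostname", "file_sha1"]

# Constructed watchlist; in a real rule this would come from a lookup table.
WATCHLISTED_MACS = {"00:1a:2b:3c:4d:5e"}


def rule(event: Dict[str, object]) -> bool:
    """Panther-style rule body: fire when any extracted MAC is on the watchlist."""
    macs = event.get("p_any_mac_addresses") or []
    return any(mac in WATCHLISTED_MACS for mac in macs)


if __name__ == "__main__":
    enriched = dict(SAMPLE_EVENT, p_any_mac_addresses=extract_mac_addresses(SAMPLE_EVENT, MAC_FIELDS))
    print(enriched["p_any_mac_addresses"])
    print("alert" if rule(enriched) else "no alert")
```

The normalisation step matters for indicator search: the same interface can be logged as `00-1A-2B-3C-4D-5E` by one source and `001a.2b3c.4d5e` by another, and only a canonical form lets a pivot from one alert find the other.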
Panther’s Data Transport integration with Google Cloud Pub/Sub is now generally available and no longer in open beta.
Use this integration to directly pull log data from Pub/Sub topics.
Schema Changes
Added several fields to the Cloudflare.HttpRequest and Cloudflare.Firewall schemas.
Adjustments were also made to Cloudflare schemas to accommodate changes announced by Cloudflare that will result in some fields being renamed or deprecated.
Added several fields to the Gravitational.TeleportAudit schema.
Enhancements
Schema inference has been enhanced to infer 14 date formats whether using inference in the Panther Console or pantherlog.
In the “Data” dashboard tab in the Panther Console, latency values in the “Average Data Latency by Log Type” visualization now display single decimal values.
The SentinelOne Cloud Funnel 1.0 log source has been deprecated and replaced with the Cloud Funnel 2.0 source.
The Query Builder form is now manually collapsible to allow for more vertical space for query results.
Fuzzy matching in Query Builder for LIKE operators now supports regular wildcards such as *. Previously, only Snowflake-specific wildcards such as % and _ were supported.
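To make the wildcard change concrete, here is an added example (not Panther's Query Builder code; the table, rows and function names are constructed) of translating a * glob into a LIKE pattern and running it as a bound parameter. It goes a little beyond the note by also translating ? to _ and by offering a literal mode that escapes % and _, which shows why the two wildcard families can widen a match in different ways. SQLite stands in for Snowflake here so the block runs offline; note that SQLite's LIKE is case-insensitive for ASCII while Snowflake's is case-sensitive.

```python
import sqlite3
from typing import List, Sequence, Tuple


def glob_to_like(pattern: str, keep_sql_wildcards: bool = True) -> str:
    """Translate a shell-style glob ('*', '?') into a SQL LIKE pattern.

    With keep_sql_wildcards=True (the behaviour the release note describes:
    both '*' and the SQL wildcards work) '%' and '_' pass through unchanged.
    With it False, '%', '_' and '\\' are escaped so they only match themselves.
    """
    out = []
    for ch in pattern:
        if ch == "*":
            out.append("%")
        elif ch == "?":
            out.append("_")
        elif not keep_sql_wildcards and ch in "\\%_":
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


# Constructed rows standing in for a handful of HTTP request log entries.
SAMPLE_ROWS: Sequence[Tuple[str, str]] = [
    ("10.0.0.5", "/api/v1/users"),
    ("10.0.0.7", "/api/v2/users_export"),
    ("10.0.0.9", "/static/50%_off.png"),
    ("10.0.0.11", "/static/500-off.png"),
]


def search_paths(rows: Sequence[Tuple[str, str]], glob: str,
                 keep_sql_wildcards: bool = True) -> List[str]:
    """Run the translated glob as a bound LIKE parameter against an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE http_request (src_ip TEXT, path TEXT)")
    conn.executemany("INSERT INTO http_request VALUES (?, ?)", rows)
    like = glob_to_like(glob, keep_sql_wildcards)
    # The pattern is bound, never interpolated, so a crafted glob cannot alter the statement.
    cur = conn.execute(
        "SELECT path FROM http_request WHERE path LIKE ? ESCAPE '\\' ORDER BY path",
        (like,),
    )
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    print(search_paths(SAMPLE_ROWS, "/api/*/users*"))
    # '%' and '_' in the glob act as wildcards by default, so this also hits 500-off.png
    print(search_paths(SAMPLE_ROWS, "/static/50%_off.png"))
    # In literal mode only the exact file name matches
    print(search_paths(SAMPLE_ROWS, "/static/50%_off.png", keep_sql_wildcards=False))
```

The last two calls are the practical point: a path that happens to contain % or _ silently matches more rows than intended unless those characters are escaped, so an analyst pasting a literal value into a LIKE search should know which characters the builder treats as wildcards.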
Updated operator logic to gracefully handle rule filter fields that are None, so that Panther does not add any implicit logic on top of the operator.
Panther Developer Workflows
Version 2.1.0 of panther-analysis has been released, featuring new detections for Asana and GitHub as well as an expansion to IPinfo enrichment.
Version 0.19.17 of panther_analysis_tool has been released, featuring a new option, --sort-test-results. With this option, results for all passing tests are printed first, followed by results for failing tests.
Bug Fixes
The ListUsers API is now able to return SSO users without email addresses.
Fixed an issue during role creation that redirected the user to resolve validation errors.
Sorting by “Time Open” in visualizations now sorts by actual time instead of raw string values.
In the “Data” dashboard tab, the “Total Value Ingested” visualization now returns consistent results.
Fixed ALB classification errors by adding support for the grpcs type.