v1.55
Feb 22, 2023
New and Noteworthy
- Added support for MAC address indicators. MAC addresses can now be used in Indicator Search directly or by pivoting from an alert’s details page.
  - Values that comply with IEEE 802 MAC-48, EUI-48, EUI-64, or are a 20-octet IP over InfiniBand link-layer address, are now added to p_any_mac_addresses.
  - The following Panther-managed schemas have been updated to extract MAC addresses:
    - AlphaSOC.Alert
    - Crowdstrike.DetectionSummary
    - Crowdstrike.ManagedAssets
    - Crowdstrike.NotManagedAssets
    - Crowdstrike.FDREvent
    - Juniper.Firewall
    - Suricata.DHCP
    - Zeek.DHCP
- Panther’s Data Transport integration with Google Cloud Pub/Sub is now generally available and no longer in open beta.
  - Use this integration to directly pull log data from Pub/Sub topics.
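As an added illustration, not Panther's own code, of the extraction behaviour the MAC indicator note describes: only runs of 6, 8 or 20 octets (MAC-48/EUI-48, EUI-64, IP over InfiniBand) are kept and normalized into a p_any_mac_addresses-style list, and a Panther-style rule() then checks those values against a watchlist. The regex, the separator handling, the watchlist and the sample event are all assumptions constructed here; they are not Panther's implementation.

```python
import re
from typing import Iterator, List, Optional

# Octet counts the notes list: MAC-48/EUI-48 (6), EUI-64 (8), IPoIB link-layer (20).
ACCEPTED_OCTET_COUNTS = {6, 8, 20}
# 6..20 colon/hyphen-separated hex octets not glued to other hex digits (so IPv6 groups don't match).
_MAC_RE = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}[:-]){5,19}[0-9A-Fa-f]{2}(?![0-9A-Fa-f])")

def normalize_mac(candidate: str) -> Optional[str]:
    """Canonical lowercase colon form, or None for an unsupported octet count."""
    octets = re.split(r"[:-]", candidate)
    if len(octets) not in ACCEPTED_OCTET_COUNTS:
        return None  # e.g. a 7-octet run is not a defined link-layer length
    return ":".join(o.lower() for o in octets)

def _string_values(obj) -> Iterator[str]:
    """Yield every string leaf of a possibly nested event."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _string_values(v)
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            yield from _string_values(v)

def extract_mac_addresses(event: dict) -> List[str]:
    """Deduplicated, sorted MAC-like indicators found anywhere in the event."""
    found = set()
    for text in _string_values(event):
        for match in _MAC_RE.finditer(text):
            norm = normalize_mac(match.group(0))
            if norm:
                found.add(norm)
    return sorted(found)

MAC_WATCHLIST = frozenset({"00:1a:2b:3c:4d:5e"})  # constructed indicator list
SAMPLE_EVENT = {  # constructed DHCP-like event, not a real log record
    "ts": "2023-02-22T10:15:30Z",
    "client_mac": "AA-BB-CC-DD-EE-FF",
    "message": "lease 10.0.0.42 to 00:1a:2b:3c:4d:5e; ipoib "
               "80:00:02:08:fe:80:00:00:00:00:00:00:00:02:c9:03:00:0a:1b:2c",
    "odd": "00:11:22:33:44:55:66",  # 7 octets: dropped by normalize_mac
}

def rule(event: dict) -> bool:
    """Panther-style rule body: alert when an extracted MAC is on the watchlist."""
    macs = event.get("p_any_mac_addresses") or extract_mac_addresses(event)
    return bool(MAC_WATCHLIST.intersection(macs))
```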
Schema Changes
- Added several fields to the Cloudflare.HttpRequest and Cloudflare.Firewall schemas.
- Adjustments were also made to Cloudflare schemas to accommodate changes announced by Cloudflare that will result in some fields being renamed or deprecated.
- Added several fields to the Gravitational.TeleportAudit schema.
Enhancements
- Schema inference has been enhanced to infer 14 date formats whether using inference in the Panther Console or pantherlog.
- In the “Data” dashboard tab in the Panther Console, latency values in the “Average Data Latency by Log Type” visualization now display single decimal values.
- Sentinel One CloudFunnel 1.0 log source has been deprecated and replaced with the Cloud Funnel 2.0 source.
- The Query Builder form is now manually collapsible to allow for more vertical space for query results.
- Fuzzy matching in Query Builder for LIKE operators now supports regular wildcards like *. Previously, only Snowflake-specific wildcards like % and _ were supported.
- Updated operator logic to gracefully handle rule filter fields that are None, so that Panther does not add any implicit logic on top of the operator.
Panther Developer Workflows
- Version 2.1.0 of panther-analysis has been released, featuring new detections for Asana and GitHub as well as an expansion to IPinfo enrichment.
- Version 0.19.17 of panther_analysis_tool has been released, featuring a new option, --sort-test-results. With this option, results for all passing tests are printed first, followed by results for failing tests.
Bug Fixes
- The ListUsers API is now able to return SSO users without email addresses.
- Fixed an issue during role creation that redirected the user to resolve validation errors.
- Sorting by “Time Open” in visualizations now sorts by actual time instead of raw string values.
- In the “Data” dashboard tab, the “Total Value Ingested” visualization now returns consistent results.
- Fixed ALB classification errors by adding support for the grpcs type.