v1.62

Now Generally Available

• Quickly construct, save, tag, and edit queries to search your data lake with the Query Builder in the Panther Console.
  • Use the Query Builder, catered to users without extensive SQL knowledge, to easily search your security data.
  • Query Builder is an effective alternative to using Data Explorer to perform common searches.
• Expanded editing capabilities for custom schemas and added the ability to archive unused schemas in the Panther Console. Use the archive feature to reduce schema clutter and prevent unintentionally selecting unused schemas.
• Onboard SentinelOne Cloud Funnel 2.0 logs with the SentinelOne log puller. Use this integration to monitor XDR and EDR data.

In Open Beta

• Added support for GitHub Enterprise Cloud audit log streaming.
• Onboard Bitwarden logs with the Bitwarden log puller. Use this integration to monitor events that occur in Bitwarden Teams or Enterprise organizations.
• Onboard SentinelOne API activity logs with the SentinelOne log puller. Use this integration to monitor SentinelOne activities.

Schema Changes

• A new indicator field, p_any_actor_ids, is now available for all schemas. It provides a Panther-managed field containing actor identifiers.

Enhancements

• In the Panther Console, the following enhancements have been made to Alert Details:
  • Custom enrichment is now aligned vertically for better readability.
  • Improved the handling of nested enrichment data.
• Bulk and individual downloads now wrap name and ID YAML fields in double quotes to better accommodate special characters in those fields.
  • panther-analysis YAML files have been updated to match this new format.
• The schema inference process now infers emails and MD5, SHA-1, and SHA-256 hashes.

Panther Developer Workflows

• Version 0.20.0 of panther_analysis_tool has been released, featuring the following updates:
  • Added a test to validate whether table names in queries match the pattern <string>.public.<string> or snowflake.account_usage.<string>. This validation can be disabled by supplying the --ignore-table-names argument.
  • Added a warning message that alerts when the running version of PAT is out of date and an update is available.

Bug Fixes

• Added validations for fields stored in p_any_domains to avoid storing ”.” values.
• Fixed a bug that caused the s3sns tool to block indefinitely in case of an error.
• Resolved various issues with Data Replay on the Edit Detections page.