Jun 22, 2023

New and Noteworthy

  • Added the ability to create, read, update, and delete S3 log sources via the Panther API. This new feature makes it easier to manage large numbers of S3 log sources or infrastructure-as-code. This feature is available to all customers in open beta.

In Open Beta

  • Onboard Netskope audit logs with the new Netskope log puller. Use this integration to monitor events within your Netskope instance.

In Closed Beta

  • Test out Panther’s streamlined detection editor in the Panther Console.
    • Consolidated the view and edit functionality into a single pane on a Detection page, enabling users to tune detections more quickly. The Alert Settings and Test sections have also been incorporated into the page. 
    • Alert settings under “Set Alert Fields” now include the Alert Severity and Framework Mapping.
    • Added a persistent header with access to additional information, including MITRE ATT&CK details and a change log.
    • To participate in this closed beta, contact your Panther representative.
  • Manage Panther roles with the new Okta System for Cross-domain Identity Management (SCIM) integration. This feature allows you to automatically manage roles, update profiles, and activate or deactivate users through Okta.
    • To participate in this closed beta, contact your Panther representative.
  • You can now select databases and tables when using Indicator Search in the Panther Console. This can dramatically speed up searches when using parameters to narrow a search query.
    • To participate in this closed beta, contact your Panther representative.
  • Added the ability to enable user profiles for Google Workspace logs. This allows you to pull user profiles into Panther-managed Lookup Tables and set the refresh period for retrieving profile updates.

Schema Changes

  • Azure.SignIn now supports the following logs from the Azure Active Directory:
    • NonInteractiveUserSignInLogs
    • ServicePrincipalSignInLogs
    • ManagedIdentitySignInLogs


  • In the Panther Console, when onboarding or editing a log source, the number of steps in the process has been reduced and the navigation has been moved to the top of the page for ease of use.
  • You can now upload SAML metadata files directly through the Panther Console. In previous versions of Panther, you were required to provide an identity provider URL.
  • The processing limit for SQS Source Data Transports, previously 1 MiB/second, has been removed.

Panther Developer Workflows

  • Versions 3.8.0, 3.8.1, 3.8.2, and 3.8.3 of panther-analysis have been released, featuring the following updates:
    • Added new detections for Auth0, CrowdStrike, GCP, GitHub, and Tines.
    • Added a new rule, GitHub.Org.Moderators.Add, to the GitHub Detection Pack.
    • Various bug fixes.