Panther Labs Panther Versions

[DEPRECATED] Detect threats with log data and improve cloud security posture

v1.16.0

3 years ago

Major Highlights

  • (Enterprise) Scheduled Rules: Users can now schedule SQL queries to run against historical data and generate alerts. This enables correlations across data types, windowed based analysis, and more. Learn more here.
  • (Enterprise) Query History: Users can view their query execution history and rerun past queries in the Panther user interface. Learn more here.
  • Detection Packs: Users can now view, enable, and update "packs" of high-value Panther-managed detections to simplify detection management. Learn more here.

Enhancements:

  • Configurable Cloud Scanning: Users can now configure Cloud Security sources to exclude specific regions and/or resource types from being scanned.
  • (Enterprise) Support for Non-Enterprise, Paid Slack Plans: Users with non-Enterprise, Paid Slack plans can now onboard Integration and Access logs through the Slack log puller. Read more here.
  • Alert Route by Type in Destination Page: Users can now map default destinations for either Rule or Policy Detections.
  • Unified Detections Page: Writing and searching Rules, Policies, and now, Scheduled Rules, have been consolidated into a new top-level Detections page.
  • Unified Alerts Page: Similar to the change above, all generated alerts for these new detection types have been placed into a new, top-level alerts page that displays all alert types.
  • Added health check for S3 sources: the health check is only available for sources created on Panther 1.16.0 or higher, because it needs an extra S3 permission (s3:ListBucket). That permission is included in the CloudFormation template provided for an S3 source in this Panther version. (Note: users who onboarded S3 as a log source prior to 1.16 will have to delete and re-create the log source.)
  • Reduced Cloud Security page load times: for accounts with either large numbers of resources or high resource churn, we've improved Cloud Security resources page load times by reducing the TTL of deleted resources in Dynamo and implementing more efficient table querying.

Bug Fixes

  • VPC Flow Logs parser outputs invalid data: this fixes reports of invalid account IDs appearing in VPC Flow Logs data.
  • Cloud Security scanner only handles some rate limit errors: the Cloud Security scanner now has the logic needed to handle more rate-limiting errors.
  • Panther fails for 0 size files: Panther log processor will no longer fail if it encounters a 0-size file in S3.

Upgrade Notes

Before upgrading to 1.16.0:

  • Panther customers using Snowflake backends need to re-run the database creation and grants commands, steps 3 and 4 here. This grants access to the Audit database which is provided by Snowflake to each customer. The new grants provide Panther with the ability to access and monitor login, grants, query, and unload commands within the Snowflake platform.

v1.15.3

3 years ago

Bug Fixes

  • Fixes an issue which adds new fields to GCP Audit logs.
  • Fixes an issue to handle RegionIgnoreList errors better.

See https://github.com/panther-labs/panther/releases/tag/v1.15.0 for the full release notes and migration information

v1.15.2

3 years ago

Bug Fixes

  • Fixes an issue in the sources-api which prevented some upgrades from completing normally
  • Fixes an issue with multi region scans
  • Fixes an issue where Alerts older than 30 days would fail to serialize properly (and load in the UI) when configured with Snowflake

See https://github.com/panther-labs/panther/releases/tag/v1.15.0 for the full release notes and migration information

v1.15.1

3 years ago

Important

This release has been removed from publication; please use 1.15.2 instead.

Bug Fixes

  • Fixed enabled and ignore list options when onboarding a cloud security source. These are currently "hidden" backend settings that aren't yet shown in the UI, so most users do not need this patch

See https://github.com/panther-labs/panther/releases/tag/v1.15.0 for the full release notes and migration information

v1.15.0

3 years ago

Important

This release has been removed from publication; please use 1.15.2 instead.

Highlights

  • Create and maintain universal data models in the UI that can be referenced when writing new rules and policies in the Python editor
  • Manage, update, and delete custom log schemas in Panther
    • Custom log schema generation script: analyzes custom schema logs and produces a suggested YML structure that can be reviewed, edited, and saved
  • Improved S3 onboarding: specify multiple prefix log types mapping per onboarded s3 source
  • Policy-based alerts: See alerts generated by failed cloud security policies
  • Dynamic alert fields: Dynamically set the severity of an alert, so that alerts on critical and production resources can be routed to monitored Slack channels or kick off related workflows
  • Added support for new log types: AWS VPC DNS
  • [Enterprise only] Snowflake Health Monitoring: Add basic file-level load validation in Snowflake to check if staged files are actually making it into Snowflake or not
  • [Enterprise only] Autodetect in Indicator Search: A new field option in Indicator Search called “Autodetect Type” that automatically detects the type of field entered into the Indicator Search
  • [Enterprise only] Duo log puller
  • [Enterprise only] Store Cloud Security Resource History in Data Lake: resource history is now stored in the data lake alongside the processed logs to make resources queryable by Data Explorer

Warnings

If you are hosting your own deployment of Panther, there is a very important step to take before upgrading to avoid an upgrade failure. You need to manually check the panther-source-integrations table in DynamoDB and remove any entries that don't have the integrationType field defined. This has been fixed in v1.15.2.

Events in Python rules are now immutable: modifying an event inside a policy or rule will raise a Python exception.
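As an added illustration, not code from the Panther project, of the dynamic severity highlight and the immutable-event warning above: a rule module that derives severity from resource tags without writing to the event, plus a small harness that emulates the engine by wrapping a constructed event in a read-only mapping. The rule(event) and severity(event) hook names and the event layout are assumptions made for this example.

```python
from types import MappingProxyType

# Constructed sample event (not from the page): a CloudTrail-style record
# carrying tags that mark the affected resource as production/critical.
SAMPLE_EVENT = {
    "eventName": "PutBucketPolicy",
    "sourceIPAddress": "203.0.113.10",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy"},
    "resourceTags": {"env": "production", "tier": "critical"},
}


def rule(event):
    # Assumed hook name. Detections only need read access; the event is never modified.
    return event.get("eventName") == "PutBucketPolicy"


def severity(event):
    # Assumed hook name: returns the alert severity as a string so alerts on
    # production/critical resources can be routed to a higher-priority destination.
    tags = event.get("resourceTags", {})
    if tags.get("env") == "production" and tags.get("tier") == "critical":
        return "CRITICAL"
    if tags.get("env") == "production":
        return "HIGH"
    return "MEDIUM"


def enrich(event):
    # Safe pattern under immutable events: copy first, then add derived fields.
    enriched = dict(event)
    enriched["actor"] = event["userIdentity"]["arn"]
    return enriched


def mutating_rule(event):
    # Anti-pattern the warning describes: writing into the event itself.
    event["seen"] = True
    return True


def run_detection(raw_event):
    # Emulates the engine: a (shallow) read-only proxy makes item assignment raise TypeError.
    event = MappingProxyType(raw_event)
    matched = rule(event)
    try:
        mutating_rule(event)
        mutation_raised = False
    except TypeError:
        mutation_raised = True
    return {"matched": matched, "severity": severity(event) if matched else None,
            "actor": enrich(event)["actor"], "mutation_raised": mutation_raised}
```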

Migration Notes

Before upgrading to 1.15.0:

  1. The deployment role needs to be updated first if you use it
  2. Panther customers using Snowflake backends need to re-run the database creation and grants commands, steps 3 and 4 here

v1.14.3

3 years ago

Bug Fixes

  • [Enterprise] SSO logins are redirected to the original Panther page request
  • [Enterprise] Snowflake array types are now supported in the JSON data explorer view
  • [Enterprise] Fix edge case pulling GSuite logs
  • [Enterprise] Restore Parquet support for empty maps/arrays
  • Empty [] array values in Umbrella.DNS logs are now handled correctly

Security Fixes

  • Update base image in web assets server from node:13.2-alpine to node:14.15-alpine, which resolves an SSL vulnerability

v1.14.2

3 years ago

Bug Fixes

  • Alert text search now works as expected

Migration Notes

See v1.14.0

v1.14.1

3 years ago

Bug Fixes

  • [Enterprise] Indicator search now generates the correct SQL statement for Snowflake

Migration Notes

See v1.14.0

v1.14.0

3 years ago

Highlights

  • [Enterprise] Add a timeline chart to the indicator search
  • [Enterprise] Data Explorer can now view results as JSON
  • Panther is now fully supported in 15 different AWS regions
  • New design for S3 onboarding workflow

Bug Fixes

  • Rule syntax errors now show in the UI as an alert
  • Fixes to time series charts
  • Small fixes to sorting and filtering of rules, policies, and alerts

Migration Notes

  • The Panther deployment role has changed; if you are using this role, please update the role before updating Panther

See the milestone for the full changelog.

v1.13.0

3 years ago

Highlights

  • Rule Errors: View generated Python errors from detections, see the associated events, and receive “Rule Error” alerts
  • Alert Management: Apply status updates on alerts in bulk

Bug Fixes

  • Proper extraction of AWS domains from CloudTrail Events
  • [Enterprise] Fixed an issue where Custom Log arrays generated bad schema errors in AWS Glue

Improvements

  • Improvements in the onboarding flow for all log analysis sources
  • Log Processing now handles partial failures better
  • Rules now show you destinations where alerts will be dispatched to
  • [Enterprise] You can now define an indicator inside an array

Migration Notes

  • When deploying from source (panther-community), please be sure to run mage clean setup before performing the upgrade
  • If you have a custom PipLayer defined in panther_config.yml or you provide your own python layer, ensure jsonpath_ng is added to the list of libraries. See this for additional details.

See the milestone for the full changelog.