Releases: panther-labs/panther-analysis
v3.0.1
v3.0.0
Why a major version change
We've updated the name of the global helper previously known as panther to panther_default.
This change aligns the python module name of the global helper to be the same as the file name which provides the module. With the two names in sync, your IDE's code completion features should be working. If you have already informed your IDE to use global_helpers as an autocomplete and/or analysis path, no action is needed. If you haven't set that up already, there are some vscode specific examples on #691
New Detections
π΅οΈββοΈ new asana service account is created by @andrea-youwakim in #695
Bug Fixes
π new format for AWS resource tags by @calkim-panther in #664
Miscellaneous
π fix: update panther_default global helper use its file name for IDE happiness by @edyesed in #691
π feat: logtype global filter for cloudflare events by @edyesed in #690
π fix: sync policyuniverse version to backend by @edyesed in #699
Full Changelog: v2.2.0...v3.0.0
Contributors
Assets 4
v2.2.0
New Detections
π΅οΈββοΈ Add Dropbox Team Member Linked App Rule by @egibs in #687
Bug Fixes
π Refactor: slack_user_privilege_escalation by @miotke in #686
π Snowflake Query DisplayName Updates by @mbellifa in #682
π tuning: high vol events blocked greynoise by @andrea-youwakim in #688
Miscellaneous
π Bump PAT version to 0.19.6 by @egibs in #684 & #685
New Contributors
Full Changelog: v2.1.0...v2.2.0
Contributors
Assets 4
v2.1.0
New Detections
π΅οΈββοΈ feat: asana new workspace admin detection by @edyesed in #679
π΅οΈ feat: A detection for if a configured github action fails by @edyesed in #681
π― asana pack by @calkim-panther in #670
π¨βπ³ Add IPInfo Privacy enrichment providers by @debugmiller in #680
Bug Fixes
π chore: tune out aws config checking on ec2 traffic mirroring by @edyesed in #678
Miscellaneous
π Deprecated AWS CloudTrail 2 minute count + detection by @natezpanther in #674
π Add helper function for Crowdstrike Detections by @papanikge in #673
Full Changelog: v2.0.1...v2.1.0
Contributors
Assets 4
v2.0.1
New Detections
Bug Fixes
π Update panther_sensitive_role_created.py to handle some NoneTypes by @dotbeseck in #675
Miscellaneous
π fix: bump panther_analysis_tool to 0.19.5 for some additional snyk logs by @edyesed in #677
Full Changelog: v2.0.0...v2.0.1
Contributors
Assets 4
v2.0.0
Why are we upping the major version number to v2?
We received a report and PR from users demonstrating an an unanticipated behavior in the global_helper deep_get.
The scenario is this
- When deep get is called like this
deep_get(event, 'key_that_might_exist', default=Not_None). deep_getmust be called with a default= kwarg whose value is something other than None to enter into the changing behavior.- AND deep_get gets a hit on key_that_might_exist
- AND the value of that key is None
- Old Behavior -> deep_get returns None
- New Behavior -> deep_get returns value of default
This is the scenario where the old behavior and the new behavior lead to different outcomes in a detection:
if event had the following definition
{
"some_key": null,
"another_key": 1
}and the detection has this logic
my_check = deep_get(event, 'some_key', default='')
# At this point the value of my_check is None
# because deep_get did find `some_key` in event
# and the value of `some_key` was None
if my_check is None:
return FalseThen a detection would be incompatible with the new behavior.
This is a scenario where a detection is compatible with the old and new behavior
event has the same definition as above
and the detection has this logic
my_check = deep_get(event, 'some_key', default='')
# At this point the value of my_check is None ( because this example uses the old behavior )
# deep_get did find `some_key` in event
# and the value of `some_key` was None
if not my_check:
return FalseThe detection code directly above will work without modification because my_check is falsey in the old behavior ( my_check had the value of None ) and my_check is falsey in the new behavior ( my_check now returns '' ).
where when deep_get is passed the default= kwarg, and it gets a hit on the search keys where the value of the search key is None
- fix: deep_get should honor default kwarg if the value it retrieves is explicitly None by @edyesed in #672
New Detections
π΅οΈ new rule: alerts when zoom user toggles off org setting to automatically sign out users after a specified period of time by @andrea-youwakim in #660
π΅οΈ new detection: zoom rule to alert when user modifies an organization's sign in methods by @andrea-youwakim in #666
π΅οΈ asana workspace email domain detection by @calkim-panther in #661
π΅οΈ new detection: adding new detection to alert when a zoom user disables an org's setting to require passcodes for new meetings by @andrea-youwakim in #669
π΅οΈ new detection: alerts when a zoom user disables an org's setting to sign in with 2fa by @andrea-youwakim in #676
Bug Fixes
π or π΅οΈ modify cloudtrail policy for advanced selectors by @calkim-panther in #663
π΅ tune: standard_rule/brute_force_by_ip by @edyesed in #667
π΅ unmanaged detections tuning by @calkim-panther in #625
Miscellaneous
π Added support for dictionary values in DynamoDB by @natezpanther in #653
π Change IPInfo refresh frequency to daily by @debugmiller in #668
Full Changelog: v1.54.0...v2.0.0
Contributors
Assets 4
v1.54.0
New Detections
π΅οΈ Introduce detections and rules for Crowdstrike.FDREvent by @papanikge in #648
π΅οΈ new rule: alerts when zoom user toggles Require that all meetings are secured with one security option: from On to Off by @andrea-youwakim in #657
π΅οΈ asana rules by @calkim-panther in #659
Bug Fixes
π fix: minor misspelling in tag by @andrea-youwakim in #656
π In some environments, scheduled_rules could error out even if they are syntactically correct. Disabled scheduled rules by default by @calkim-panther in #662
New Contributors
- @papanikge made their first contribution in #648
Full Changelog: v1.53.0...v1.54.0
Contributors
Assets 4
v1.53.0
New Detections
π― Extends duo, msft365, okta, and zoom packs by @calkim-panther in #650
π΅οΈ Gsuite many download detection by @calkim-panther in #645
Bug Fixes
π github/branch-protection-disabled: add the actor who did the disabling to the alert message by @joemiller in #649
π feat: CloudFlare rules needed tweaking to their dedup and titles. by @edyesed in #654
π feat: update panther_analysis_tool to v0.19.1, which has a bulk-upload bugfix that is important by @edyesed in #655
Miscellaneous
π¨ π¨ FYI: the alert_context has updated on CloudFlare detections π¨ π¨
Full Changelog: v1.52.0...v1.53.0
Contributors
Assets 4
v1.52.0
New Detections
π΅οΈββοΈ AWS discovery Rules by @hbenac10 in #621
π΅οΈ T1499:TA0040 Endpoint DoS Query + Detection by @natezpanther in #615
π― finishing up packs work, adding tested policies to prod by @andrea-youwakim in #652
Bug Fixes
π fix: There was a bug in Standard.MFADisabled where okta users resetting MFA factors(s) were getting marked as MFA Disabled by @edyesed in #651
π Fix example lookup table yml by @dashaaa in #638
Miscellaneous
π IPinfo datalake LUTs by @debugmiller in #639
Full Changelog: v1.51.0...v1.52.0
Contributors
Assets 4
v1.51.0
New Detections
π΅οΈββοΈ Calkim duo detections by @calkim-panther in #637
π― feat: adding already existing and tested policies to aws pack in prod by @andrea-youwakim in #644
Bug Fixes
π fix: github_advanced_security detection had some confusing title text by @edyesed in #630
π fix: eks_source_ip_multiple403s was triggering on naive web-scanners. so many naive web scanners. by @edyesed in #643
Miscellaneous
π fix: tune aws_iam_user_recon_denied down to Info level by @edyesed in #632
π fix: set default state to disable for aws_modify_cloud_compute_infra. change severity to Medium. remove from AWS pack by @edyesed in #633
π fix: deprecates aws_snapshot_backup_exfiltration in favor of aws_snapshot_made_public by @edyesed in #634
π fix: update GSuite.DriveVisibility to more explicitly demonstrate that it needs configuration by @edyesed in #635
π chore: update panther_analysis_tool and GitPython by @edyesed in #647
Full Changelog: v1.50.1...v1.51.0