Releases: panther-labs/panther-analysis
v1.39.0
New Detections
🕵️ Microsoft Graph passthrough in #544
🕵️ detection for EC2 *Image* CloudTrail events relating to ATT&CK T1204 in #545
🕵️ detection for IAM Identity modifying the userProfile of another without setting the must reset password bit relating to ATT&CK T1550 in #548
🌯 update gsuite pack to include data model in #552
Bug Fixes
🐛 gsuite drive visibility title bug #543
🐛 guardduty context in #535
🐛 Potential typo prevents tests from passing in okta_password_accessed detection by @fr0mdual in #546
🐛 fix: get_val_from_list would raise an error if the comparison key was not in the input item of the list in #547 (revealed by #546)
🐛 fix: dedup aws_iam_user_key_created based on the userIdentity.arn to group by source identity in #549
Miscellaneous
🏠 fix: Default behavior of our python environment should be to use the Pipfile.lock specified versions in #541
🏠 feat: allow gsuite admins to provide an allow-list of applicationNames for when google is the IdP for a saml app in #542
🏠 docker support for windows environments in #538
🏠 fix: remove all references to ast.literal_eval in #551
Full Changelog: v1.38.1...v1.39.0
v1.38.1
v1.38.0
New Detections
🕵️ EC2 CRUD Activities via #507
🕵️ EC2 EBS Default Encryption settings changes via #523
🕵️ EC2 Startup Script/user-data changes via #523
🕵️ IAM User AccessKey created for another user via #523
🕵️ IAM SAML Settings changed via #523
🕵️ EC2 Snapshot setting modified via #523
🕵️ AWS Region should not be used via #531
🕵️ EC2 Modifications happening outside of automation via #532
🕵️ AWS WAF WebACL dis-associated from resource via #532
🕵️ MSFT Graph passthrough detections via #530
Bug Fixes
🐛 Some detections had print() statements. These print() statements have been removed and we now lint to confirm that they are not present via #533
🐛 MITRE Technique association fix for AWS WAF WebACL dis-associated from resource via #532
🐛 Adding default values into the deep_get function call used by the IAM Keys Created For Another User detection and a comparison tweak via #537
Miscellaneous
🏠 CloudTrail eventSource and awsRegion added to default alert context for CloudTrail detections via #531
Full Changelog: v1.37.1...v1.38.0
v1.37.1
v1.37.0
New Detections
🕵️‍♂️ AWS VPC Cryptominer DNS query detection
🕵️‍♂️ AWS Macie Evasion
🕵️‍♂️ ECR and Lambda CRUD detections
🕵️‍♂️ Tor Exit Nodes Panther Managed LUT
Bug Fixes
🐛 box_parse_additional_details could raise an error when trying to call json.loads
Full Changelog: v1.36.1...v1.37.0
v1.36.1
Bug Fixes
🐛 Fixed typo in GCP Rules causing issues with Summary Attributes
Full Changelog: v1.36.0...v1.36.1
v1.36.0
New Detections
🕵️‍♂️ Added Sigma AWS Detections
🕵️‍♂️ Okta Password Access detection
New Features
⚡ Github workflow to sync a form to upstream weekly.
Bug Fixes
🐛 Fix primary key issue in Greynoise
🐛 Deprecate unusual login detection
Full Changelog: v1.35.4...v1.36.0