Releases: panther-labs/panther-analysis

v1.35.1

15 Sep 23:10
54517b8

New Detections

🌯 We created a pack for Snowflake detections (#495). Note: no additional detections in the

Bug Fixes

🐛 (#496) Reverts (#486) "bug: GreyNoise last_seen attribute had been referenced by a non-extant field name. update to an extant field

Miscellaneous

Full Changelog: v1.35.0...v1.35.1

v1.35.0

13 Sep 18:10
e45530f

New Detections

🕵️‍♂️ GitHub recently added logging for their Advanced Security Tools (Dependabot and Secret Scanner). This rule watches for all of the possible indications these tools have been disabled. #489
🕵️‍♂️ 0ktapus detection based on p_any_domain_names #490

Bug Fixes

🐛 GreyNoise Advanced last_seen function now returns last_seen. Previously last_seen would have returned None #486
🐛 If you had an advanced GreyNoise subscription, the detection rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.py could have raised an exception which would have generated a Panther System Error #488
🐛 The detection for EC2 Instance Detailed Monitoring Enabled has historically alerted on all EC2 lifecycle states. We've reduced this to only Pending and Running lifecycle states #492

Miscellaneous

📈 We updated all linter versions to latest #485
🏠 We removed dependencies on the panther_analysis_tool python library for housekeeping #487
🏠 A long-running PR brought in a detection at the root of the repo; this was moved under the rules/ directory as per release v1.34.0 #491

v1.34.0

02 Sep 22:21
cd220c8

New Detections

Bug Fixes

  • 🐛 The GCP Data Model now correctly identifies users and roles thanks to a community submitted bug fix #480
  • 🐛 The AWS.S3.GreyNoiseActivity detection had a typo in a function call, which was reachable with an advanced GreyNoise subscription #479

Miscellaneous

  • 🗂 Queries, Rules, and Policies have been reorganized under top-level directories.
  • ✏️ We have established a linting requirement via make lint to conform to the Black Python code formatter in order to make code style more consistent. If you want to apply this in your local fork to files that aren't part of the panther-analysis mainline, you can run make fmt

v1.33.1

15 Aug 20:19
70294f9
  • Slack and Cloudflare detections are now available in packs
  • Added alert context to AWS detections that did not previously have them
  • Modified the Cloudflare L7 DDoS to not alert on blocked events
  • Removed managed schemas

v1.33.0

04 Aug 01:44
d071b43
  • New Slack detections and data models
  • Added workaround for Identity Providers AWS Console Login without MFA
  • Added exclusion for Panther IAM roles in the AWS S3 Activity - GreyNoise detection
  • New detection for AWS IAM Role - External Permission
  • Fixed GSuite summary attributes
  • Improved alert titles for GSuite Rule Triggers
  • Added template for CIDR lookup

v1.32.0

01 Jul 22:46
5b6ab8b
  • Added new Cloudflare detections
  • Added Confluence 0-Day IOCs
  • Removed workaround for global helper importing order
  • Updated GreyNoise reference links
  • Updated MITRE ATT&CK mappings to align with the MITRE heatmap feature

v1.31.0

11 May 15:25
2c744ea
  • Add Panther Audit Log Detections
  • Update AWS Pack with missing Helper
  • Add GCP Helpers
  • GreyNoise Enhancements

v1.30.0

02 May 17:08
eb4af5c
  • Map all prebuilt detections to MITRE ATT&CK
  • Update to use Python 3.9
  • Various bug fixes

v1.29.1

08 Apr 20:00
36891f9
  • Add missing helper to GreyNoise pack definition

v1.29.0

04 Apr 19:38
32f8152
  • Add Support for Packs
  • Add GreyNoise Integration for Panther 1.32