Releases: panther-labs/panther-analysis

v1.17.0: Lacework YAML schemas (#267)

19 May 16:22
65fec9b

This release contains a number of bug fixes, some detection tuning, and templates.

v1.16.1: Weyland automation test debug (#222)

22 Mar 16:56
60a360f

This release contains a number of bug fixes and some refactoring work to standardize our detections. As we move forward with the packs feature, we are standardizing the out-of-the-box detections so that they all follow the same patterns.

Test Managed Schema updates

18 Feb 11:44
5682402
Pre-release

A release to test updates of managed schemas.
Will be removed once the test is completed.

v1.16.0: Added packs directory

17 Feb 00:53
f796d6a

Tuning rules and adding the initial detection pack! Change list below.

  • Updated license (#190)
  • Rule Bug Fixes (#191, #193)
  • Update to gsuite titles to include relevant document title (#196)
  • Add initial detection pack (#192)

v1.15.0: Added DataModels and Standard Rules

09 Feb 18:39
591a936

Added support for data models as well as a few standard rules that use them! Change list below.

  • Added initial set of data models and standard rules (#156)
  • Fix some rule logic bugs (#163, #171, #176, #178, #188)
  • Updates to rules/policies to use new features and misc cleanup (#161, #169, #172, #173, #175)
  • Update boto connections to optionally be FIPS compliant (#177)
  • Initial sync of panther-managed schemas into panther-analysis (#187)

v1.14.0: Added support for IOCs

16 Dec 04:06
315ebd2

Added a new global helper function to support Indicators of Compromise (IOCs)!

Includes the SolarWinds SUNBURST indicators released by FireEye.

Users who only want the new IOC support can use the panther-analysis-iocs.zip asset included in this release.
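To show what an IOC helper of the kind this release adds has to handle, here is an added example (not the project's own helper, and not its function signature): it walks every string in an event, classifies each as an IP, a domain or a SHA-256, normalizes it (IPv6 zero-compression, trailing dots, hex case), and matches against an indicator set, including parent-domain matches. The indicator values and sample events are constructed for the example and are not real SUNBURST IOCs.

```python
import ipaddress
import re

# Constructed indicator set for this example, NOT the real SUNBURST IOCs.
# IPs come from documentation ranges; the hash is a placeholder.
IOCS = {
    "ip": {str(ipaddress.ip_address(x)) for x in ("203.0.113.10", "2001:db8::1")},
    "domain": {"bad-update.example", "c2.example.net"},
    "sha256": {"a" * 64},
}

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}\.?$", re.I)


def classify(value):
    """Map a string to (indicator_type, normalized_value), or None if it is not one."""
    try:
        # Canonical text form, so "2001:0db8::0001" and "2001:db8::1" compare equal.
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if SHA256_RE.match(value):
        return "sha256", value.lower()
    if DOMAIN_RE.match(value):
        return "domain", value.rstrip(".").lower()
    return None


def walk_strings(obj):
    """Yield every string leaf in a nested dict/list structure (a parsed log event)."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from walk_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from walk_strings(v)


def domain_hits(domain, ioc_domains):
    """Match the domain and its parents, so update.bad-update.example hits bad-update.example.
    The bare TLD is never checked."""
    labels = domain.split(".")
    candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    return [c for c in candidates if c in ioc_domains]


def ioc_match(event, iocs=IOCS):
    """Return a sorted, de-duplicated list of (indicator_type, ioc) pairs found in the event."""
    hits = set()
    for raw in walk_strings(event):
        classified = classify(raw)
        if classified is None:
            continue
        kind, value = classified
        if kind == "domain":
            hits.update(("domain", d) for d in domain_hits(value, iocs["domain"]))
        elif value in iocs[kind]:
            hits.add((kind, value))
    return sorted(hits)


def rule(event):
    """Panther-style rule(): alert when any IOC appears anywhere in the event."""
    return bool(ioc_match(event))


def title(event):
    return "IOC match: " + ", ".join(f"{k}={v}" for k, v in ioc_match(event))


# Constructed sample events in a few log shapes (DNS, flow, process).
EVENTS = [
    {"log_type": "dns", "query": {"name": "update.bad-update.example.", "type": "A"},
     "answers": ["198.51.100.2"]},
    {"log_type": "flow", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "dst_port": 443},
    {"log_type": "process", "image": "C:\\Users\\x\\update.exe", "sha256": "A" * 64},
    {"log_type": "flow", "src_ip": "10.0.0.5", "dst_ip": "2001:0db8:0000:0000:0000:0000:0000:0001"},
    {"log_type": "dns", "query": {"name": "www.example.com"}, "answers": ["198.51.100.50"]},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["log_type"], rule(e), ioc_match(e))
```

Walking every string rather than a fixed field list is what makes one helper reusable across log types, at the cost of false positives on fields that merely look like indicators; keeping the IOC set small and specific keeps that cost low.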

v1.13.0: Don't alert if access is denied to S3 putbucket. (#153)

08 Dec 01:13
5af2d1d

v1.12.0: Added example of regex checking for IAM arns (#144)

17 Nov 02:17
9341679

More tuning and more rules. Plus some threat hunting scenario data! Change list below.

  • Updated some policies to reflect changes in the Panther backend (#1320)
  • Refined rule logic to capture more bad behavior (#133, #144)
  • Tuning to reduce noise (#135, #136, #139, #145)
  • Fixing some rule logic bugs (#138, #140, #142)
  • New helpers for interacting with the Box SDK (#137). Some additional setup is required to use these!
  • Threat hunting demo events, useful for testing known scenarios and how your team would react to them (#141, #143)

v1.10.0: box initial ruleset (#127)

20 Oct 22:15
4a419f8

Lots of good new stuff, including a slew of bug fixes and noise reduction. The big new features are:

  • Rules for OneLogin and Box
  • Add the new SummaryAttributes field to all rules
  • Simplifying rules by:
    • Omitting the dedup function when the title function is sufficient
    • Using the Threshold field to simplify basic stateful detections

We highly recommend updating to take advantage of these new features!
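The v1.13.0, v1.12.0 and v1.10.0 notes above describe three rule-writing patterns: not alerting on a denied S3 PutBucket call, checking an IAM ARN with a regex, and letting a specific title() stand in for dedup() with the Threshold field handling the counting. The added example below (written here for illustration; it is not a rule from panther-analysis) puts all three into one Panther-style rule() / title() pair run over constructed CloudTrail-shaped events. The allowlisted role name "TerraformDeploy", the account ID and the bucket names are assumptions, and evaluate() is a simplified stand-in for Threshold that counts matches per title without a time window.

```python
import re
from collections import Counter

# Principals allowed to change bucket configuration, expressed as a regex on
# CloudTrail userIdentity.arn. "TerraformDeploy" is an assumed role name.
ALLOWED_PRINCIPAL_RE = re.compile(
    r"^arn:aws:sts::\d{12}:assumed-role/TerraformDeploy/[^/]+$"
)

# S3 API names (CloudTrail eventName) that mutate bucket configuration.
PUT_BUCKET_RE = re.compile(
    r"^PutBucket(Acl|Policy|PublicAccessBlock|Logging|Encryption|Versioning)$"
)


def rule(event):
    """Return True when the event should match (Panther's rule() convention)."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if not PUT_BUCKET_RE.match(event.get("eventName") or ""):
        return False
    # A denied call changed nothing; alerting on it is noise (the v1.13.0 tuning).
    if event.get("errorCode") == "AccessDenied":
        return False
    arn = (event.get("userIdentity") or {}).get("arn") or ""
    # Regex check on the IAM ARN: suppress changes made by the allowlisted role.
    if ALLOWED_PRINCIPAL_RE.match(arn):
        return False
    return True


def title(event):
    """A title specific to bucket and principal; it doubles as the dedup key,
    so the rule needs no separate dedup() function."""
    bucket = (event.get("requestParameters") or {}).get("bucketName") or "<unknown bucket>"
    arn = (event.get("userIdentity") or {}).get("arn") or "<unknown principal>"
    return f"S3 bucket [{bucket}] configuration changed by [{arn}]"


def evaluate(events, threshold=1):
    """Simplified stand-in for the Threshold field: count matching events per
    title and return the titles whose count reached the threshold."""
    counts = Counter(title(e) for e in events if rule(e))
    return {t: n for t, n in counts.items() if n >= threshold}


def _ct(event_name, arn, bucket, error=None):
    """Build a constructed CloudTrail-shaped event (only the fields the rule reads)."""
    event = {
        "eventSource": "s3.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"arn": arn},
        "requestParameters": {"bucketName": bucket},
    }
    if error:
        event["errorCode"] = error
    return event


DEV = "arn:aws:sts::123456789012:assumed-role/DeveloperRole/jdoe"
TF = "arn:aws:sts::123456789012:assumed-role/TerraformDeploy/ci-run-42"
ALICE = "arn:aws:iam::123456789012:user/alice"

# Constructed sample events.
EVENTS = [
    _ct("PutBucketPolicy", DEV, "prod-data"),                         # match
    _ct("PutBucketAcl", DEV, "prod-data", error="AccessDenied"),      # denied: no alert
    _ct("PutBucketPolicy", TF, "prod-data"),                          # allowlisted role
    _ct("GetBucketPolicy", DEV, "prod-data"),                         # read, not a change
    _ct("PutBucketPublicAccessBlock", ALICE, "logs-archive"),         # match
    _ct("PutBucketEncryption", DEV, "prod-data"),                     # same title as [0]
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["eventName"], rule(e))
    print(evaluate(EVENTS, threshold=2))
```

Because the title omits the API name, two different PutBucket* calls by the same principal on the same bucket collapse into one alert key; raising the threshold to 2 turns the rule into a "repeated configuration changes" detection with no extra state-keeping code.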

v1.7.0

01 Sep 19:44
c4eea26

Adding some new rules and a round of documentation & bug fixes.