v3.32.0

What's Changed

🏡 Miscellaneous

• Sync changes from staging repository by @egibs in #1043
• Update how tests are run in test.yml by @egibs in #1053
• new and improved Notion rules for demo by @arielkr256 in #1039
• Updated packs by @melenevskyi in #1038
• adding example inline filter syntax to the rule template by @nkulig in #1044
• [sync] Update rules' references (aws_cloudtrail) (#5) by @egibs in #1056
• [sync] Update rules' references (onepassword) (#6) by @egibs in #1057
• [sync] Update rules' references (onelogin) (#7) by @egibs in #1058
• [sync] Update rules' references (okta) (#8) by @egibs in #1059
• [sync] Update rules' references (gsuite_reports) (#9) by @egibs in #1060
• [sync] Update rules' references (box) (#10) by @egibs in #1061
• [sync] Update rules' references (gsuite_activityevent) (#12) by @egibs in #1062
• [sync] Update rules' references (slack) (#11) by @egibs in #1063
• [sync] updated severity, system user returns info (#38) by @egibs in #1064
• Aws system location hb by @hbenac10 in #624
• build(deps): bump jinja2 from 3.1.2 to 3.1.3 by @dependabot in #1055
• build(deps-dev): bump gitpython from 3.1.40 to 3.1.41 by @dependabot in #1054

Full Changelog: v3.31.0...v3.32.0

v3.31.0

What's Changed

🏡 Miscellaneous

• Add additional panther_config modules to Packs by @egibs in #1042

Full Changelog: v3.30.0...v3.31.0

v3.27.0

What's Changed

🏡 Miscellaneous

• Update GitHub Data Model to display admin-add events instead of UNKNOWN_ROLE by @egibs in #979
• Allow for auto-formatting on save when using VSCode by @egibs in #981
• updated GCP pack with some missing rules by @arielkr256 in #982
• Add linting config to example_settings.json by @egibs in #984
• Update kubernetes_pod_create_or_modify_host_path_vol_mount_query.yml by @dotbeseck in #983
• Add a config system for Panther detections by @jof in #950
• Update Teleport Rules by @jof in #955
• gsuite pack refresh by @arielkr256 in #987
• Moved URL from Description to Reference (microsoft_rules) by @akozlovets098 in #986
• Moved URL from Description to Reference (okta_rules) by @akozlovets098 in #985
• build(deps-dev): bump cryptography from 41.0.5 to 41.0.6 by @dependabot in #980
• Update PAT to 0.34.0 by @egibs in #989

New Contributors

• @akozlovets098 made their first contribution in #986

Full Changelog: v3.26.0...v3.27.0

v3.26.0

What's Changed

🏡 Miscellaneous

• Add threat research team to CODEOWNERS by @egibs in #963
• Update standard_ruleset.yml to include Notion Data Model by @LCMeed in #961
• Update github_secret_scanning_alert_created rule/tests by @egibs in #962
• Snowflake Kubernetes Inital Detection Drop by @sfc-gh-kderevyanik in #965
• Enable Dependabot for GitHub actions by @wadells in #968
• build(deps): bump actions/checkout from 3 to 4 by @dependabot in #969
• build(deps): bump peterjgrainger/action-create-branch from 2.3.0 to 2.4.0 by @dependabot in #970
• build(deps): bump actions/github-script from 6 to 7 by @dependabot in #971
• Teleport: Update Rules by @jof in #966
• Carbonblack passthrough rule by @arielkr256 in #967
• Add rule to detect AWSCompromisedKeyQuarantineV2 policy attachments by @egibs in #964
• k8s pack by @arielkr256 in #974
• Renamed default rule to avoid by @arielkr256 in #975
• k8s queries disabled by default by @arielkr256 in #976
• Update CRYPTO_MINING_DOMAINS IOCs; add two additional tests by @egibs in #973
• Checkout repository with GITHUB_TOKEN by @egibs in #977
• Add rule to alert on known cryptomining ports in VPC flow logs by @egibs in #972
• Revert "Add rule to alert on known cryptomining ports in VPC flow logs" by @egibs in #978

New Contributors

• @sfc-gh-kderevyanik made their first contribution in #965
• @jof made their first contribution in #966

Full Changelog: v3.25.0...v3.26.0

v3.25.0

What's Changed

🏡 Miscellaneous

• Update release Workflow by @egibs in #946
• Fix zeek mappings for greynoise riot basic lut by @rleighton in #945
• Update License in README by @le4ker in #948
• added dynamic severity function and MITRE tags by @arielkr256 in #947
• Add EXCLUDED_BUCKET_NAMES set for aws_cloudtrail_s3_bucket_public.py policy by @egibs in #951
• Adds a check for messages in the response by @grantjoy in #944
• fix selector syntax by @nskobov in #952
• remove deprecated azure.signin related detections by @nskobov in #953
• Add GCP SSO persistence rules by @egibs in #954
• Carbonblack audit rules, part 1 by @arielkr256 in #956
• Update PAT to 0.33.0 by @egibs in #957
• Update release Workflow with GITHUB_TOKEN env var by @egibs in #958
• Update gh release create command by @egibs in #959
• Use --generate-notes for release creation by @egibs in #960

Full Changelog: v3.24.0...v3.25.0

v3.24.0

What's Changed

🏡 Miscellaneous

• adding optional TEST_ARGS to the test targets by @rootshellz in #935
• added MITRE ATT&CK tags to all Slack rules by @arielkr256 in #933
• Set git_config_pull_rebase: true for fork sync step by @egibs in #936
• Auto deploy on Wednesday mornings by @grantjoy in #934
• Updating panther_user_modified to use default severity by @stedrow in #938
• bump shallow_since from 1 month to 5 years to look back to the beginning of git history by @grantjoy in #937
• fix path to CODEOWNERS by @grantjoy in #940
• Add Workflow to automate panther-analysis releases by @egibs in #939
• removing shallow_since by @grantjoy in #941
• Add Pull config by @egibs in #942
• Creating common ancestor commit by @egibs in #943

New Contributors

• @rootshellz made their first contribution in #935
• @stedrow made their first contribution in #938

Full Changelog: v3.22.0...v3.24.0

v3.22.0

What's Changed

🏡 Miscellaneous

• gcp_k8s_rules: fix logic matching irrelevant events by @cheahjs in #928
• Always use the "our" CODEOWNERS by @grantjoy in #927
• ID to Name path change zendesk_data_model.yml by @JPhenglavong in #929
• AWS CloudTrail Password Discovery detection by @natezpanther in #628
• Fix the Zeek selectors in luts by @rleighton in #930
• updated title to use profileId if no email by @arielkr256 in #931
• Update aws_unauthorized_api_call dedup function by @egibs in #932

New Contributors

• @cheahjs made their first contribution in #928
• @JPhenglavong made their first contribution in #929

Full Changelog: v3.21.0...v3.22.0

v3.21.0

What's Changed

🏡 Miscellaneous

• kbailey: rule for phished okta session by @k-bailey in #500
• build(deps): bump requests from 2.28.1 to 2.31.0 by @dependabot in #923
• build(deps): bump urllib3 from 1.26.12 to 1.26.18 by @dependabot in #922
• Move from AGPL to Apache Software License by @egibs in #924
• Update sync-from-upstream.yml GH action from 'master' to 'main' by @AndrewMohawk in #925
• Remove PAT clone from lint-test Workflow by @egibs in #926

New Contributors

• @AndrewMohawk made their first contribution in #925

Full Changelog: v3.20.0...v3.21.0

v3.20.0

What's Changed

🕵️ New Detections

• Tines Rule - Story Jobs Clearance by @josh-panther in #800

🏡 Miscellaneous

• added test case for user modified by System by @arielkr256 in #910
• Expanded Microsoft365.Exchange.External.Forwarding to work with ForwardingAddress property by @ben-githubs in #909
• Fix Standard.ImpossibleTravel.Login by @corrylc in #912
• added default strings to deep_walks by @arielkr256 in #913
• update upstream branch in README by @le4ker in #914
• fixed severity issue for Super admin granted by @arielkr256 in #917
• Template: example_scheduled_query update by @nkulig in #689
• Set severity to INFO if making calendar private by @apanzerj in #904
• saved search for IOCs published by Okta by @arielkr256 in #916
• build(deps-dev): bump werkzeug from 3.0.0 to 3.0.1 by @dependabot in #911
• Up-to-date implementation of #868 by @egibs in #918
• Update global-helpers-unit-test call syntax by @wadells in #903
• Add a helper to retrieve the AWS account ID associated with a given access key ID by @egibs in #920

New Contributors

• @corrylc made their first contribution in #912
• @apanzerj made their first contribution in #904

Full Changelog: v3.19.0...v3.20.0

v3.19.0

What's Changed

🏡 Miscellaneous

• Okta new rules by @arielkr256 in #894
• Added removed workspace.settings line back by @tiffany-leong in #902
• Allow Dependabot to update all pip package sources by @egibs in #905
• build(deps): bump urllib3 from 1.26.17 to 1.26.18 by @dependabot in #901
• Fix typo in slack_privilege_changed_to_user.yml by @bfrisbie-wiz in #870
• replacing set_key_expiration with epoch_seconds field by @maxrichie5 in #892
• Check for GuardDuty sample data by @piercedouglas in #871
• deprecating duplicate impossible travel rules by @arielkr256 in #907
• fixed caching bug by @arielkr256 in #908

New Contributors

• @arielkr256 made their first contribution in #894
• @piercedouglas made their first contribution in #871

Full Changelog: v3.18.0...v3.19.0