Releases: panther-labs/panther-analysis
v2.1.0
New Detections
🕵️‍♂️ feat: asana new workspace admin detection by @edyesed in #679
🕵️ feat: A detection for if a configured github action fails by @edyesed in #681
🌯 asana pack by @calkim-panther in #670
👨‍🍳 Add IPInfo Privacy enrichment providers by @debugmiller in #680
Bug Fixes
🐛 chore: tune out aws config checking on ec2 traffic mirroring by @edyesed in #678
Miscellaneous
🏠 Deprecated AWS CloudTrail 2 minute count + detection by @natezpanther in #674
🏠 Add helper function for Crowdstrike Detections by @papanikge in #673
Full Changelog: v2.0.1...v2.1.0
v2.0.1
New Detections
Bug Fixes
🐛 Update panther_sensitive_role_created.py to handle some NoneTypes by @dotbeseck in #675
Miscellaneous
🏠 fix: bump panther_analysis_tool to 0.19.5 for some additional snyk logs by @edyesed in #677
Full Changelog: v2.0.0...v2.0.1
v2.0.0
Why are we upping the major version number to v2?
We received a report and PR from users demonstrating an unanticipated behavior in the global_helper deep_get.
The scenario is this:
- deep_get is called with a default= kwarg whose value is something other than None, e.g. deep_get(event, 'key_that_might_exist', default=Not_None). deep_get must be called with such a default= to enter into the changing behavior.
- AND deep_get gets a hit on key_that_might_exist
- AND the value of that key is None
- Old Behavior -> deep_get returns None
- New Behavior -> deep_get returns the value of default
This is the scenario where the old behavior and the new behavior lead to different outcomes in a detection:
if event had the following definition
{
"some_key": null,
"another_key": 1
}
and the detection has this logic
my_check = deep_get(event, 'some_key', default='')
# Under the old behavior the value of my_check is None at this point,
# because deep_get did find `some_key` in event
# and the value of `some_key` was None.
# Under the new behavior my_check is '' here, so the check below no longer matches.
if my_check is None:
    return False
Then a detection would be incompatible with the new behavior.
This is a scenario where a detection is compatible with the old and new behavior:
event has the same definition as above
and the detection has this logic
my_check = deep_get(event, 'some_key', default='')
# Under the old behavior the value of my_check is None at this point:
# deep_get did find `some_key` in event
# and the value of `some_key` was None.
# Under the new behavior my_check is ''.
if not my_check:
    return False
The detection code directly above will work without modification because my_check is falsey in the old behavior (my_check had the value of None) and my_check is falsey in the new behavior (my_check is now '').
The fix changes deep_get only when it is passed the default= kwarg and it gets a hit on the search keys where the value of the search key is None:
- fix: deep_get should honor default kwarg if the value it retrieves is explicitly None by @edyesed in #672
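As an added example (this is not the project's own global_helpers code), the following Python reimplements both deep_get behaviors under the hypothetical names deep_get_old and deep_get_new, runs the two detection styles above against the sample event, and adds a small AST audit, find_is_none_checks, that flags the incompatible pattern (an `is None` test on a value fetched with a non-None default=) in a detection's source. The sample event and SAMPLE_RULE are constructed for the example.

```python
"""Added example (not the project's own global_helpers code): an
illustrative reimplementation of both deep_get behaviors, the two
detection styles from the release note run against the sample event,
and an AST audit that flags `is None` checks on deep_get results
fetched with a non-None default= (the pattern that breaks under v2)."""
import ast
from collections.abc import Mapping
from functools import reduce

# Constructed sample event from the scenario above.
EVENT = {"some_key": None, "another_key": 1}


def deep_get_old(dictionary, *keys, default=None):
    """Pre-v2 semantics (illustrative): default only covers a *missing*
    key; a key that is present with value None is returned as None."""
    return reduce(
        lambda d, key: d.get(key, default) if isinstance(d, Mapping) else default,
        keys,
        dictionary,
    )


def deep_get_new(dictionary, *keys, default=None):
    """v2 semantics (illustrative): a present-but-None value also yields
    the default, so a caller passing default= never receives None."""
    out = deep_get_old(dictionary, *keys, default=default)
    return default if out is None else out


def rule_is_none(event, deep_get):
    """The incompatible style: guards only the literal None."""
    my_check = deep_get(event, "some_key", default="")
    if my_check is None:
        return False
    return True  # reached under v2, because my_check is '' rather than None


def rule_falsy(event, deep_get):
    """The compatible style: treats None and '' alike."""
    my_check = deep_get(event, "some_key", default="")
    if not my_check:
        return False
    return True


def compare(event):
    """(old result, new result) for each rule style on the same event."""
    return {
        "is_none": (rule_is_none(event, deep_get_old), rule_is_none(event, deep_get_new)),
        "falsy": (rule_falsy(event, deep_get_old), rule_falsy(event, deep_get_new)),
    }


def find_is_none_checks(source):
    """Return line numbers of `x is None` / `x is not None` comparisons
    where x was assigned from deep_get(..., default=<non-None>).  Those
    are the detections whose outcome changes between v1 and v2."""
    tree = ast.parse(source)
    guarded = set()
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Assign) and isinstance(node.value, ast.Call)):
            continue
        func = node.value.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name != "deep_get":
            continue
        has_default = any(
            kw.arg == "default"
            and not (isinstance(kw.value, ast.Constant) and kw.value.value is None)
            for kw in node.value.keywords
        )
        if has_default:
            guarded.update(t.id for t in node.targets if isinstance(t, ast.Name))
    hits = []
    for node in ast.walk(tree):
        if (
            isinstance(node, ast.Compare)
            and isinstance(node.left, ast.Name)
            and node.left.id in guarded
            and any(isinstance(op, (ast.Is, ast.IsNot)) for op in node.ops)
            and any(isinstance(c, ast.Constant) and c.value is None for c in node.comparators)
        ):
            hits.append(node.lineno)
    return sorted(hits)


# Constructed detection source: line 6 is the incompatible check; line 9
# is unaffected because that deep_get call passes no default=.
SAMPLE_RULE = '''
from panther_base_helpers import deep_get

def rule(event):
    my_check = deep_get(event, "some_key", default="")
    if my_check is None:
        return False
    other = deep_get(event, "another_key")
    if other is None:
        return False
    return True
'''

if __name__ == "__main__":
    print(compare(EVENT))            # {'is_none': (False, True), 'falsy': (False, False)}
    print(find_is_none_checks(SAMPLE_RULE))  # [6]
```

Running find_is_none_checks over your own custom detections before pulling in the v2 global helpers is the practical pre-upgrade check: every line it reports either needs the `is None` test replaced with a falsy test, or the default= dropped, depending on which outcome the detection actually wants.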
New Detections
🕵️ new rule: alerts when zoom user toggles off org setting to automatically sign out users after a specified period of time by @andrea-youwakim in #660
🕵️ new detection: zoom rule to alert when user modifies an organization's sign in methods by @andrea-youwakim in #666
🕵️ asana workspace email domain detection by @calkim-panther in #661
🕵️ new detection: adding new detection to alert when a zoom user disables an org's setting to require passcodes for new meetings by @andrea-youwakim in #669
🕵️ new detection: alerts when a zoom user disables an org's setting to sign in with 2fa by @andrea-youwakim in #676
Bug Fixes
🐛 or 🕵️ modify cloudtrail policy for advanced selectors by @calkim-panther in #663
🎵 tune: standard_rule/brute_force_by_ip by @edyesed in #667
🎵 unmanaged detections tuning by @calkim-panther in #625
Miscellaneous
🏠 Added support for dictionary values in DynamoDB by @natezpanther in #653
🏠 Change IPInfo refresh frequency to daily by @debugmiller in #668
Full Changelog: v1.54.0...v2.0.0
v1.54.0
New Detections
🕵️ Introduce detections and rules for Crowdstrike.FDREvent by @papanikge in #648
🕵️ new rule: alerts when zoom user toggles Require that all meetings are secured with one security option: from On to Off by @andrea-youwakim in #657
🕵️ asana rules by @calkim-panther in #659
Bug Fixes
🐛 fix: minor misspelling in tag by @andrea-youwakim in #656
🐛 In some environments, scheduled_rules could error out even if they are syntactically correct. Disabled scheduled rules by default by @calkim-panther in #662
New Contributors
- @papanikge made their first contribution in #648
Full Changelog: v1.53.0...v1.54.0
v1.53.0
New Detections
🌯 Extends duo, msft365, okta, and zoom packs by @calkim-panther in #650
🕵️ Gsuite many download detection by @calkim-panther in #645
Bug Fixes
🐛 github/branch-protection-disabled: add the actor who did the disabling to the alert message by @joemiller in #649
🐛 feat: CloudFlare rules needed tweaking to their dedup and titles. by @edyesed in #654
🐛 feat: update panther_analysis_tool to v0.19.1, which has a bulk-upload bugfix that is important by @edyesed in #655
Miscellaneous
🚨 🚨 FYI: the alert_context has updated on CloudFlare detections 🚨 🚨
Full Changelog: v1.52.0...v1.53.0
v1.52.0
New Detections
🕵️‍♂️ AWS discovery Rules by @hbenac10 in #621
🕵️ T1499:TA0040 Endpoint DoS Query + Detection by @natezpanther in #615
🌯 finishing up packs work, adding tested policies to prod by @andrea-youwakim in #652
Bug Fixes
🐛 fix: There was a bug in Standard.MFADisabled where okta users resetting MFA factor(s) were getting marked as MFA Disabled by @edyesed in #651
🐛 Fix example lookup table yml by @dashaaa in #638
Miscellaneous
🏠 IPinfo datalake LUTs by @debugmiller in #639
Full Changelog: v1.51.0...v1.52.0
v1.51.0
New Detections
🕵️‍♂️ Calkim duo detections by @calkim-panther in #637
🌯 feat: adding already existing and tested policies to aws pack in prod by @andrea-youwakim in #644
Bug Fixes
🐛 fix: github_advanced_security detection had some confusing title text by @edyesed in #630
🐛 fix: eks_source_ip_multiple403s was triggering on naive web-scanners. so many naive web scanners. by @edyesed in #643
Miscellaneous
🏠 fix: tune aws_iam_user_recon_denied down to Info level by @edyesed in #632
🏠 fix: set default state to disable for aws_modify_cloud_compute_infra. change severity to Medium. remove from AWS pack by @edyesed in #633
🏠 fix: deprecates aws_snapshot_backup_exfiltration in favor of aws_snapshot_made_public by @edyesed in #634
🏠 fix: update GSuite.DriveVisibility to more explicitly demonstrate that it needs configuration by @edyesed in #635
🏠 chore: update panther_analysis_tool and GitPython by @edyesed in #647
Full Changelog: v1.50.1...v1.51.0
v1.50.1
What's Changed
🏠 Pack & Rule changes by @nkulig in #618
🐛 Onepass filename fix by @andrea-youwakim in #629
Full Changelog: v1.50.0...v1.50.1
v1.50.0
What's Changed
🕵️‍♂️ Unmanaged Auth Detections for AWS, 1Password, Okta by @calkim-panther in #622
Full Changelog: v1.49.0...v1.50.0
v1.49.0
What's Changed
🕵️‍♂️ Crowdstrike queries: large zip creation, macos browser credential access by @calkim-panther in #579
🐛 fix: we should ignore iam:CreateAccessKey when errorCode is present by @edyesed in #614
🕵️♂️ Newly Written Rule: monitors and alerts on AWS IAM Group Read Only Events by @andrea-youwakim in #612
🏠 chore: update actions to use latest releases to get out of node12 by @edyesed in #616
🌯 IPInfo pack for detection engine by @debugmiller in #617
New Contributors
- @debugmiller made their first contribution in #617
Full Changelog: v1.48.0...v1.49.0