Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prepare for v3.55.0 #1269

Closed
wants to merge 36 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
36 commits
Select commit Hold shift + click to select a range
cd042d2
Replace panther_analysis_tool import with updated import (#1230)
May 7, 2024
5e5f196
Update Action versions; use SHAs (#1231)
May 7, 2024
0f28285
migrates the gcp_storage_hmac_keys_create rule to (#1233)
arielkr256 May 8, 2024
83e6d74
move scheduled rules to the queries directory (#1234)
arielkr256 May 8, 2024
575cf47
consistency nit fixes (#1235)
kjihso May 13, 2024
c8b6ad9
AppOmni Alert passthrough (#1211)
jzandona May 14, 2024
8012f11
Push Security rules (#1207)
jstanulis-push May 21, 2024
1252a70
created pack and updated event.deep_get (#1239)
arielkr256 May 21, 2024
63db6ce
Push logtype update (#1240)
arielkr256 May 21, 2024
442849c
Remove Node/NPM/Prettier (#1241)
egibs May 22, 2024
c8b23bd
Small Workflow tweaks (#1243)
egibs May 29, 2024
dc7070c
Use harden-runner Action for all Workflows (#1244)
egibs May 29, 2024
736c250
Threat 319 Replace geoinfo_from_ip with new version (#1242)
akozlovets098 May 30, 2024
cec5c8c
Use full Action SHAs rather than versioned releases (#1245)
egibs May 30, 2024
ca6f7de
auth0-cic-credential-stuffing rule and query (#1246)
arielkr256 May 30, 2024
7eed675
Merge branch 'main' into release
egibs Jun 3, 2024
12ff27b
Update panther-core to 0.10.1 via PAT (#1249)
egibs Jun 3, 2024
aa5ae8b
Tweak Snowflake queries (#1250)
egibs Jun 4, 2024
d700925
Fixed typo in README.md (#1253)
JPhenglavong Jun 7, 2024
9156338
build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 (#1…
dependabot[bot] Jun 10, 2024
2f8c64f
Using GITHUB_OUTPUT env var instead of old ::set-output shorthand (#1…
c0nfleis Jun 10, 2024
41e0c46
OCSF data model, VPC/DNS (#1214)
akozlovets098 Jun 10, 2024
2b80d94
fix: consider deny rules for ssh network acl policy (#1236)
skeggse Jun 10, 2024
1772ca0
AWS Honeypot Detections threat-306 (#1252)
JPhenglavong Jun 10, 2024
a15c5e6
Update aws_console_login_without_mfa.py (#1237)
JPhenglavong Jun 10, 2024
3fa12da
Update PAT to 0.50.0 (#1259)
egibs Jun 12, 2024
69ad583
schema rename (#1258)
arielkr256 Jun 12, 2024
73cdbde
build(deps): bump actions/checkout from 4.1.6 to 4.1.7 (#1263)
dependabot[bot] Jun 13, 2024
1aaef4e
Update PAT to 0.50.1 (#1261)
egibs Jun 13, 2024
327008e
improve error handling for dynamic functions (#1262)
arielkr256 Jun 13, 2024
bcf9088
update vscode schema to honor correlation rules (#1264)
nskobov Jun 17, 2024
fbdd0c4
remove .husky directory (#1266)
le4ker Jun 18, 2024
33335ca
update snowflake queries with p_occurs_since (#1265)
arielkr256 Jun 18, 2024
7ff3c9f
remove greynoise luts (#1267)
arielkr256 Jun 18, 2024
1f1a05e
added dynamic severity to okta vpn rule, with tests (#1268)
ben-githubs Jun 24, 2024
bc59473
Remove unnecessary pipenv step (#1270)
egibs Jun 24, 2024
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
version: 2

updates:
# Update the GitHub actions used in our CI/CD workflow
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
32 changes: 24 additions & 8 deletions .github/workflows/check-packs.yml
Original file line number Diff line number Diff line change
@@ -1,14 +1,28 @@
on:
pull_request:

permissions:
contents: read
pull-requests: write

jobs:
check_packs:
name: check packs
runs-on: ubuntu-latest

steps:
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
files.pythonhosted.org:443
github.com:443
pypi.org:443

- name: Checkout panther-analysis
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7

- name: Set python version
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d #v5.1.0
Expand All @@ -25,27 +39,29 @@ jobs:
panther_analysis_tool check-packs 2> errors.txt || true

# run again to get exit code
panther_analysis_tool check-packs || echo ::set-output name=errors::`cat errors.txt`
panther_analysis_tool check-packs || echo "errors=`cat errors.txt`" >> $GITHUB_OUTPUT

- name: Comment PR
uses: thollander/actions-comment-pull-request@v2
uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6
if: ${{ steps.check-packs.outputs.errors }}
with:
mode: upsert
message: |
:scream:
looks like somethings could be wrong with the packs
:scream:
looks like some things could be wrong with the packs
```diff
${{ steps.check-packs.outputs.errors }}
```
comment_tag: check-packs
- name: Delete comment
uses: thollander/actions-comment-pull-request@v2
uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6
if: ${{ !steps.check-packs.outputs.errors }}
with:
mode: delete
message: |
:scream:
looks like somethings could be wrong with the packs
:scream:
looks like some things could be wrong with the packs
```diff
${{ steps.check-packs.outputs.errors }}
```
comment_tag: check-packs
20 changes: 19 additions & 1 deletion .github/workflows/docker.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,13 +3,31 @@ on:
paths:
- "Dockerfile"

permissions:
contents: read

jobs:
test:
name: Build Dockerfile
runs-on: ubuntu-latest
steps:
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
9236a389bd48b984df91adc1bc924620.r2.cloudflarestorage.com:443
auth.docker.io:443
cgr.dev:443
files.pythonhosted.org:443
github.com:443
packages.wolfi.dev:443
production.cloudflare.docker.com:443
pypi.org:443
registry-1.docker.io:443
www.python.org:443
- name: Checkout panther-analysis
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
- uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 #v3.0.0
- name: Set up Docker Buildx
id: buildx
Expand Down
15 changes: 12 additions & 3 deletions .github/workflows/lint.yml
Original file line number Diff line number Diff line change
@@ -1,16 +1,25 @@
on:
pull_request:

permissions:
contents: read

jobs:
lint:
name: Lint
runs-on: ubuntu-latest

steps:
- name: Checkout panther-analysis
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
ref: ${{ github.event.pull_request.head.sha }}
disable-sudo: true
egress-policy: block
allowed-endpoints: >
files.pythonhosted.org:443
github.com:443
pypi.org:443
- name: Checkout panther-analysis
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7

- name: Set python version
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d #v5.1.0
Expand Down
8 changes: 7 additions & 1 deletion .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ name: Panther Analysis Release
on:
workflow_dispatch:

permissions:
contents: read

jobs:
release:
runs-on: ubuntu-latest
Expand All @@ -12,7 +15,10 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.PANTHER_BOT_AUTOMATION_TOKEN }}
steps:
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
egress-policy: audit
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
with:
fetch-depth: 0
token: ${{ env.GITHUB_TOKEN }}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/sync-from-upstream.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ jobs:
branch: "sync_upstream_${{steps.set_upstream.outputs.latest-release}}"
# Checkout this repo into the branch
- name: Checkout your local repo in PR branch
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
with:
ref: "sync_upstream_${{steps.set_upstream.outputs.latest-release}}"
token: ${{ secrets.GITHUB_TOKEN }}
Expand Down
14 changes: 13 additions & 1 deletion .github/workflows/test.yml
Original file line number Diff line number Diff line change
@@ -1,14 +1,26 @@
on:
pull_request:

permissions:
contents: read

jobs:
test:
name: Test
runs-on: ubuntu-latest

steps:
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
files.pythonhosted.org:443
github.com:443
ipinfo.io:443
pypi.org:443
- name: Checkout panther-analysis
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7

- name: Set python version
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d #v5.1.0
Expand Down
10 changes: 8 additions & 2 deletions .github/workflows/upload.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,22 +3,28 @@ on:
branches:
- main

permissions:
contents: read

jobs:
upload:
name:
name: Upload
runs-on: ubuntu-latest
env:
API_HOST: ${{ secrets.API_HOST }}
API_TOKEN: ${{ secrets.API_TOKEN }}
steps:
- uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
egress-policy: audit
- name: Validate Secrets
if: ${{ env.API_HOST == '' || env.API_TOKEN == '' }}
run: |
echo "API_HOST or API_TOKEN not set"
exit 0

- name: Checkout panther-analysis
uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7

- name: Set python version
uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d #v5.1.0
Expand Down
3 changes: 0 additions & 3 deletions .husky/pre-commit

This file was deleted.

Binary file added .img/panther-logo-github-highres-dark.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added .img/panther-logo-github-highres-light.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file removed .img/panther-logo-github-highres.png
Binary file not shown.
66 changes: 56 additions & 10 deletions .vscode/rule_jsonschema.json
Original file line number Diff line number Diff line change
Expand Up @@ -61,15 +61,18 @@
"$ref": "#/definitions/ScheduledQueries"
}
},
"required": [
"AnalysisType",
"DisplayName",
"Enabled",
"RuleID",
"Severity",
"Tests"
],
"required": ["AnalysisType", "DisplayName", "Enabled", "RuleID", "Severity"],
"additionalProperties": false,
"allOf": [
{
"if": {
"properties": { "AnalysisType": { "enum": ["rule", "scheduled_rule"] } }
},
"then": {
"required": ["Tests"]
}
}
],
"anyOf": [
{
"required": ["Filename"]
Expand All @@ -82,7 +85,7 @@
"AnalysisType": {
"description": "what kind of detection",
"type": "string",
"enum": ["rule", "scheduled_rule"],
"enum": ["rule", "scheduled_rule", "correlation_rule"],
"default": "rule"
},
"DisplayName": {
Expand Down Expand Up @@ -177,6 +180,23 @@
"type": "string",
"minLength": 1
},
"RuleMatch": {
"$comment": "https://docs.panther.com/detections/correlation-rules/correlation-rule-reference#ruleoutput-fields",
"description": "The Match that occurred for 1 of the rules in this test case",
"type": "object",
"required": ["ID"],
"properties": {
"ID": {
"type": "string",
"description": "The ID of the Rule from the Sequence/Group section above to simulate matches on"
},
"Matches": {
"type": "object",
"description": "The Match definition for this rule. Key: field that matched. value: mapping of the value that was matched on to the timestamps that the match(es) occurred. See docs for more details",
"$comment": "https://docs.panther.com/detections/correlation-rules/correlation-rule-reference#matchvalue-fields"
}
}
},
"Tests": {
"$comment": "https://docs.panther.com/detections/writing-and-editing-detections",
"description": "Unit test cases",
Expand Down Expand Up @@ -225,16 +245,42 @@
"else": false
}
]
},
"RuleOutputs": {
"anyOf": [
{
"if": {
"properties": {
"AnalysisType": { "enum": ["correlation_rule"] }
}
},
"then": {
"type": "array",
"description": "List of Rule Matches that occurred for this test case",
"items": { "$ref": "#/definitions/RuleMatch" },
"minItems": 1
},
"else": false
}
]
}
},
"allOf": [
"oneOf": [
{
"if": {
"properties": { "AnalysisType": { "enum": ["rule"] } }
},
"then": {
"required": ["Name", "ExpectedResult", "Log"]
}
},
{
"if": {
"properties": { "AnalysisType": { "enum": ["correlation_rule"] } }
},
"then": {
"required": ["Name", "ExpectedResult", "RuleOutputs"]
}
}
]
}
Expand Down
11 changes: 1 addition & 10 deletions Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,6 @@ RUN apk update \
git \
libffi-dev \
ncurses-dev \
nodejs \
npm \
openssl-dev \
readline-dev \
sqlite-dev \
Expand Down Expand Up @@ -46,15 +44,8 @@ WORKDIR /home/panther-analysis
# Install requirements
COPY Pipfile .
COPY Pipfile.lock .
RUN pipenv uninstall --all
RUN pipenv sync --dev

COPY package.json .
COPY package-lock.json .
RUN npm install

ENV PATH="/home/panther-analysis/node_modules/.bin:$PATH"

# Remove pipfile so it doesn't interfere with local files after install
RUN rm Pipfile
RUN rm Pipfile
RUN rm Pipfile.lock
6 changes: 1 addition & 5 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ vscode-config: install-pipenv install
@echo "Creating new vscode config files"
cp .vscode/example_launch.json .vscode/launch.json
sed -e 's#XXX_pipenv_py_output_XXX#$(shell pipenv --py)#' .vscode/example_settings.json > .vscode/settings.json
which code && code .
which code && code .

ci:
pipenv run $(MAKE) lint test
Expand All @@ -42,7 +42,6 @@ lint-pylint:
lint-fmt:
@echo Checking python file formatting with the black code style checker
pipenv run black --line-length=100 --check $(dirs)
npx prettier . --check

venv:
pipenv sync --dev
Expand All @@ -53,12 +52,9 @@ pat-update:
fmt:
pipenv run isort --profile=black $(dirs)
pipenv run black --line-length=100 $(dirs)
npx prettier . --write --list-different

install:
pipenv sync --dev
# install prettier for formatting YAML and Markdown files
npm install

test: global-helpers-unit-test
pipenv run panther_analysis_tool test $(TEST_ARGS)
Expand Down
Loading
Loading