Prepare for v3.55.0

.github/dependabot.yml

@@ -0,0 +1,8 @@
+version: 2
+
+updates:
+ # Update the GitHub actions used in our CI/CD workflow
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"

.github/workflows/check-packs.yml

@@ -1,14 +1,28 @@
 on:
  pull_request:
 
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
  check_packs:
  name: check packs
  runs-on: ubuntu-latest
 
  steps:
+ - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ files.pythonhosted.org:443
+ github.com:443
+ pypi.org:443
+
  - name: Checkout panther-analysis
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
  - name: Set python version
  uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d #v5.1.0
@@ -25,27 +39,29 @@ jobs:
  panther_analysis_tool check-packs 2> errors.txt || true
 
  # run again to get exit code
- panther_analysis_tool check-packs || echo ::set-output name=errors::`cat errors.txt`
+ panther_analysis_tool check-packs || echo "errors=`cat errors.txt`" >> $GITHUB_OUTPUT
 
  - name: Comment PR
- uses: thollander/actions-comment-pull-request@v2
+ uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6
  if: ${{ steps.check-packs.outputs.errors }}
  with:
  mode: upsert
  message: |
- :scream: 
- looks like somethings could be wrong with the packs
+ :scream:
+ looks like some things could be wrong with the packs
  ```diff
  ${{ steps.check-packs.outputs.errors }}
+ ```
  comment_tag: check-packs
  - name: Delete comment
- uses: thollander/actions-comment-pull-request@v2
+ uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6
  if: ${{ !steps.check-packs.outputs.errors }}
  with:
  mode: delete
  message: |
- :scream: 
- looks like somethings could be wrong with the packs
+ :scream:
+ looks like some things could be wrong with the packs
  ```diff
  ${{ steps.check-packs.outputs.errors }}
+ ```
  comment_tag: check-packs

.github/workflows/docker.yml

@@ -3,13 +3,31 @@ on:
  paths:
  - "Dockerfile"
 
+permissions:
+ contents: read
+
 jobs:
  test:
  name: Build Dockerfile
  runs-on: ubuntu-latest
  steps:
+ - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ 9236a389bd48b984df91adc1bc924620.r2.cloudflarestorage.com:443
+ auth.docker.io:443
+ cgr.dev:443
+ files.pythonhosted.org:443
+ github.com:443
+ packages.wolfi.dev:443
+ production.cloudflare.docker.com:443
+ pypi.org:443
+ registry-1.docker.io:443
+ www.python.org:443
  - name: Checkout panther-analysis
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
  - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 #v3.0.0
  - name: Set up Docker Buildx
  id: buildx

.github/workflows/lint.yml

@@ -1,16 +1,25 @@
 on:
  pull_request:
 
+permissions:
+ contents: read
+
 jobs:
  lint:
  name: Lint
  runs-on: ubuntu-latest
 
  steps:
- - name: Checkout panther-analysis
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
+ - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
  with:
- ref: ${{ github.event.pull_request.head.sha }}
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ files.pythonhosted.org:443
+ github.com:443
+ pypi.org:443
+ - name: Checkout panther-analysis
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
  - name: Set python version
  uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d #v5.1.0

.github/workflows/release.yml

@@ -3,6 +3,9 @@ name: Panther Analysis Release
 on:
  workflow_dispatch:
 
+permissions:
+ contents: read 
+
 jobs:
  release:
  runs-on: ubuntu-latest
@@ -12,7 +15,10 @@ jobs:
  env:
  GITHUB_TOKEN: ${{ secrets.PANTHER_BOT_AUTOMATION_TOKEN }}
  steps:
- - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
+ - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ with:
+ egress-policy: audit
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
  with:
  fetch-depth: 0
  token: ${{ env.GITHUB_TOKEN }}

.github/workflows/sync-from-upstream.yml

@@ -37,7 +37,7 @@ jobs:
  branch: "sync_upstream_${{steps.set_upstream.outputs.latest-release}}"
  # Checkout this repo into the branch
  - name: Checkout your local repo in PR branch
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
  with:
  ref: "sync_upstream_${{steps.set_upstream.outputs.latest-release}}"
  token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yml

@@ -1,14 +1,26 @@
 on:
  pull_request:
 
+permissions:
+ contents: read
+
 jobs:
  test:
  name: Test
  runs-on: ubuntu-latest
 
  steps:
+ - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ files.pythonhosted.org:443
+ github.com:443
+ ipinfo.io:443
+ pypi.org:443
  - name: Checkout panther-analysis
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
  - name: Set python version
  uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d #v5.1.0

.github/workflows/upload.yml

@@ -3,22 +3,28 @@ on:
  branches:
  - main
 
+permissions:
+ contents: read 
+
 jobs:
  upload:
- name:
+ name: Upload
  runs-on: ubuntu-latest
  env:
  API_HOST: ${{ secrets.API_HOST }}
  API_TOKEN: ${{ secrets.API_TOKEN }}
  steps:
+ - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ with:
+ egress-policy: audit
  - name: Validate Secrets
  if: ${{ env.API_HOST == '' || env.API_TOKEN == '' }}
  run: |
  echo "API_HOST or API_TOKEN not set"
  exit 0
 
  - name: Checkout panther-analysis
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
  - name: Set python version
  uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d #v5.1.0

.vscode/rule_jsonschema.json

@@ -61,15 +61,18 @@
  "$ref": "#/definitions/ScheduledQueries"
  }
  },
- "required": [
- "AnalysisType",
- "DisplayName",
- "Enabled",
- "RuleID",
- "Severity",
- "Tests"
- ],
+ "required": ["AnalysisType", "DisplayName", "Enabled", "RuleID", "Severity"],
  "additionalProperties": false,
+ "allOf": [
+ {
+ "if": {
+ "properties": { "AnalysisType": { "enum": ["rule", "scheduled_rule"] } }
+ },
+ "then": {
+ "required": ["Tests"]
+ }
+ }
+ ],
  "anyOf": [
  {
  "required": ["Filename"]
@@ -82,7 +85,7 @@
  "AnalysisType": {
  "description": "what kind of detection",
  "type": "string",
- "enum": ["rule", "scheduled_rule"],
+ "enum": ["rule", "scheduled_rule", "correlation_rule"],
  "default": "rule"
  },
  "DisplayName": {
@@ -177,6 +180,23 @@
  "type": "string",
  "minLength": 1
  },
+ "RuleMatch": {
+ "$comment": "https://docs.panther.com/detections/correlation-rules/correlation-rule-reference#ruleoutput-fields",
+ "description": "The Match that occurred for 1 of the rules in this test case",
+ "type": "object",
+ "required": ["ID"],
+ "properties": {
+ "ID": {
+ "type": "string",
+ "description": "The ID of the Rule from the Sequence/Group section above to simulate matches on"
+ },
+ "Matches": {
+ "type": "object",
+ "description": "The Match definition for this rule. Key: field that matched. value: mapping of the value that was matched on to the timestamps that the match(es) occurred. See docs for more details",
+ "$comment": "https://docs.panther.com/detections/correlation-rules/correlation-rule-reference#matchvalue-fields"
+ }
+ }
+ },
  "Tests": {
  "$comment": "https://docs.panther.com/detections/writing-and-editing-detections",
  "description": "Unit test cases",
@@ -225,16 +245,42 @@
  "else": false
  }
  ]
+ },
+ "RuleOutputs": {
+ "anyOf": [
+ {
+ "if": {
+ "properties": {
+ "AnalysisType": { "enum": ["correlation_rule"] }
+ }
+ },
+ "then": {
+ "type": "array",
+ "description": "List of Rule Matches that occurred for this test case",
+ "items": { "$ref": "#/definitions/RuleMatch" },
+ "minItems": 1
+ },
+ "else": false
+ }
+ ]
  }
  },
- "allOf": [
+ "oneOf": [
  {
  "if": {
  "properties": { "AnalysisType": { "enum": ["rule"] } }
  },
  "then": {
  "required": ["Name", "ExpectedResult", "Log"]
  }
+ },
+ {
+ "if": {
+ "properties": { "AnalysisType": { "enum": ["correlation_rule"] } }
+ },
+ "then": {
+ "required": ["Name", "ExpectedResult", "RuleOutputs"]
+ }
  }
  ]
  }

Dockerfile

@@ -11,8 +11,6 @@ RUN apk update \
  git \
  libffi-dev \
  ncurses-dev \
- nodejs \
- npm \
  openssl-dev \
  readline-dev \
  sqlite-dev \
@@ -49,12 +47,6 @@ COPY Pipfile.lock .
 RUN pipenv uninstall --all
 RUN pipenv sync --dev
 
-COPY package.json .
-COPY package-lock.json .
-RUN npm install
-
-ENV PATH="/home/panther-analysis/node_modules/.bin:$PATH"
-
 # Remove pipfile so it doesn't interfere with local files after install
-RUN rm Pipfile 
+RUN rm Pipfile
 RUN rm Pipfile.lock

Makefile

@@ -18,7 +18,7 @@ vscode-config: install-pipenv install
  @echo "Creating new vscode config files"
  cp .vscode/example_launch.json .vscode/launch.json
  sed -e 's#XXX_pipenv_py_output_XXX#$(shell pipenv --py)#' .vscode/example_settings.json > .vscode/settings.json
- which code && code . 
+ which code && code .
 
 ci:
  pipenv run $(MAKE) lint test
@@ -42,7 +42,6 @@ lint-pylint:
 lint-fmt:
  @echo Checking python file formatting with the black code style checker
  pipenv run black --line-length=100 --check $(dirs)
- npx prettier . --check
 
 venv:
  pipenv sync --dev
@@ -53,12 +52,9 @@ pat-update:
 fmt:
  pipenv run isort --profile=black $(dirs)
  pipenv run black --line-length=100 $(dirs)
- npx prettier . --write --list-different
 
 install:
  pipenv sync --dev
- # install prettier for formatting YAML and Markdown files
- npm install
 
 test: global-helpers-unit-test
  pipenv run panther_analysis_tool test $(TEST_ARGS)

Pipfile

@@ -19,7 +19,7 @@ wrapt = "~=1.15"
 [packages]
 policyuniverse = "==1.5.1.20230817"
 requests = "==2.31.0"
-panther-analysis-tool = "~=0.49"
+panther-analysis-tool = "~=0.50"
 panther-detection-helpers = "==0.4.0"
 
 [requires]