v2.0.0

@edyesed edyesed released this 10 Feb 21:24
4f5b54e

Why are we upping the major version number to v2?

We received a report and PR from users demonstrating an unanticipated behavior in the global_helper deep_get.

The scenario is this:

  1. deep_get is called like this: deep_get(event, 'key_that_might_exist', default=Not_None).
  2. deep_get must be called with a default= kwarg whose value is something other than None to enter into the changed behavior.
  3. AND deep_get gets a hit on key_that_might_exist
  4. AND the value of that key is None
    1. Old Behavior -> deep_get returns None
    2. New Behavior -> deep_get returns the value of default

This is the scenario where the old behavior and the new behavior lead to different outcomes in a detection:

if event had the following definition

{
  "some_key": null,
  "another_key": 1
}

and the detection has this logic

from panther_base_helpers import deep_get  # the global helper whose behavior changed

def rule(event):
    my_check = deep_get(event, 'some_key', default='')
    # Under the old behavior, my_check is None at this point,
    # because deep_get did find `some_key` in event
    # and the value of `some_key` was None
    if my_check is None:
        return False
    return True

Then a detection would be incompatible with the new behavior.

This is a scenario where a detection is compatible with both the old and the new behavior:

event has the same definition as above

and the detection has this logic

from panther_base_helpers import deep_get  # the global helper whose behavior changed

def rule(event):
    my_check = deep_get(event, 'some_key', default='')
    # Under the old behavior, my_check is None at this point:
    # deep_get did find `some_key` in event
    # and the value of `some_key` was None
    if not my_check:
        return False
    return True

The detection code directly above will work without modification because my_check is falsey in the old behavior (my_check had the value None) and my_check is falsey in the new behavior (my_check is now '').

The changed behavior applies when deep_get is passed the default= kwarg and gets a hit on the search keys where the value of the search key is None:
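To make the two scenarios above concrete, here is an added example (not the project's own helper code) that re-implements the old and new deep_get semantics as described in this release and runs both detection styles against the event shown above. The helper bodies and the `compare` function are assumptions modelled on the behavior described, not the actual panther_base_helpers source.

```python
from typing import Any, Callable

_MISSING = object()  # sentinel so "key absent" can be told apart from "value is None"


def deep_get_old(dictionary: dict, *keys: str, default: Any = None) -> Any:
    """v1.x semantics (assumed from the release notes): walk the keys and return
    `default` only when a key is absent. A key present with value None returns None."""
    current: Any = dictionary
    for key in keys:
        if not isinstance(current, dict) or key not in current:
            return default
        current = current[key]
    return current


def deep_get_new(dictionary: dict, *keys: str, default: Any = None) -> Any:
    """v2.0.0 semantics: same walk, but a retrieved value that is explicitly None
    is replaced by `default` as well."""
    value = deep_get_old(dictionary, *keys, default=_MISSING)
    if value is _MISSING or value is None:
        return default
    return value


# Constructed event matching the one in the release notes (JSON null -> None).
EVENT = {"some_key": None, "another_key": 1}


def rule_is_none_check(event: dict, deep_get: Callable) -> bool:
    """The incompatible detection: explicit `is None` comparison."""
    my_check = deep_get(event, "some_key", default="")
    if my_check is None:
        return False
    return True


def rule_falsey_check(event: dict, deep_get: Callable) -> bool:
    """The compatible detection: truthiness test, falsey for None and ''."""
    my_check = deep_get(event, "some_key", default="")
    if not my_check:
        return False
    return True


def compare(event: dict) -> dict:
    """Return (old_result, new_result) per detection style; a mismatch means the
    detection changes outcome when the helper is upgraded."""
    return {
        "is_none_check": (rule_is_none_check(event, deep_get_old), rule_is_none_check(event, deep_get_new)),
        "falsey_check": (rule_falsey_check(event, deep_get_old), rule_falsey_check(event, deep_get_new)),
    }
```

Running `compare(EVENT)` shows the `is None` detection flipping from False to True across the upgrade while the truthiness detection stays False in both.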

  • fix: deep_get should honor default kwarg if the value it retrieves is explicitly None by @edyesed in #672

New Detections

🕵️ new rule: alerts when zoom user toggles off org setting to automatically sign out users after a specified period of time by @andrea-youwakim in #660
🕵️ new detection: zoom rule to alert when user modifies an organization's sign in methods by @andrea-youwakim in #666
🕵️ asana workspace email domain detection by @calkim-panther in #661
🕵️ new detection: adding new detection to alert when a zoom user disables an org's setting to require passcodes for new meetings by @andrea-youwakim in #669
🕵️ new detection: alerts when a zoom user disables an org's setting to sign in with 2fa by @andrea-youwakim in #676

Bug Fixes

🐛 or 🕵️ modify cloudtrail policy for advanced selectors by @calkim-panther in #663
🎵 tune: standard_rule/brute_force_by_ip by @edyesed in #667
🎵 unmanaged detections tuning by @calkim-panther in #625

Miscellaneous

🏠 Added support for dictionary values in DynamoDB by @natezpanther in #653
🏠 Change IPInfo refresh frequency to daily by @debugmiller in #668

Full Changelog: v1.54.0...v2.0.0