Releases: panther-labs/panther-analysis
v1.46.0
What's Changed
🕵️♂️ Nkulig mitre attack ta0007 t1087 by @nkulig in #567
🕵️♂️ Added new rule to alert on traffic mirroring events in AWS cloudtrail; tests included and pack updated by @andrea-youwakim in #555
🕵️♂️ sentinelone passthrough by @calkim-panther in #576
🕵️♂️ adding existing enabled s3 rules to prod after QA by @andrea-youwakim in #577
🌯 Add back Tor Exit Nodes LUT now that 1.45 is released by @rleighton in #539
🕵️♂️ adding qa'ed vpc flow rules to aws pack to make available to our customers by @andrea-youwakim in #578
Full Changelog: v1.45.0...v1.46.0
v1.45.0
New Detections
🕵️♂️ Github: New Secret Scanning Rule & Update Pack by @jpl5280 in #574
🕵️♂️ Adding qa tested aws guardduty rules to aws pack by @andrea-youwakim in #575
Full Changelog: v1.44.0...v1.45.0
v1.44.0
v1.43.0
New Detections
🕵️♂️ adding the final batch of qa tested already existing aws cloudtrail rules to prod by @andrea-youwakim in #569
Full Changelog: v1.42.0...v1.43.0
v1.42.0
New Detections
🕵️♂️ fix: two detections that are detecting T1108 are not annotated as such by @edyesed in #565
🕵️♂️ adding qa'ed aws cloudtrail rules to prod by @andrea-youwakim in #568
Bug Fixes
🐛 Removed unnecessary ecr rules (duplicate logic), updated existing by @calkim-panther in #561
Miscellaneous
🏠 fix: add some error handling to the sync action by @edyesed in #564
Full Changelog: v1.41.0...v1.42.0
v1.41.0
New Detections
🕵️♂️ feat: a detection that alerts when a panther user is modified by @edyesed in #559
🕵️♂️ aws queries by @calkim-panther in #558
🕵️♂️ scheduled query vpc scanning by @calkim-panther in #560
🕵️♂️ shipping qa'ed additions to pack (already existing rules only) by @andrea-youwakim in #562
Full Changelog: v1.40.0...v1.41.0
v1.40.0
New Detections
🌯 additional AWS detections in the AWS Pack and addition of global_helper for the Zoom pack from #557
Bug Fixes
🐛 Update gcp_unused_regions.py to handle the None case by @dotbeseck in #554
Miscellaneous
🏠 remove outdated sample query via #553
Full Changelog: v1.39.0...v1.40.0
v1.39.0
New Detections
🕵️ microsoft graph passthrough in #544
🕵️ detection for EC2 *Image* cloudtrail events relating to ATT&CK T1204 in #545
🕵️ detection for IAM Identity modifying the userProfile of another without setting the must reset password bit relating to ATT&CK T1550 in #548
🌯 update gsuite pack to include data model in #552
Bug Fixes
🐛 gsuite drive visibility title bug #543
🐛 guardduty context in #535
🐛 Potential typo prevents tests from passing in okta_password_accessed detection by @fr0mdual in #546
🐛 fix: get_val_from_list would raise an error if the comparison key was not in the input item of the list in #547 (revealed by #546)
🐛 fix: dedup aws_iam_user_key_created based on the userIdentity.arn to group by source identity in #549
Miscellaneous
🏠 fix: Default behavior of our python environment should be to use the Pipfile.lock specified versions in #541
🏠 feat: allow gsuite admins to provide an allow-list of applicationNames for when google is the IdP for a saml app in #542
🏠 docker support for windows environments in #538
🏠 fix: remove all references to ast.literal_eval in #551
Full Changelog: v1.38.1...v1.39.0
v1.38.1
v1.38.0
New Detections
🕵️ EC2 CRUD Activities via #507
🕵️ EC2 EBS Default Encryption settings changes via #523
🕵️ EC2 Startup Script/user-data changes via #523
🕵️ IAM User AccessKey created for another user via #523
🕵️ IAM SAML Settings changed via #523
🕵️ EC2 Snapshot setting modified via #523
🕵️ AWS Region should not be used via #531
🕵️ EC2 Modifications happening outside of automation via #532
🕵️ AWS WAF WebACL dis-associated from resource via #532
🕵️ MSFT Graph passthrough detections via #530
Bug Fixes
🐛 Some detections had print() statements. These print() statements have been removed and we now lint to confirm that they are not present via #533
🐛 MITRE Technique association fix for AWS WAF WebACL dis-associated from resource via #532
🐛 Adding default values into the deep_get function call used by the IAM Keys Created For Another User detection and a comparison tweak via #537
Miscellaneous
🏠 Cloudtrail eventSource and awsRegion added to default alert context for cloudtrail detections via #531
Full Changelog: v1.37.1...v1.38.0