v3.2.2

What's Changed

🕵️ New Detections

• feat: Snyk detections for OU changes and external access changes by @edyesed in #729

🏡 Miscellaneous

• Double quote names and IDs the way that bulk download does by @dekatzenel in #724
• Added force ttl check option to kv-table functions by @nhakmiller in #725
• Snowflake queries minor fixes by @andrea-youwakim in #728
• Atlassian impersonation detection display name by @mbellifa in #730

New Contributors

• @dekatzenel made their first contribution in #724

Full Changelog: v3.2.1...v3.2.2

v3.2.1

New Detections

🔍 Snowflake Account Admin Assigned Query
🔍 Snowflake Brute Force IP Query
🔍 Snowflake Brute Force Username Query
🔍 Snowflake Login Without MFA Query
🕵️‍♂️ GCP BigQuery Large Scan Detection
🕵️‍♂️ GCP Cloud Storage Bucket Modified or Deleted Detection
🕵️‍♂️ GCP Destructive Queries Detection
🕵️‍♂️ GCP Logging Settings Modified Detection
🕵️‍♂️ Snyk System Policy Change Detection
🕵️‍♂️ Snyk SSO Modified Detection

Full Changelog: v3.2.0...v3.2.1

v3.2.0

What's Changed

🕵️ New Detections

• new detection: alert when an asana user starts an export for an organization by @andrea-youwakim in #702
• new detection: alert when a zoom user changes an organization's sign in requirements by @andrea-youwakim in #692

🐛 Bug Fixes and Tunes

• adding additional logic to drop alert severity to low if outcome is DENY by @andrea-youwakim in #709

🏡 Miscellaneous

• feat: vscode one click debugging by @edyesed in #706
• GCP VPC Flow Logs Disabled and Request Violating VPC Service Controls by @calkim-panther in #707
• Fix/edyesed/ignore aws distributed policies by @edyesed in #710

Full Changelog: v3.1.0...v3.2.0

v3.1.0

What's Changed

🕵️ New Detections

• new detection: alerts when an asana user changes an organization's password requirements to 'simple' by @andrea-youwakim in #701
• New detection: alert when an asana user makes saml optional for an organization by @andrea-youwakim in #696
• New detection: alerts when asana user disables app approval requirements for an organization by @andrea-youwakim in #697
• Feat: global filter for github log sources by @edyesed in #705

🌯 Packs changes

• Asana pack -> New detections
• GitHub pack -> global filter added to pack and detections

🐛 Bug Fixes and Tunes

• cloudtrail enabled bugfix by @calkim-panther in #703

🏡 Miscellaneous

• chore: let automagic release note generation do more for us by @edyesed in #698

Full Changelog: v3.0.1...v3.1.0

v3.0.1

Miscellaneous

🏠 chore: make fmt wanted to reorder a few imports based on panther being renamed panther_default by @edyesed in #700

Full Changelog: v3.0.0...v3.0.1

v3.0.0

Why a major version change

We've updated the name of the global helper previously known as panther to panther_default.

This change aligns the python module name of the global helper to be the same as the file name which provides the module. With the two names in sync, your IDE's code completion features should be working. If you have already informed your IDE to use global_helpers as an autocomplete and/or analysis path, no action is needed. If you haven't set that up already, there are some vscode specific examples on #691

New Detections

🕵️‍♂️ new asana service account is created by @andrea-youwakim in #695

Bug Fixes

🐛 new format for AWS resource tags by @calkim-panther in #664

Miscellaneous

🏠 fix: update panther_default global helper use its file name for IDE happiness by @edyesed in #691
🏠 feat: logtype global filter for cloudflare events by @edyesed in #690
🏠 fix: sync policyuniverse version to backend by @edyesed in #699

Full Changelog: v2.2.0...v3.0.0

v2.2.0

New Detections

🕵️‍♂️ Add Dropbox Team Member Linked App Rule by @egibs in #687

Bug Fixes

🐛 Refactor: slack_user_privilege_escalation by @miotke in #686
🐛 Snowflake Query DisplayName Updates by @mbellifa in #682
🐛 tuning: high vol events blocked greynoise by @andrea-youwakim in #688

Miscellaneous

🏠 Bump PAT version to 0.19.6 by @egibs in #684 & #685

New Contributors

• @egibs made their first contribution in #684
• @mbellifa made their first contribution in #682

Full Changelog: v2.1.0...v2.2.0

v2.1.0

New Detections

🕵️‍♂️ feat: asana new workspace admin detection by @edyesed in #679
🕵️ feat: A detection for if a configured github action fails by @edyesed in #681
🌯 asana pack by @calkim-panther in #670
👨‍🍳 Add IPInfo Privacy enrichment providers by @debugmiller in #680

Bug Fixes

🐛 chore: tune out aws config checking on ec2 traffic mirroring by @edyesed in #678

Miscellaneous

🏠 Deprecated AWS CloudTrail 2 minute count + detection by @natezpanther in #674
🏠 Add helper function for Crowdstrike Detections by @papanikge in #673

Full Changelog: v2.0.1...v2.1.0

v2.0.1

New Detections

Bug Fixes

🐛 Update panther_sensitive_role_created.py to handle some NoneTypes by @dotbeseck in #675

Miscellaneous

🏠 fix: bump panther_analysis_tool to 0.19.5 for some additional snyk logs by @edyesed in #677

Full Changelog: v2.0.0...v2.0.1

v2.0.0

Why are we upping the major version number to v2?

We received a report and PR from users demonstrating an an unanticipated behavior in the global_helper deep_get.

The scenario is this

1. When deep get is called like this deep_get(event, 'key_that_might_exist', default=Not_None).
2. deep_get must be called with a default= kwarg whose value is something other than None to enter into the changing behavior.
3. AND deep_get gets a hit on key_that_might_exist
4. AND the value of that key is None
   1. Old Behavior -> deep_get returns None
   2. New Behavior -> deep_get returns value of default

This is the scenario where the old behavior and the new behavior lead to different outcomes in a detection:

if event had the following definition

{
  "some_key": null,
  "another_key": 1
}

and the detection has this logic

my_check = deep_get(event, 'some_key', default='')
# At this point the value of my_check is None
# because deep_get did find `some_key` in event 
# and the value of `some_key` was None
if my_check is None:
   return False

Then a detection would be incompatible with the new behavior.

This is a scenario where a detection is compatible with the old and new behavior

event has the same definition as above

and the detection has this logic

my_check = deep_get(event, 'some_key', default='')
# At this point the value of my_check is None ( because this example uses the old behavior )
# deep_get did find `some_key` in event 
# and the value of `some_key` was None
if not my_check:
   return False

The detection code directly above will work without modification because my_check is falsey in the old behavior ( my_check had the value of None ) and my_check is falsey in the new behavior ( my_check now returns '' ).

where when deep_get is passed the default= kwarg, and it gets a hit on the search keys where the value of the search key is None

• fix: deep_get should honor default kwarg if the value it retrieves is explicitly None by @edyesed in #672

New Detections

🕵️ new rule: alerts when zoom user toggles off org setting to automatically sign out users after a specified period of time by @andrea-youwakim in #660
🕵️ new detection: zoom rule to alert when user modifies an organization's sign in methods by @andrea-youwakim in #666
🕵️ asana workspace email domain detection by @calkim-panther in #661
🕵️ new detection: adding new detection to alert when a zoom user disables an org's setting to require passcodes for new meetings by @andrea-youwakim in #669
🕵️ new detection: alerts when a zoom user disables an org's setting to sign in with 2fa by @andrea-youwakim in #676

Bug Fixes

🐛 or 🕵️ modify cloudtrail policy for advanced selectors by @calkim-panther in #663
🎵 tune: standard_rule/brute_force_by_ip by @edyesed in #667
🎵 unmanaged detections tuning by @calkim-panther in #625

Miscellaneous

🏠 Added support for dictionary values in DynamoDB by @natezpanther in #653
🏠 Change IPInfo refresh frequency to daily by @debugmiller in #668

Full Changelog: v1.54.0...v2.0.0