Releases: panther-labs/panther-analysis
v3.2.2
What's Changed
๐ต๏ธ New Detections
๐ก Miscellaneous
- Double quote names and IDs the way that bulk download does by @dekatzenel in #724
- Added force ttl check option to kv-table functions by @nhakmiller in #725
- Snowflake queries minor fixes by @andrea-youwakim in #728
- Atlassian impersonation detection display name by @mbellifa in #730
New Contributors
- @dekatzenel made their first contribution in #724
Full Changelog: v3.2.1...v3.2.2
v3.2.1
New Detections
๐ Snowflake Account Admin Assigned Query
๐ Snowflake Brute Force IP Query
๐ Snowflake Brute Force Username Query
๐ Snowflake Login Without MFA Query
๐ต๏ธโโ๏ธ GCP BigQuery Large Scan Detection
๐ต๏ธโโ๏ธ GCP Cloud Storage Bucket Modified or Deleted Detection
๐ต๏ธโโ๏ธ GCP Destructive Queries Detection
๐ต๏ธโโ๏ธ GCP Logging Settings Modified Detection
๐ต๏ธโโ๏ธ Snyk System Policy Change Detection
๐ต๏ธโโ๏ธ Snyk SSO Modified Detection
Full Changelog: v3.2.0...v3.2.1
v3.2.0
What's Changed
๐ต๏ธ New Detections
- new detection: alert when an asana user starts an export for an organization by @andrea-youwakim in #702
- new detection: alert when a zoom user changes an organization's sign in requirements by @andrea-youwakim in #692
๐ Bug Fixes and Tunes
- adding additional logic to drop alert severity to low if outcome is DENY by @andrea-youwakim in #709
๐ก Miscellaneous
- feat: vscode one click debugging by @edyesed in #706
- GCP VPC Flow Logs Disabled and Request Violating VPC Service Controls by @calkim-panther in #707
- Fix/edyesed/ignore aws distributed policies by @edyesed in #710
Full Changelog: v3.1.0...v3.2.0
v3.1.0
What's Changed
๐ต๏ธ New Detections
- new detection: alerts when an asana user changes an organization's password requirements to 'simple' by @andrea-youwakim in #701
- New detection: alert when an asana user makes saml optional for an organization by @andrea-youwakim in #696
- New detection: alerts when asana user disables app approval requirements for an organization by @andrea-youwakim in #697
- Feat: global filter for github log sources by @edyesed in #705
๐ฏ Packs changes
- Asana pack -> New detections
- GitHub pack -> global filter added to pack and detections
๐ Bug Fixes and Tunes
- cloudtrail enabled bugfix by @calkim-panther in #703
๐ก Miscellaneous
Full Changelog: v3.0.1...v3.1.0
v3.0.1
v3.0.0
Why a major version change
We've updated the name of the global helper previously known as panther
to panther_default
.
This change aligns the python module name of the global helper to be the same as the file name which provides the module. With the two names in sync, your IDE's code completion features should be working. If you have already informed your IDE to use global_helpers
as an autocomplete and/or analysis path, no action is needed. If you haven't set that up already, there are some vscode specific examples on #691
New Detections
๐ต๏ธโโ๏ธ new asana service account is created by @andrea-youwakim in #695
Bug Fixes
๐ new format for AWS resource tags by @calkim-panther in #664
Miscellaneous
๐ fix: update panther_default global helper use its file name for IDE happiness by @edyesed in #691
๐ feat: logtype global filter for cloudflare events by @edyesed in #690
๐ fix: sync policyuniverse version to backend by @edyesed in #699
Full Changelog: v2.2.0...v3.0.0
v2.2.0
New Detections
๐ต๏ธโโ๏ธ Add Dropbox Team Member Linked App Rule by @egibs in #687
Bug Fixes
๐ Refactor: slack_user_privilege_escalation by @miotke in #686
๐ Snowflake Query DisplayName Updates by @mbellifa in #682
๐ tuning: high vol events blocked greynoise by @andrea-youwakim in #688
Miscellaneous
๐ Bump PAT version to 0.19.6 by @egibs in #684 & #685
New Contributors
Full Changelog: v2.1.0...v2.2.0
v2.1.0
New Detections
๐ต๏ธโโ๏ธ feat: asana new workspace admin detection by @edyesed in #679
๐ต๏ธ feat: A detection for if a configured github action fails by @edyesed in #681
๐ฏ asana pack by @calkim-panther in #670
๐จโ๐ณ Add IPInfo Privacy enrichment providers by @debugmiller in #680
Bug Fixes
๐ chore: tune out aws config checking on ec2 traffic mirroring by @edyesed in #678
Miscellaneous
๐ Deprecated AWS CloudTrail 2 minute count + detection by @natezpanther in #674
๐ Add helper function for Crowdstrike Detections by @papanikge in #673
Full Changelog: v2.0.1...v2.1.0
v2.0.1
New Detections
Bug Fixes
๐ Update panther_sensitive_role_created.py to handle some NoneTypes by @dotbeseck in #675
Miscellaneous
๐ fix: bump panther_analysis_tool to 0.19.5 for some additional snyk logs by @edyesed in #677
Full Changelog: v2.0.0...v2.0.1
v2.0.0
Why are we upping the major version number to v2?
We received a report and PR from users demonstrating an an unanticipated behavior in the global_helper deep_get
.
The scenario is this
- When deep get is called like this
deep_get(event, 'key_that_might_exist', default=Not_None)
. deep_get
must be called with a default= kwarg whose value is something other than None to enter into the changing behavior.- AND deep_get gets a hit on key_that_might_exist
- AND the value of that key is None
- Old Behavior -> deep_get returns None
- New Behavior -> deep_get returns value of default
This is the scenario where the old behavior and the new behavior lead to different outcomes in a detection:
if event
had the following definition
{
"some_key": null,
"another_key": 1
}
and the detection has this logic
my_check = deep_get(event, 'some_key', default='')
# At this point the value of my_check is None
# because deep_get did find `some_key` in event
# and the value of `some_key` was None
if my_check is None:
return False
Then a detection would be incompatible with the new behavior.
This is a scenario where a detection is compatible with the old and new behavior
event
has the same definition as above
and the detection has this logic
my_check = deep_get(event, 'some_key', default='')
# At this point the value of my_check is None ( because this example uses the old behavior )
# deep_get did find `some_key` in event
# and the value of `some_key` was None
if not my_check:
return False
The detection code directly above will work without modification because my_check is falsey in the old behavior ( my_check
had the value of None
) and my_check is falsey in the new behavior ( my_check
now returns ''
).
where when deep_get is passed the default=
kwarg, and it gets a hit on the search keys where the value of the search key is None
- fix: deep_get should honor default kwarg if the value it retrieves is explicitly None by @edyesed in #672
New Detections
๐ต๏ธ new rule: alerts when zoom user toggles off org setting to automatically sign out users after a specified period of time by @andrea-youwakim in #660
๐ต๏ธ new detection: zoom rule to alert when user modifies an organization's sign in methods by @andrea-youwakim in #666
๐ต๏ธ asana workspace email domain detection by @calkim-panther in #661
๐ต๏ธ new detection: adding new detection to alert when a zoom user disables an org's setting to require passcodes for new meetings by @andrea-youwakim in #669
๐ต๏ธ new detection: alerts when a zoom user disables an org's setting to sign in with 2fa by @andrea-youwakim in #676
Bug Fixes
๐ or ๐ต๏ธ modify cloudtrail policy for advanced selectors by @calkim-panther in #663
๐ต tune: standard_rule/brute_force_by_ip by @edyesed in #667
๐ต unmanaged detections tuning by @calkim-panther in #625
Miscellaneous
๐ Added support for dictionary values in DynamoDB by @natezpanther in #653
๐ Change IPInfo refresh frequency to daily by @debugmiller in #668
Full Changelog: v1.54.0...v2.0.0