Remove deprecated rules #1369

Merged on Oct 7, 2024 (16 commits)

@ben-githubs ben-githubs commented Sep 26, 2024

Background

A number of rules in Panther are deprecated and not encouraged to be used. We have previously marked them as deprecated, but haven't had a good way to actually remove them from the repo without leaving orphaned versions on each customer's remote instance.

This PR creates a deprecated.txt file containing the RuleIDs of all rules we've removed. Customers can use this file to remove deprecated rules from their instances with:

make remove-deprecated

Additionally, we've added another make target, make check-deprecated, which is used in the new check-deprecated Action. This action checks the current branch/PR against release and determines if any rules have been removed recently and not added to deprecated.txt. The primary purpose of this Action is for our use as we clean up old rules moving forward to ensure we're tracking anything we delete.

Changes

  • removed all rules marked as deprecated
  • added a deprecated.txt file and appended the rule IDs of all the deleted rules
  • added a script to check for deleted rules, and to delete anything listed in deprecated.txt
  • added a GitHub Action to check for any deleted rules in a PR that aren't added to deprecated.txt

Testing

  • make test, pat validate, and pat upload all worked successfully.
  • made a test branch to confirm the check-deprecated workflow works as expected
  • ran make remove-deprecated to delete rules from a test Panther backend

@ben-githubs ben-githubs requested a review from a team as a code owner September 26, 2024 18:29
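
The comparison that the description attributes to check-deprecated can be sketched as follows. This is an added example, not the script from this PR; it assumes each rule is a YAML file with a top-level `RuleID:` key and that deprecated.txt holds one rule ID per line, and the function names and `Sample.*` IDs are made up for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: each rule is a YAML file carrying a top-level "RuleID:" key.
RULE_ID = re.compile(r"^RuleID:\s*[\"']?([^\"'\s#]+)", re.MULTILINE)


def collect_rule_ids(root: Path) -> set[str]:
    """Return every RuleID found in .yml/.yaml files under root."""
    ids = set()
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in {".yml", ".yaml"}:
            ids.update(RULE_ID.findall(path.read_text(encoding="utf-8")))
    return ids


def read_deprecated(path: Path) -> set[str]:
    """Assumption: deprecated.txt lists one rule ID per line; blanks are ignored."""
    if not path.exists():
        return set()
    return {line.strip() for line in path.read_text().splitlines() if line.strip()}


def untracked_removals(base: Path, head: Path, deprecated: Path) -> set[str]:
    """IDs present in base, absent from head, and not recorded in deprecated."""
    # Comparing IDs rather than file names means a moved or renamed rule file
    # is not reported as a removal.
    removed = collect_rule_ids(base) - collect_rule_ids(head)
    return removed - read_deprecated(deprecated)


def demo() -> set[str]:
    """Constructed sample: base has three rules, head drops two, one is tracked."""
    with tempfile.TemporaryDirectory() as tmp:
        base, head = Path(tmp, "base"), Path(tmp, "head")
        for tree, ids in ((base, ["Sample.A", "Sample.B", "Sample.C"]), (head, ["Sample.A"])):
            (tree / "rules").mkdir(parents=True)
            for rid in ids:
                (tree / "rules" / f"{rid}.yml").write_text(f'AnalysisType: rule\nRuleID: "{rid}"\n')
        (head / "deprecated.txt").write_text("Sample.B\n")
        return untracked_removals(base, head, head / "deprecated.txt")


if __name__ == "__main__":
    missing = demo()
    print("untracked removals:", sorted(missing))
    raise SystemExit(1 if missing else 0)  # non-zero exit fails a CI job
```
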
@jacknagz

Love it. Do you know if we need also to do this with older IoCs?

@ben-githubs

@jacknagz yeah, removing old IoCs was one of the motivators for this! We already have several IoC rules marked as deprecated that got cleaned out in this PR.

@arielkr256 arielkr256 added the tuning detection tuning label Sep 30, 2024
@arielkr256 arielkr256 enabled auto-merge (squash) October 7, 2024 15:13
@arielkr256 arielkr256 merged commit a61a96f into release Oct 7, 2024
9 checks passed
@arielkr256 arielkr256 deleted the THREAT-370/remove-deprecate-rules branch October 7, 2024 15:17