Releases: panther-labs/panther-analysis
v3.69.0
What's Changed
🕵️ New Detections
- Stratus AWS Logging Detections by @ben-githubs in #1437
- Add CrowdStrike Event Streams Passthrough Rule by @ben-githubs in #1442
🐛 Bug Fixes and Tunes
- Wiz.Alert.Passthrough: New Dedup Logic by @ben-githubs in #1438
- Tune EKS Anonymous API Access Detection Rule (#1405) by @arielkr256 in #1433
- Update Email Regex by @arielkr256 in #1440
- Remove Snowflake.Stream.AttemptedLoginByDisabledUser and assc. query by @ben-githubs in #1444
- Fix Dedup Period for Crowdstrike.Detection.passthrough by @ben-githubs in #1445
🏡 Miscellaneous
- build(deps): bump step-security/harden-runner from 2.10.1 to 2.10.2 by @dependabot in #1434
- PantherFlow Investigator Helper by @arielkr256 in #1436
- Add get_user to AWS datamodel by @arielkr256 in #1441
- Introduce data model unit tests by @arielkr256 in #1443
Full Changelog: v3.68.0...v3.69.0
v3.68.0
What's Changed
🕵️ New Detections
- THREAT-403 Create rules for User, Administrator, and Role Management based on test cases by @akozlovets098 in #1415
- s3 bucket confused deputy attack by @bcpenta in #1416
- THREAT-318: Standard.SignInFromRogueState by @ben-githubs in #1426
- THREAT-411 ZIA AdminAuditRules - Password, Log, Backup by @akozlovets098 in #1425
🔍️️ New Queries
- Adding Some Snowflake Behavioral/Anomaly Scheduled Queries by @ben-githubs in #1408
- Okta AD/LDAP Delegated Authentication - Username Above 52 Characters Security Advisory by @arielkr256 in #1428
🐛 Bug Fixes and Tunes
- fixing ruleID typo on gcp_k8s_pod_create_or_modify_host_path_vol_mount.yml by @jzandona in #1418
- ASK-928 tuning Zendesk.UserRoleChanged by @akozlovets098 in #1421
- Refactor `panther_azuresignin_helpers.actor_user` to use imported `deep_get` by @ben-githubs in #1422
- Fix Standard.SignInFromRogueState for Unenriched Events by @ben-githubs in #1431
- THREAT-408 `Notion.Many.Pages.Deleted` -> Scheduled Rule by @ben-githubs in #1423
🏡 Miscellaneous
- Release v3.67 by @le4ker in #1398
- Prep for v3.68 by @arielkr256 in #1412
- Update CONTRIBUTING.md by @le4ker in #1420
- Update TrailDiscover data by @akozlovets098 in #1424
- Make check-packs action work by @ben-githubs in #1427
Full Changelog: v3.67.0...v3.68.0
v3.67.0
What's Changed
⚠️ Potentially Breaking Changes
- Helper reorg by @arielkr256 in #1380
🕵️ New Detections
- ThinkstCanary Rules by @arielkr256 in #1391
⛅️️ New Policies
🔍️️ New Queries
- Migrate `AthenaQuery` and `SnowflakeQuery` to just `Query` by @ben-githubs in #1392
🐛 Bug Fixes and Tunes
- Clean up GitHub rule by @jacknagz in #1366
- Allow `applicationName=login` for `GSuite.ExternalMailForwarding` by @ben-githubs in #1395
- ASK-833 `GSuite.Drive.ExternalFileShare` sender-receiver pairs in EXCEPTION_PATTERN by @akozlovets098 in #1394
- Update gsuite_workspace_calendar_external_sharing.py by @dvaliotis in #1406
🏡 Miscellaneous
- Prepare for `v3.64.0` by @arielkr256 in #1357
- 3.65 Release by @le4ker in #1371
- THREAT-395 Correlation Rule Style Guide in repo by @akozlovets098 in #1376
- Update Internal Automations by @ben-githubs in #1396
- Update PAT to `0.54.0`, and minor change to test action by @ben-githubs in #1397
- Update style guide reference by @emmanuel-ferdman in #1400
New Contributors
- @bcpenta made their first contribution in #1393
- @dvaliotis made their first contribution in #1406
- @emmanuel-ferdman made their first contribution in #1400
Full Changelog: v3.66.0...v3.67.0
v3.66.0
What's Changed
🕵️ New Detections
- new rule: GCP.User.Added.To.Privileged.Group by @ben-githubs in #1378
🐛 Bug Fixes and Tunes
- Remove deprecated rules by @ben-githubs in #1369
- Configure `lint-mitre` to ignore schema test files by @ben-githubs in #1381
- Delete 'Snowflake.PublicRoleGrant' & query by @ben-githubs in #1386
🏡 Miscellaneous
- Format Sublime YAML files by @le4ker in #1373
- build(deps): bump docker/setup-buildx-action from 3.6.1 to 3.7.0 by @dependabot in #1375
- build(deps): bump docker/setup-buildx-action from 3.7.0 to 3.7.1 by @dependabot in #1377
- THREAT-397 Reformat deep_get(event to event.deep_get( by @akozlovets098 in #1374
- build(deps): bump actions/checkout from 4.1.7 to 4.2.1 by @dependabot in #1379
- Fix linter error in gsuite_workspace_calendar_external_sharing.py by @le4ker in #1383
- build(deps): bump thollander/actions-comment-pull-request from 2.5.0 to 3.0.0 by @dependabot in #1385
- Add AlertTitle to rule_jsonschema.json by @geoffg-sentry in #1384
Full Changelog: v3.65.0...v3.66.0
v3.65.0
What's Changed
🕵️ New Detections
- THREAT-387 Sublime Security Rules by @akozlovets098 in #1356
- Slack.AuditLogs.ApplicationDoS -> threshold rule by @akozlovets098 in #1349
🔍️️ New Queries
- Issue 1367: Reformat YAML to Always Use Literal Block for Query Text by @ben-githubs in #1370
🌯 New Packs and Pack Expansion
- Add Unpacked Items to Packs by @ben-githubs in #1361
🐛 Bug Fixes and Tunes
- Fix issue 466: Add mock to rule test by @arielkr256 in #1364
- Fix issue 439: AccountId case by @arielkr256 in #1365
- Fix issue 468: Zendesk severity override by @arielkr256 in #1363
- fix - IAM User takeover Correlation Rule correlating on IP instead of user by @akozlovets098 in #1362
- Filter out Intelsat satellite network plane wifi from Impossible Travel by @geoffg-sentry in #1358
🏡 Miscellaneous
- Add Format Checker for MITRE ATT&CK Matrix Report Mappings by @ben-githubs in #1360
- test with api by @arielkr256 in #1355
- build(deps): bump actions/checkout from 4.1.7 to 4.2.0 by @dependabot in #1368
- Merge changes from main to release by @le4ker in #1372
Full Changelog: v3.64.0...v3.65.0
v3.64.0
What's Changed
🕵️ New Detections
- Wiz audit rules by @akozlovets098 in #1323
🔍️️ New Queries
- Remove Multi-Table Queries from Packs by @ben-githubs in #1353
🗓️️ Scheduled Rules
- THREAT-354 Converting caching rules to correlation by @akozlovets098 in #1348
- more correlation rules from AWS re:inforce by @arielkr256 in #1289
🏡 Miscellaneous
- Prepare for `v3.62.0` by @arielkr256 in #1338
- Prepare for 3.63.0 by @akozlovets098 in #1350
- build(deps): bump step-security/harden-runner from 2.9.1 to 2.10.1 by @dependabot in #1352
- Refreshing Contributing Guidelines by @arielkr256 in #1344
- validate and upload on PRs by @arielkr256 in #1351
- Validate on PR approval by @arielkr256 in #1354
Full Changelog: v3.63.0...v3.64.0
v3.63.0
What's Changed
🐛 Bug Fixes and Tunes
- AWS SAML Activity Tuning by @arielkr256 in #1341
- Tuning Snyk Rules by @arielkr256 in #1340
- Update Pack Manifests with Data Models and Globals by @ben-githubs in #1342
- added get_actor_user method to data model by @biancafu-panther in #1343
- Add Missing Pack Items by @ben-githubs in #1345
🏡 Miscellaneous
- build(deps): bump actions/setup-python from 5.1.1 to 5.2.0 by @dependabot in #1339
New Contributors
- @biancafu-panther made their first contribution in #1343
Full Changelog: v3.62.0...v3.63.0
v3.62.0
What's Changed
🏡 Miscellaneous
- Prepare for `v3.61.0` by @arielkr256 in #1321
- Remove deprecated IOC helpers by @arielkr256 in #1325
- Info Alerts are Signals, Nonrouted by @arielkr256 in #1328
- New Rules: CS EventStream Audit Events by @ben-githubs in #1307
- Okta rate limit tuning by @arielkr256 in #1329
- traffic mirroring tuning by @arielkr256 in #1330
- GCP K8S tuning by @arielkr256 in #1331
- Missing MITRE ATT&CK tactics by @arielkr256 in #1322
- tuning Wiz Alert Passthrough rule by @arielkr256 in #1326
- Improve GitHub Webhook Modified rule by @geoffg-sentry in #1324
- Add Dynamic Severity to AWS.CloudTrail.SnapshotMadePublic by @ben-githubs in #1333
- Fix Unit Tests Failing in Pypanther by @ben-githubs in #1335
- Convert to Signals by @arielkr256 in #1336
- THREAT 371: Slack Anomaly Detection Tuning by @ben-githubs in #1334
- PAT update v0.52.1 by @arielkr256 in #1337
Full Changelog: v3.61.0...v3.62.0
v3.61.0
What's Changed
🏡 Miscellaneous
- Releasing performance improvements by @nhakmiller in #1305
- Update rule_jsonschema.json by @chrisarav in #1306
- build(deps): bump docker/setup-buildx-action from 3.5.0 to 3.6.1 by @dependabot in #1309
- UDM safe lookups by @nhakmiller in #1311
- Minor typo fix in displayname, potentiall -> potentially by @kjihso in #1312
- Add Github Dependabot Alert Dismissed Rule by @elimgh in #1310
- added default values to get/deep_get by @arielkr256 in #1313
- AWS Compromised Service Role - CR -> Scheduled Rule by @arielkr256 in #1315
- GitHub Advanced Security Change WITHOUT Repo Archived - Sequence to Group CR by @arielkr256 in #1314
- build(deps): bump step-security/harden-runner from 2.9.0 to 2.9.1 by @dependabot in #1317
- Update again gcp_k8s_cron_job_created_or_modified.yml by @chrisarav in #1318
- Prepare for `3.60.0` by @akozlovets098 in #1319
- CR upload fixes by @arielkr256 in #1320
New Contributors
- @chrisarav made their first contribution in #1306
- @elimgh made their first contribution in #1310
Full Changelog: v3.59.0...v3.60.0
Full Changelog: v3.60.0...v3.61.0
v3.59.0
What's Changed
🏡 Miscellaneous
- Prepare for 3.58 by @ben-githubs in #1299
- Add entity JSON object to Slack Privilege Escalation tests by @bmbeverst in #1300
- Update rates by @nhakmiller in #1301
- Bump rate minutes more by @nhakmiller in #1302
Full Changelog: v3.58.0...v3.59.0