Releases: panther-labs/panther-analysis

v1.7.0

01 Sep 19:44
c4eea26

Adding some new rules and a round of documentation & bug fixes.

v1.6.0: Additional gsuite rules (#78)

04 Aug 19:51
074e23b

With this release of panther-analysis (in tandem with Panther v1.6.0) we're excited to announce the open sourcing of our enterprise policies and rules!

These detections apply to a range of security topics such as PCI compliance, identity and access management, operations, and more. Where relevant, we’ve also mapped to the MITRE ATT&CK framework.

Here’s why we decided to open source ALL of our detections:

  • Community empowerment. We want all our users, open source and enterprise, to obtain value from Panther. By providing a wider array of policies and rules our users will not only detect more security issues, but also have more examples from which to craft their own custom detections.
  • Simplification of updates. Previously, managing the open and closed source detection packs added ongoing management and update overhead for our enterprise customers. By moving everything into one repo, we've majorly simplified this process. Now, you just fork this repo and you're good to go!
  • Code consolidation. With the introduction of the global analysis type, we often found ourselves needing to duplicate helper logic between the open source and enterprise repos. This change introduces more shared patterns for teams to utilize!

We look forward to your feedback on these new open source detections, so as always feel free to open issues and merge requests on this repo whenever you find room for improvement!

v1.5.0: ignore service linked role creation (#70)

30 Jun 19:34
630bd91

The updated rules & policies to run with panther v1.5.0!

  • #63, #64, #66, #67, #68, and #70 are all about tuning detections to reduce noise
  • #62, #65, and #69 are all about fixing rules to reduce errors

The latest version of Panther ships with improved alarming to detect policy & rule errors, so be sure to monitor those CloudWatch alarms to see if your custom (or our out of the box!) policies or rules are erroring.

1.4.0

30 May 00:10
e6d4ee4

Another round of updates, mostly minor changes. The main change is the addition of the default panther helper to support more hybrid CLI/web driven workflows.

1.3.0: CloudTrail Rule Updates (#57)

22 May 17:53
d4b5b6b

This version brings the default policies and rules up to date with how Panther now handles the global analysis type.

  • #56 modifies the global helper to work with multiple globals
  • #54 and #55 update the default global to communicate with a DynamoDB table deployed in Panther specifically for rules and policies to use as a key/value store
  • #52 updates some rules to reflect bug fixes in Panther
  • #53 and #57 add additional rules for S3 and CloudTrail respectively

v1.2.0: Updated globals (#49)

23 Apr 19:58
3cc53b1

This release includes a number of minor changes related to policy and rule tuning and bug fixes, and one large change to adapt to the new globals format.

You'll find the new analysis type global configured in the globals directory. If you were previously using aws_globals in order to share code amongst policies and rules, follow these steps to be compatible with the new format:

  1. Copy your code from aws_globals.py into the panther.py file in the globals directory (we advise appending your custom globals to the default ones already present in panther.py)
  2. Update all policies and rules from import aws_globals to import panther. Update any usages of the functions found within aws_globals as well.
  3. Use the panther_analysis_tool (be sure you're on the latest version) to upload your new globals directory.
  4. From within the Panther UI, delete the aws_globals policy or rule
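Step 2 of the migration as a script, an added example that is not part of this repo: it rewrites `import aws_globals` / `from aws_globals import ...` to the `panther` global and renames `aws_globals.` attribute uses. The sample rule and its `is_admin` helper name are constructed for illustration.

```python
import re
from pathlib import Path
from typing import List

# Old and new global module names, as given in the release notes.
OLD = "aws_globals"
NEW = "panther"

# `import aws_globals` (optionally `as alias`) and `from aws_globals import ...`;
# \b keeps a module such as aws_globals_extra from being touched.
_IMPORT_RE = re.compile(rf"^(\s*)(import|from)\s+{OLD}\b", re.MULTILINE)
# Attribute access `aws_globals.helper(...)` anywhere in the file (string literals included).
_ATTR_RE = re.compile(rf"\b{OLD}\.")


def migrate_source(src: str) -> str:
    """Rewrite one rule/policy source string from aws_globals to the panther global."""
    src = _IMPORT_RE.sub(rf"\1\2 {NEW}", src)
    return _ATTR_RE.sub(f"{NEW}.", src)


def migrate_tree(root: Path) -> List[Path]:
    """Rewrite every .py file under root in place; returns the files that changed."""
    changed = []
    for path in root.rglob("*.py"):
        # The old global itself is merged by hand into panther.py (step 1), so skip it.
        if path.name == f"{OLD}.py":
            continue
        original = path.read_text()
        updated = migrate_source(original)
        if updated != original:
            path.write_text(updated)
            changed.append(path)
    return changed


# Constructed sample rule exercising both import forms and an attribute use.
SAMPLE_RULE = """import aws_globals
from aws_globals import is_admin  # constructed helper name

def rule(event):
    return aws_globals.is_admin(event) or is_admin(event)
"""

if __name__ == "__main__":
    print(migrate_source(SAMPLE_RULE))
```

Run `migrate_tree(Path("rules"))` and `migrate_tree(Path("policies"))` from the repo root, then review the diff before uploading with panther_analysis_tool (step 3).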

If you were not previously taking advantage of custom globals, no changes are necessary, although you may still wish to perform step 4 above and delete the old aws_globals policy from the Panther web UI.

Globals will be included in both the panther-analysis-policies and panther-analysis-rules packages, as they are shared between policies and rules.

v1.1.1: Update Rule Fields (#36)

24 Mar 18:57
2824035

Updated all rules to take advantage of the new rule specific fields.

v1.1.0: Metadata Updates (#34)

21 Mar 01:02
9ef545d

This is a large change, which renames almost every single policy and changes the tagging conventions on the majority of policies and rules. This is in pursuit of a more standard, cleaner presentation of the analysis that Panther has to offer.

If you wish to upgrade an existing Panther deployment to this latest pack of policies and rules, we highly recommend destroying all policies in the existing deployment before deploying this pack. This is because we are changing all the policy IDs, which means that upgrading will not work as normal.

We try to make changes like this very rarely, but as we have made a lot of changes to the presentation of the newer analysis packs we decided to bring everything up to date in anticipation of the Panther v1 launch.

v1.0.3

26 Feb 00:05
70b2065

Minor patches.

v1.0.2: AWS Rules - DeleteBucket, S3 Insecure Access Fix (#21)

16 Feb 18:54
5317b83

Updating all rules to perform safe lookups in accordance with backend changes to Panther.
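What "safe lookups" means in practice, as an added example that is not code from this repo: a Panther rule is a `rule(event)` function returning a bool, and a direct `event["key"]` on a field the log lacks raises instead of returning False, which is the kind of rule error the CloudWatch alarms mentioned under v1.5.0 surface. The three CloudTrail-shaped events are constructed.

```python
from typing import Callable, Dict, List

# Constructed sample events; the AccessDenied record has no requestParameters at all,
# which is exactly what an unsafe lookup trips over.
EVENTS: List[Dict] = [
    {"eventName": "DeleteBucket", "requestParameters": {"bucketName": "logs-archive"}},
    {"eventName": "DeleteBucket", "errorCode": "AccessDenied"},
    {"eventName": "PutObject", "requestParameters": {"bucketName": "assets"}},
]


def rule_unsafe(event: Dict) -> bool:
    # Raises KeyError on the AccessDenied event: a rule error, not a "no alert" verdict.
    return event["eventName"] == "DeleteBucket" and bool(
        event["requestParameters"]["bucketName"]
    )


def rule_safe(event: Dict) -> bool:
    # .get() with defaults turns a missing field into False instead of an exception.
    return event.get("eventName") == "DeleteBucket" and bool(
        event.get("requestParameters", {}).get("bucketName")
    )


def run_rule(rule: Callable[[Dict], bool], events: List[Dict]) -> Dict[str, int]:
    """Mimic a rule engine: count alerts, and count (rather than propagate) rule errors."""
    counts = {"alerts": 0, "errors": 0}
    for ev in events:
        try:
            if rule(ev):
                counts["alerts"] += 1
        except Exception:  # in Panther this is what shows up as a rule error metric
            counts["errors"] += 1
    return counts


if __name__ == "__main__":
    print("unsafe:", run_rule(rule_unsafe, EVENTS))
    print("safe:  ", run_rule(rule_safe, EVENTS))
```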