Releases: panther-labs/panther-analysis

Test Managed Schema updates

18 Feb 11:44
5682402
Pre-release

A release to test updates of managed schemas.
Will be removed once the test is completed.

v1.16.0: Added packs directory

17 Feb 00:53
f796d6a

Tuning rules and adding initial detection pack! Change list below

  • Updated license (#190)
  • Rule Bug Fixes (#191, #193)
  • Update to gsuite titles to include relevant document title (#196)
  • Add initial detection pack (#192)

v1.15.0: Added DataModels and Standard Rules

09 Feb 18:39
591a936

Added support for data models as well as a few standard rules that use them! Change list below.

  • Added initial set of data models and standard rules (#156)
  • Fix some rule logic bugs (#163, #171, #176, #178, #188)
  • Updates to rules/policies to use new features and misc cleanup (#161, #169, #172, #173, #175)
  • Update boto connections to optionally be FIPS compliant (#177)
  • Initial sync of panther-managed schemas into panther-analysis (#187)

v1.14.0: Added support for IOCs

16 Dec 04:06
315ebd2

Added new global helper function to support Indicators of Compromise!

Includes the SolarWinds SUNBURST indicators released by FireEye

Users who only want the new IOC support can use the panther-analysis-iocs.zip included in the release.
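As an added illustration of the kind of helper this release describes (example code written for this page, not the panther-analysis global helper itself), the block below implements an IOC lookup over an arbitrary nested event and a Panther-style rule() / title() pair that uses it. The indicator values and the sample DNS and process events are constructed placeholders, not real SUNBURST indicators; the helper name ioc_match and the event field names are assumptions.

```python
from typing import Any, Dict, Iterable, List, Set

# Constructed placeholder indicators (not real SUNBURST IOCs); a real rule would
# import these from a global helper that carries the published indicator lists.
IOC_DOMAINS: Set[str] = {"c2.example", "update.example"}
IOC_SHA256: Set[str] = {"a" * 64, "b" * 64}


def _string_leaves(value: Any) -> Iterable[str]:
    """Yield every string found anywhere in a nested event (dicts, lists, scalars)."""
    if isinstance(value, dict):
        for item in value.values():
            yield from _string_leaves(item)
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from _string_leaves(item)
    elif isinstance(value, str):
        yield value


def ioc_match(event: Dict[str, Any], iocs: Set[str]) -> List[str]:
    """Return the indicators from `iocs` that occur in the event, sorted.

    Comparison is case-insensitive, and a hostname matches a domain indicator
    when it equals it or is a subdomain of it, so 'api.c2.example' hits
    'c2.example' while the look-alike 'notc2.example' does not.
    """
    wanted = {ioc.lower() for ioc in iocs}
    hits: Set[str] = set()
    for leaf in _string_leaves(event):
        leaf = leaf.lower()
        if leaf in wanted:
            hits.add(leaf)
            continue
        hits.update(ioc for ioc in wanted if leaf.endswith("." + ioc))
    return sorted(hits)


# Panther-style rule interface: rule() decides whether the event matches and
# title() labels the alert (and, with no dedup() defined, is the dedup string).
def rule(event: Dict[str, Any]) -> bool:
    return bool(ioc_match(event, IOC_DOMAINS | IOC_SHA256))


def title(event: Dict[str, Any]) -> str:
    return "IOC match: " + ", ".join(ioc_match(event, IOC_DOMAINS | IOC_SHA256))


# Constructed sample events: a DNS query record, a process-creation record, and
# a benign look-alike that must not match.
SAMPLE_DNS = {"query_name": "api.C2.example", "src_ip": "10.0.0.5", "rcode": "NOERROR"}
SAMPLE_PROCESS = {"process": {"path": "/tmp/updater", "sha256": "A" * 64}}
SAMPLE_BENIGN = {"query_name": "notc2.example", "src_ip": "10.0.0.5"}
```

Walking every string in the event rather than a fixed field list is deliberate: an indicator feed is useful against any log type, and the cost of a false negative from an unexpected field name is higher than the cost of scanning a few extra strings. The suffix check is what keeps the domain match from being a plain substring match.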

v1.13.0: Don't alert if access is denied to S3 putbucket. (#153)

08 Dec 01:13
5af2d1d

v1.12.0: Added example of regex checking for IAM arns (#144)

17 Nov 02:17
9341679

More tuning and more rules. Plus some threat hunting scenario data! Change list below.

  • Updated some policies to reflect changes in the Panther backend (#1320)
  • Refined rule logic to capture more bad behavior (#133, #144)
  • Tuning to reduce noise (#135, #136, #139, #145)
  • Fixing some rule logic bugs (#138, #140, #142)
  • New helpers for interacting with the box sdk (#137). Some additional setup is required to use these!
  • Threat hunting demo events! Great for testing out known scenarios and how your team might react to them (#141, #143)
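The release title names an example of regex checking for IAM ARNs. The block below is an added illustration of that technique, written for this page rather than taken from the repository: an anchored, component-capturing pattern for IAM ARNs, and a Panther-style rule that uses it to flag AssumeRole calls against roles outside an allow-listed account. The allow-list, the event shape and the sample events are constructed assumptions.

```python
import re
from typing import Any, Dict, Optional

# Anchored pattern for an IAM ARN. Pairing it with fullmatch() is the point:
# an unanchored search() would also accept an ARN embedded in a longer string.
IAM_ARN = re.compile(
    r"arn:(?P<partition>aws(?:-cn|-us-gov)?):iam::(?P<account>\d{12}):"
    r"(?P<resource>root|(?P<type>[a-z-]+)/(?P<path>(?:[\w+=,.@-]+/)*)(?P<name>[\w+=,.@-]+))"
)

ALLOWED_ROLE_ACCOUNTS = {"123456789012"}  # constructed allow-list for the example


def parse_iam_arn(arn: str) -> Optional[Dict[str, str]]:
    """Split an IAM ARN into partition/account/type/path/name, or None if malformed."""
    match = IAM_ARN.fullmatch(arn)
    if match is None:
        return None
    parts = match.groupdict()
    if parts["resource"] == "root":
        parts.update(type="root", path="", name="root")
    del parts["resource"]
    return parts


def rule(event: Dict[str, Any]) -> bool:
    """Alert on AssumeRole calls whose target is not a role in an allowed account.

    A roleArn the regex cannot parse also alerts: the check fails closed rather
    than letting a malformed value slip past the allow-list.
    """
    if event.get("eventName") != "AssumeRole":
        return False
    parsed = parse_iam_arn(event.get("requestParameters", {}).get("roleArn", ""))
    if parsed is None:
        return True
    return parsed["type"] != "role" or parsed["account"] not in ALLOWED_ROLE_ACCOUNTS


def title(event: Dict[str, Any]) -> str:
    role_arn = event.get("requestParameters", {}).get("roleArn", "<missing>")
    return f"AssumeRole to non-allow-listed role {role_arn}"


# Constructed CloudTrail-shaped sample events.
SAMPLE_ALLOWED = {
    "eventName": "AssumeRole",
    "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/service-role/ci-deploy"},
}
SAMPLE_FOREIGN_ACCOUNT = {
    "eventName": "AssumeRole",
    "requestParameters": {"roleArn": "arn:aws:iam::999999999999:role/ci-deploy"},
}
SAMPLE_MALFORMED = {"eventName": "AssumeRole", "requestParameters": {"roleArn": "not-an-arn"}}
```

Capturing the account and resource type separately is what makes the rule readable: the policy lives in ALLOWED_ROLE_ACCOUNTS and the comparison, not in an ever-growing regex.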

v1.10.0: box initial ruleset (#127)

20 Oct 22:15
4a419f8

Lots of good new stuff, including a slew of bug fixes and noise reduction. The big new features are:

  • Rules for OneLogin and Box
  • Add the new SummaryAttributes field to all rules
  • Simplifying rules by:
    • Omitting the dedup function when the title function is sufficient
    • Using the Threshold field to simplify basic stateful detections

We highly recommend updating to take advantage of these new features!
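To make the two simplifications concrete, the block below is an added example (not a rule from the repository): a rule with no dedup() function, so its title() doubles as the dedup key, and a small emulator of how a Threshold together with a dedup period turns that stateless rule into an "N failures within M minutes" detection. In Panther those two values are set in the rule's YAML spec (Threshold and DedupPeriodMinutes) rather than in code; the emulator's grouping semantics are an approximation written for illustration, and the CloudTrail-shaped events are constructed.

```python
from collections import defaultdict
from typing import Any, Dict, List


def rule(event: Dict[str, Any]) -> bool:
    """Match every failed console login; the Threshold, not the rule, holds the state."""
    return (
        event.get("eventName") == "ConsoleLogin"
        and event.get("responseElements", {}).get("ConsoleLogin") == "Failure"
    )


def title(event: Dict[str, Any]) -> str:
    """With no dedup() defined this string is also the dedup key: one alert per user and source."""
    user = event.get("userIdentity", {}).get("userName", "<unknown>")
    return f"Failed console logins for {user} from {event.get('sourceIPAddress')}"


def run(events: List[Dict[str, Any]], threshold: int, dedup_period_minutes: int) -> List[str]:
    """Approximation of the platform's grouping (assumption for illustration):
    an alert fires once a dedup key has matched `threshold` times within the
    period, and further matches inside that open alert's period join it
    instead of creating a new alert. Returns the titles of the alerts fired."""
    period = dedup_period_minutes * 60
    pending: Dict[str, List[int]] = defaultdict(list)  # key -> matches not yet alerted on
    open_until: Dict[str, int] = {}                    # key -> end of the open alert's period
    alerts: List[str] = []
    for event in sorted(events, key=lambda e: e["_ts"]):
        if not rule(event):
            continue
        key, ts = title(event), event["_ts"]
        if ts < open_until.get(key, -1):
            continue  # grouped into the alert that is already open
        recent = [t for t in pending[key] if t > ts - period] + [ts]
        if len(recent) >= threshold:
            alerts.append(key)
            open_until[key] = ts + period
            pending[key] = []
        else:
            pending[key] = recent
    return alerts


def _login(ts: int, outcome: str) -> Dict[str, Any]:
    """Constructed CloudTrail-shaped ConsoleLogin event; _ts is epoch seconds."""
    return {
        "_ts": ts,
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"userName": "alice"},
        "responseElements": {"ConsoleLogin": outcome},
    }


SAMPLE_EVENTS = [
    _login(0, "Failure"),
    _login(30, "Failure"),
    _login(60, "Success"),    # not a match, does not count
    _login(90, "Failure"),    # third failure inside 15 minutes: alert
    _login(5000, "Failure"),  # lone failure long afterwards: no alert at threshold 3
]
```

The rule body stays a one-line predicate; everything that used to need a dedup() function and hand-rolled counting is expressed by choosing the title carefully and setting the threshold. If the title included a timestamp or request ID, every event would get its own dedup key and the threshold would never be reached, which is the usual way this pattern breaks.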

v1.7.0

01 Sep 19:44
c4eea26

Adding some new rules and a round of documentation & bug fixes.

v1.6.0: Additional gsuite rules (#78)

04 Aug 19:51
074e23b

With this release of panther-analysis (in tandem with Panther v1.6.0) we're excited to announce the open sourcing of our enterprise policies and rules!

These detections apply to a range of security topics such as PCI compliance, identity and access management, operations, and more. Where relevant, we’ve also mapped to the MITRE ATT&CK framework.

Here’s why we decided to open source ALL of our detections:

  • Community empowerment. We want all our users, open source and enterprise, to obtain value from Panther. By providing a wider array of policies and rules our users will not only detect more security issues, but also have more examples from which to craft their own custom detections.
  • Simplification of updates. Previously, managing the open and closed source detection packs added ongoing management and update overhead for our enterprise customers. By moving everything into one repo, we've majorly simplified this process. Now, you just fork this repo and you're good to go!
  • Code consolidation. With the introduction of the global analysis type, we often found ourselves needing to duplicate helper logic between the open source and enterprise repos. This change introduces more shared patterns for teams to utilize!

We look forward to your feedback on these new open source detections, so as always feel free to open issues and merge requests on this repo whenever you find room for improvement!

v1.5.0: ignore service linked role creation (#70)

30 Jun 19:34
630bd91

The updated rules & policies to run with panther v1.5.0!

  • #63, #64, #66, #67, #68, and #70 are all about tuning detections to reduce noise
  • #62, #65, and #69 are all about fixing rules to reduce errors

The latest version of Panther ships with improved alarming to detect policy & rule errors, so be sure to monitor those CloudWatch alarms to see if your custom (or our out of the box!) policies or rules are erroring.