Merge branch 'develop' into bp/eks-anonymous

Author: arielkr256

.github/workflows/check-deprecated.yml

@@ -21,14 +21,14 @@ jobs:
             github.com:443
             pypi.org:443
       - name: Checkout panther-analysis
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 
       - name: Fetch Release
         run: |
           git fetch --depth=1 origin develop
 
       - name: Set python version
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b #v5.3.0
         with:
           python-version: "3.11"
 

.github/workflows/check-mitre.yml

@@ -19,10 +19,10 @@ jobs:
             github.com:443
             pypi.org:443
       - name: Checkout panther-analysis
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 
       - name: Set python version
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b #v5.3.0
         with:
           python-version: "3.11"
 

.github/workflows/check-packs.yml

@@ -25,10 +25,10 @@ jobs:
             pypi.org:443
 
       - name: Checkout panther-analysis
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 
       - name: Set python version
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b #v5.3.0
         with:
           python-version: "3.11"
 

.github/workflows/docker.yml

@@ -27,7 +27,7 @@ jobs:
             registry-1.docker.io:443
             www.python.org:443
       - name: Checkout panther-analysis
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
       - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf #v3.2.0
       - name: Set up Docker Buildx
         id: buildx

.github/workflows/lint.yml

@@ -19,10 +19,10 @@ jobs:
             github.com:443
             pypi.org:443
       - name: Checkout panther-analysis
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 
       - name: Set python version
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b #v5.3.0
         with:
           python-version: "3.11"
 

.github/workflows/pre-release-upload.yml

@@ -0,0 +1,43 @@
+on:
+  pull_request_review:
+    types: [submitted]
+
+permissions:
+  contents: read
+
+jobs:
+  upload:
+    if: github.head_ref == 'main'
+    name: Pre-Release Upload to GA
+    runs-on: ubuntu-latest
+    env:
+      API_HOST: ${{ secrets.GA_API_HOST }}
+      API_TOKEN: ${{ secrets.GA_API_TOKEN }}
+    steps:
+      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+          
+      - name: Validate Secrets
+        if: ${{ env.GA_API_HOST == '' || env.GA_API_TOKEN == '' }}
+        run: |
+          echo "API_HOST or API_TOKEN not set"
+          exit 0
+
+      - name: Checkout panther-analysis
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+
+      - name: Set python version
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b #v5.3.0
+        with:
+          python-version: "3.11"
+
+      - name: Install pipenv
+        run: pip install pipenv
+
+      - name: Setup venv
+        run: make venv
+
+      - name: upload
+        run: |
+          pipenv run panther_analysis_tool upload --api-host ${{ env.GA_API_HOST }} --api-token ${{ env.GA_API_TOKEN }}

.github/workflows/release.yml

@@ -18,7 +18,7 @@ jobs:
       - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
         with:
           egress-policy: audit
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
         with:
           fetch-depth: 0
           token: ${{ env.GITHUB_TOKEN }}
@@ -29,7 +29,7 @@ jobs:
           aws-region: ${{ secrets.AWS_REGION }}
           role-session-name: panther-analysis-release
       - name: Install Python
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b #v5.3.0
         with:
           python-version: "3.11"
       - name: Create new panther-analysis release

.github/workflows/sync-from-upstream.yml

@@ -37,7 +37,7 @@ jobs:
           branch: "sync_upstream_${{steps.set_upstream.outputs.latest-release}}"
       # Checkout this repo into the branch
       - name: Checkout your local repo in PR branch
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
         with:
           ref: "sync_upstream_${{steps.set_upstream.outputs.latest-release}}"
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yml

@@ -6,6 +6,35 @@ permissions:
 
 jobs:
   test:
+    if: github.event.pull_request.head.repo.fork == true
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          disable-sudo: true
+          egress-policy: audit
+          
+      - name: Checkout panther-analysis
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+
+      - name: Set python version
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b #v5.3.0
+        with:
+          python-version: "3.11"
+
+      - name: Install pipenv
+        run: pip install pipenv
+
+      - name: Setup venv
+        run: make venv
+
+      - name: test
+        run: |
+          pipenv run panther_analysis_tool test --show-failures-only
+
+  test-authenticated:
+    if: github.event.pull_request.head.repo.fork == false
     name: Test
     runs-on: ubuntu-latest
     env:
@@ -24,10 +53,10 @@ jobs:
           exit 0
           
       - name: Checkout panther-analysis
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 
       - name: Set python version
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b #v5.3.0
         with:
           python-version: "3.11"
 

.github/workflows/upload.yml

@@ -25,10 +25,10 @@ jobs:
           exit 0
 
       - name: Checkout panther-analysis
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 
       - name: Set python version
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b #v5.3.0
         with:
           python-version: "3.11"
 

.github/workflows/validate.yml

@@ -7,7 +7,7 @@ permissions:
 
 jobs:
   validate:
-    if: github.event.review.state == 'approved'
+    if: github.event.review.state == 'approved' && github.event.pull_request.head.repo.fork == false
     name: Validate
     runs-on: ubuntu-latest
     env:
@@ -24,10 +24,10 @@ jobs:
           exit 0
 
       - name: Checkout panther-analysis
-        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 
       - name: Set python version
-        uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 #v5.2.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b #v5.3.0
         with:
           python-version: "3.11"
 

CONTRIBUTING.md

@@ -8,7 +8,7 @@ Please familiarize yourself with these helpful resources on writing high-quality
 
 - The blog post Panther's founder, Jack Naglieri, wrote on [The Anatomy of a High Quality SIEM Rule](https://jacknaglieri.substack.com/p/hq-siem-rules)
 - Panther's [Detection Documentation](https://docs.panther.com/detections)
-- The `panther-analysis` [Style Guide](https://github.com/panther-labs/panther-analysis/blob/main/STYLE_GUIDE.md)
+- The `panther-analysis` [Style Guide](https://github.com/panther-labs/panther-analysis/blob/main/style_guides/STYLE_GUIDE.md)
 
 Especially excellent contributions will be considered for a quarterly prize! We will announce a winner in the **Panther-Analysis Seasonal Newsletter**, where we share updates and celebrate contributions to Panther’s open-source ruleset.
 

Makefile

@@ -1,4 +1,4 @@
-dirs := $(shell ls | egrep 'policies|rules|helpers|models|templates|queries' | xargs)
+dirs := $(shell ls | egrep 'policies|rules|global_helpers|models|templates|queries' | xargs)
 UNAME := $(shell uname)
 TEST_ARGS :=
 

global_helpers/panther_aws_helpers.py

@@ -49,6 +49,7 @@ def aws_guardduty_context(event: dict):
         "type": event.get("type", "<MISSING TYPE>"),
         "resource": event.get("resource", {}),
         "service": event.get("service", {}),
+        "accountId": event.get("accountId", "<MISSING ACCOUNT ID>"),
     }
 
 

packs/aws.yml

@@ -133,6 +133,7 @@ PackDefinition:
     - AWS.WAF.Disassociation
     - AWS.WAF.HasXSSPredicate
     - AWS.WAF.LoggingConfigured
+    - AWS.WAF.WebACLHasAssociatedResources
     # Other rules
     - AWS.CloudTrail.Account.Discovery
     - AWS.CloudTrail.CloudWatchLogs

policies/aws_waf_policies/aws_waf_webacl_has_associated_resources.py

@@ -0,0 +1,4 @@
+def policy(resource):
+    # Check if the WebACL has any associated resources
+    associations = resource.get("AssociatedResources", [])
+    return len(associations) > 0

policies/aws_waf_policies/aws_waf_webacl_has_associated_resources.yml

@@ -0,0 +1,50 @@
+AnalysisType: policy
+Filename: aws_waf_webacl_has_associated_resources.py
+PolicyID: "AWS.WAF.WebACLHasAssociatedResources"
+DisplayName: "AWS WAF WebACL Has Associated Resources"
+Enabled: true
+ResourceTypes:
+  - AWS.WAF.Regional.WebACL
+  - AWS.WAF.WebACL
+Tags:
+  - AWS
+  - Security Control
+  - Optimization
+Severity: Medium
+Description: >
+  This policy ensures that AWS WAF WebACLs are associated with at least one resource (ALB, CloudFront Distribution, or API Gateway). If a WebACL is not associated with any resources, it is inactive and not providing any protection.
+Runbook: >
+  Associate the WAF WebACL with at least one resource, such as an Application Load Balancer (ALB), CloudFront Distribution, or API Gateway. WebACLs that are not associated with resources do not protect any traffic.
+Reference: https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associate.html
+Tests:
+  - Name: WebACL Associated with Resources
+    ExpectedResult: true
+    Resource:
+      {
+        "ResourceType": "AWS.WAF.WebACL",
+        "AssociatedResources":
+          [
+            "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-app",
+            "arn:aws:cloudfront::123456789012:distribution/EXAMPLE"
+          ]
+      }
+
+  - Name: WebACL Not Associated with Resources
+    ExpectedResult: false
+    Resource:
+      {
+        "ResourceType": "AWS.WAF.WebACL",
+        "AssociatedResources": []
+      }
+
+  - Name: WebACL Associated with Single Resource
+    ExpectedResult: true
+    Resource:
+      {
+        "ResourceType": "AWS.WAF.WebACL",
+        "AssociatedResources":
+          [
+            "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-app"
+          ]
+      } 
+      

rules/gsuite_activityevent_rules/gsuite_workspace_calendar_external_sharing.py

@@ -18,5 +18,5 @@ def title(event):
         f"GSuite workspace setting for default calendar sharing was changed by "
         f"[{event.deep_get('actor', 'email', default='<UNKNOWN_EMAIL>')}] "
         + f"from [{event.deep_get('parameters', 'OLD_VALUE', default='<NO_OLD_SETTING_FOUND>')}] "
-        + "to [{event.deep_get('parameters', 'NEW_VALUE', default='<NO_NEW_SETTING_FOUND>')}]"
+        + f"to [{event.deep_get('parameters', 'NEW_VALUE', default='<NO_NEW_SETTING_FOUND>')}]"
     )