consistency nit fixes (#1235)

* consistency nit fixes

* - somethings -> some things

.github/workflows/check-packs.yml

@@ -33,8 +33,8 @@ jobs:
         with:
           mode: upsert
           message: |
-            :scream: 
-            looks like somethings could be wrong with the packs
+            :scream:
+            looks like some things could be wrong with the packs
             ```diff
             ${{ steps.check-packs.outputs.errors }}
           comment_tag: check-packs
@@ -44,8 +44,8 @@ jobs:
         with:
           mode: delete
           message: |
-            :scream: 
-            looks like somethings could be wrong with the packs
+            :scream:
+            looks like some things could be wrong with the packs
             ```diff
             ${{ steps.check-packs.outputs.errors }}
           comment_tag: check-packs

Dockerfile

@@ -56,5 +56,5 @@ RUN npm install
 ENV PATH="/home/panther-analysis/node_modules/.bin:$PATH"
 
 # Remove pipfile so it doesn't interfere with local files after install
-RUN rm Pipfile 
+RUN rm Pipfile
 RUN rm Pipfile.lock

Makefile

@@ -18,7 +18,7 @@ vscode-config: install-pipenv install
 	@echo "Creating new vscode config files"
 	cp .vscode/example_launch.json  .vscode/launch.json
 	sed -e 's#XXX_pipenv_py_output_XXX#$(shell pipenv --py)#' .vscode/example_settings.json  > .vscode/settings.json
-	which code && code . 
+	which code && code .
 
 ci:
 	pipenv run $(MAKE) lint test

global_helpers/global_filter_auth0.yml

@@ -6,6 +6,6 @@ Description: >
 
   This filter defines if events should be included or excluded.
 
-  You can change the definition of this filter to work in your own environment. 
-  Panther will not change the filter definition, and should not create 
+  You can change the definition of this filter to work in your own environment.
+  Panther will not change the filter definition, and should not create
   merge conflicts.

global_helpers/global_filter_azuresignin.yml

@@ -6,6 +6,6 @@ Description: >
 
   This filter defines if events should be included or excluded.
 
-  You can change the definition of this filter to work in your own environment. 
-  Panther will not change the filter definition, and should not create 
+  You can change the definition of this filter to work in your own environment.
+  Panther will not change the filter definition, and should not create
   merge conflicts.

global_helpers/global_filter_cloudflare.yml

@@ -6,6 +6,6 @@ Description: >
 
   This filter defines if events should be included or excluded.
 
-  You can change the definition of this filter to work in your own environment. 
-  Panther will not change the filter definition, and should not create 
+  You can change the definition of this filter to work in your own environment.
+  Panther will not change the filter definition, and should not create
   merge conflicts.

global_helpers/global_filter_github.yml

@@ -6,6 +6,6 @@ Description: >
 
   This filter defines if events should be included or excluded.
 
-  You can change the definition of this filter to work in your own environment. 
-  Panther will not change the filter definition, and should not create 
+  You can change the definition of this filter to work in your own environment.
+  Panther will not change the filter definition, and should not create
   merge conflicts.

global_helpers/global_filter_notion.yml

@@ -6,6 +6,6 @@ Description: >
 
   This filter defines if events should be included or excluded.
 
-  You can change the definition of this filter to work in your own environment. 
-  Panther will not change the filter definition, and should not create 
+  You can change the definition of this filter to work in your own environment.
+  Panther will not change the filter definition, and should not create
   merge conflicts.

global_helpers/global_filter_snyk.yml

@@ -6,6 +6,6 @@ Description: >
 
   This filter defines if events should be included or excluded.
 
-  You can change the definition of this filter to work in your own environment. 
-  Panther will not change the filter definition, and should not create 
+  You can change the definition of this filter to work in your own environment.
+  Panther will not change the filter definition, and should not create
   merge conflicts.

global_helpers/global_filter_tailscale.yml

@@ -6,6 +6,6 @@ Description: >
 
   This filter defines if events should be included or excluded.
 
-  You can change the definition of this filter to work in your own environment. 
-  Panther will not change the filter definition, and should not create 
+  You can change the definition of this filter to work in your own environment.
+  Panther will not change the filter definition, and should not create
   merge conflicts.

global_helpers/global_filter_tines.yml

@@ -6,6 +6,6 @@ Description: >
 
   This filter defines if events should be included or excluded.
 
-  You can change the definition of this filter to work in your own environment. 
-  Panther will not change the filter definition, and should not create 
+  You can change the definition of this filter to work in your own environment.
+  Panther will not change the filter definition, and should not create
   merge conflicts.

queries/aws_queries/cloudtrail_password_spraying_query.yml

@@ -4,7 +4,7 @@ Enabled: false
 Description: >
   Detect password spraying in cloudtrail logs
 AthenaQuery: >
-  /* athena query not supported */ 
+  /* athena query not supported */
   SELECT count(1)
 SnowflakeQuery: >
   SELECT
@@ -18,7 +18,7 @@ SnowflakeQuery: >
   FROM
     panther_logs.public.aws_cloudtrail
   WHERE
-    p_occurs_since(3600) 
+    p_occurs_since(3600)
     AND
     eventtype = 'AwsConsoleSignIn'
     AND

queries/aws_queries/ec2_crud_activity_by_role_query.yml

@@ -4,18 +4,18 @@ Enabled: false
 Description: >
   This query searches for CRUD activity in EC2 by role arn. Activities from a role outside typical deployment processes may warrant investigation.
 AthenaQuery: >
-  /* athena query not supported */ 
+  /* athena query not supported */
   SELECT count(1)
 SnowflakeQuery: >
-  SELECT 
+  SELECT
     count(*) as num_logs,
-    recipientAccountId, 
-    userIdentity:arn as arn, 
-    eventName, 
+    recipientAccountId,
+    userIdentity:arn as arn,
+    eventName,
     eventSource
   FROM panther_logs.public.aws_cloudtrail
-  WHERE 
-    eventSource = 'ec2.amazonaws.com' 
+  WHERE
+    eventSource = 'ec2.amazonaws.com'
     AND eventName LIKE '%Image%'
     AND eventName NOT LIKE '%Describe%'
     AND p_occurs_since('3 day')

queries/aws_queries/ec2_crud_activity_by_useragent_query.yml

@@ -4,18 +4,18 @@ Enabled: false
 Description: >
   This query searches for CRUD activity in EC2 by userAgent. A low count or previously unseen useragent may indicate that the action was not performed by an automated process.
 AthenaQuery: >
-  /* athena query not supported */ 
+  /* athena query not supported */
   SELECT count(1)
 SnowflakeQuery: >
-  SELECT 
+  SELECT
     count(*) as num_logs,
-    recipientAccountId, 
-    userAgent, 
-    eventName, 
+    recipientAccountId,
+    userAgent,
+    eventName,
     eventSource
   FROM panther_logs.public.aws_cloudtrail
-  WHERE 
-    eventSource = 'ec2.amazonaws.com' 
+  WHERE
+    eventSource = 'ec2.amazonaws.com'
     AND eventName LIKE '%Image%'
     AND eventName NOT LIKE '%Describe%'
     AND p_occurs_since('3 day')

queries/aws_queries/vpc_dns_tunneling_query.yml

@@ -4,7 +4,7 @@ Enabled: false
 Description: >
   Detect activity similar to DNS tunneling traffic in AWS VPC Logs
 AthenaQuery: >
-  /* athena query not supported */ 
+  /* athena query not supported */
   SELECT count(1)
 SnowflakeQuery: >
   SELECT

queries/crowdstrike_queries/CrowdStrike_Large_Zip_Creation.yml

@@ -5,9 +5,9 @@ Query: |
   select
     ppr.commandline as parent_commandline,
     zip_proc.*
-  from 
+  from
     (
-    select 
+    select
       zips.*,
       pr2.targetprocessid as process_targetpid,
       pr2.parentprocessid as process_parentpid,
@@ -18,7 +18,7 @@ Query: |
           *
         from
           panther_logs.public.crowdstrike_unknown
-        where 
+        where
           event_simpleName IN (
             'GzipFileWritten',
             'SevenZipFileWritten',
@@ -30,12 +30,12 @@ Query: |
       ) zips
       left join panther_logs.public.crowdstrike_processrollup2 pr2
       on zips.ContextProcessId = pr2.targetprocessid
-      
-      where 
+
+      where
       pr2.commandline like any(
         '%zip%'
       )
-      
+
       and not (
         pr2.commandline like any (
           '%curl%',
@@ -47,9 +47,9 @@ Query: |
     ) zip_proc
     LEFT JOIN panther_logs.public.crowdstrike_processrollup2 ppr
     on zip_proc.process_parentpid = ppr.targetprocessid
-  where 
+  where
     (
-      (parent_commandline is null) or 
+      (parent_commandline is null) or
       not (parent_commandline like any (
         '%homebrew%',
         '%Homebrew%',

queries/crowdstrike_queries/CrowdStrike_Large_Zip_Creation_FDREvent.yml

@@ -8,9 +8,9 @@ Query: |
   select
     ppr.event:CommandLine as parent_commandline,
     zip_proc.*
-  from 
+  from
     (
-    select 
+    select
       zips.*,
       pr2.event:TargetProcessId as process_targetpid,
       pr2.event:ParentProcessId as process_parentpid,
@@ -21,7 +21,7 @@ Query: |
           *
         from
           panther_logs.public.crowdstrike_fdrevent
-        where 
+        where
           event_simpleName IN (
             'GzipFileWritten',
             'SevenZipFileWritten',
@@ -33,12 +33,12 @@ Query: |
       ) zips
       left join panther_logs.public.crowdstrike_fdrevent pr2
       on zips.ContextProcessId = pr2.TargetProcessId_decimal and pr2.fdr_event_type = 'ProcessRollup2'
-      
-      where 
+
+      where
       pr2.event:CommandLine like any(
         '%zip%'
       )
-      
+
       and not (
         pr2.event:CommandLine like any (
           '%curl%',
@@ -50,7 +50,7 @@ Query: |
     ) zip_proc
     LEFT JOIN panther_logs.public.crowdstrike_fdrevent ppr
     on zip_proc.process_parentpid = ppr.TargetProcessId_decimal and ppr.fdr_event_type = 'ProcessRollup2'
-  where 
+  where
     (
       (parent_commandline is null) or
       not (parent_commandline like any (

queries/crowdstrike_queries/MacOS_Browser_Credential_Access.yml

@@ -2,11 +2,11 @@ AnalysisType: scheduled_query
 Description: Detects processes that contain known browser credential files in arguments.
 Enabled: false
 Query: |
-  SELECT 
+  SELECT
     *
-  FROM 
+  FROM
     panther_logs.public.crowdstrike_processrollup2
-  WHERE 
+  WHERE
     commandline LIKE ANY (
       '%/Users/%/Library/Application Support/Google/Chrome/Default/Login Data%',
       '%/Users/%/Library/Application Support/Google/Chrome/Default/Cookies%',

queries/crowdstrike_queries/MacOS_Browser_Credential_Access_FDREvent.yml

@@ -5,10 +5,10 @@ AnalysisType: scheduled_query
 Description: Detects processes that contain known browser credential files in arguments. (crowdstrike_fdrevent table)
 Enabled: false
 Query: |
-  SELECT 
+  SELECT
     *
   FROM panther_logs.public.crowdstrike_fdrevent
-  WHERE 
+  WHERE
     fdr_event_type = 'ProcessRollup2' AND
     event:CommandLine LIKE ANY (
       '%/Users/%/Library/Application Support/Google/Chrome/Default/Login Data%',

queries/crowdstrike_queries/onepass_login_from_crowdstrike_unmanaged_device_query.yml

@@ -2,15 +2,15 @@ AnalysisType: scheduled_query
 Description: Looks for OnePassword Logins from IP Addresses that aren''t seen in CrowdStrike''s AIP List.
 Enabled: false
 Query: |
-  SELECT * 
+  SELECT *
   FROM panther_logs.public.onepassword_signinattempt
   WHERE category = 'success'
     AND client:ip_address LIKE '%.%.%.%'
     AND p_occurs_since('1 hour')
     AND client:platform_name NOT LIKE '%iPhone'
     AND type = 'credentials_ok'
     AND client:app_name != '1Password SCIM Bridge'
-    AND client:ip_address NOT IN 
+    AND client:ip_address NOT IN
       (
           SELECT distinct aip
           FROM panther_logs.public.crowdstrike_aidmaster

queries/kubernetes_queries/kubernetes_cron_job_created_or_modified_query.yml

@@ -15,7 +15,7 @@ Query: >
   verb IN ('create', 'update', 'patch')
   AND objectRef:resource = 'cronjobs'
   AND p_occurs_since('30 minutes')
-  --insert allow-list for expected cronjobs in a cluster, for example a sync service 
+  --insert allow-list for expected cronjobs in a cluster, for example a sync service
   LIMIT 100
 Schedule:
   RateMinutes: 30

queries/kubernetes_queries/kubernetes_ioc_activity.yml

@@ -3,7 +3,7 @@ Filename: scheduled_rule_default_k8s.py
 RuleID: "Kubernetes.IOCActivity"
 DisplayName: "IOC Activity in K8 Control Plane"
 Description: >
-  This detection monitors for any kuberentes API Request originating from an Indicator of Compromise.
+  This detection monitors for any kubernetes API Request originating from an Indicator of Compromise.
 Enabled: false
 Runbook: >
   .

queries/kubernetes_queries/kubernetes_ioc_activity_query.yml

@@ -4,7 +4,7 @@ Enabled: false
 Tags:
   - Optional
 Description: >
-  This detection monitors for any kuberentes API Request originating from an Indicator of Compromise.
+  This detection monitors for any kubernetes API Request originating from an Indicator of Compromise.
 Query: >
   SELECT *,
          VALUE as SRC_IP,
@@ -17,7 +17,7 @@ Query: >
   FROM panther_logs.public.amazon_eks_audit, lateral flatten(source_ips)
   WHERE p_occurs_since('30 minutes')
    -- as an example, could be replaced with any IOC data store in a lookup table
-  INNER JOIN panther_lookups.public.tor_exit_nodes 
+  INNER JOIN panther_lookups.public.tor_exit_nodes
   ON value = ip
   LIMIT 10
 Schedule:

queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount_query.yml

@@ -14,7 +14,7 @@ Query: >
   WHERE
   verb IN ('create', 'update', 'patch')
   AND objectRef:resource = 'pods'
-  AND requestObject:spec:volumes[0]:hostPath:path ilike ANY ('/var/run/docker.sock','/var/run/crio/crio.sock','/var/lib/kubelet','/var/lib/kubelet/pki','/var/lib/docker/overlay2','/etc/kubernetes','/etc/kubernetes/manifests','/etc/kubernetes/pki','/home/admin')                  
+  AND requestObject:spec:volumes[0]:hostPath:path ilike ANY ('/var/run/docker.sock','/var/run/crio/crio.sock','/var/lib/kubelet','/var/lib/kubelet/pki','/var/lib/docker/overlay2','/etc/kubernetes','/etc/kubernetes/manifests','/etc/kubernetes/pki','/home/admin')
   AND p_occurs_since('30 minutes')
   --insert allow-list for expected workloads that require a sensitive mount
   LIMIT 10

queries/kubernetes_queries/kubernetes_service_type_node_port_deployed_query.yml

@@ -9,17 +9,17 @@ Query: >
   SELECT *,
          objectRef:name as service,
          objectRef:namespace as namespace,
-         objectRef:resource as resource_type,                        
+         objectRef:resource as resource_type,
          COALESCE(impersonated_user, USER:username) as src_user,
          userAgent,
          responseObject:spec:externalTrafficPolicy as external_traffic_policy,
          responseObject:spec:internalTrafficPolicy as internal_traffic_policy,
          responseObject:spec:clusterIP as cluster_ip_address,
-         VALUE:port as port, --port where traffic gets forwarded to in the pod 
+         VALUE:port as port, --port where traffic gets forwarded to in the pod
          VALUE:protocol as protocol, --protocol the service uses
-         VALUE:nodePort as node_port, --which port acts as the nodeport on all the nodes 
+         VALUE:nodePort as node_port, --which port acts as the nodeport on all the nodes
          requestObject:spec:type as type,
-         IFF(requestObject:spec:status:loadBalancer is null, 'No LB Present', 
+         IFF(requestObject:spec:status:loadBalancer is null, 'No LB Present',
          requestObject:spec:status:loadBalancer) as load_balancer,
          responseStatus:code as response_status
          FROM panther_logs.public.kubernetes_control_plane, lateral flatten(response_object:spec:ports)