Merge branch 'develop' into geoffg-sentry/github.repo.rulesetmodified

panther-labs · Jan 9, 2025 · 12d4308 · 12d4308
2 parents 93e373b + 14a1a32
commit 12d4308
Show file tree

Hide file tree

Showing 5 changed files with 331 additions and 257 deletions.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -31,7 +31,7 @@ jobs:
       - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf #v3.2.0
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 #v3.7.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 #v3.8.0
       - name: Build Image
         run: docker buildx build --load -f Dockerfile -t panther-analysis:latest .
       - name: Test Image

diff --git a/.scripts/deleted_rules.py b/.scripts/deleted_rules.py
@@ -10,7 +10,7 @@
 import panther_analysis_tool.command.bulk_delete as pat_delete
 import panther_analysis_tool.util as pat_util
 
-diff_pattern = re.compile(r'^-(?:RuleID|PolicyID|QueryName):\s*"?([\w.]+)"?')
+diff_pattern = re.compile(r'^-(?:RuleID|PolicyID|QueryName):\s*"?(.+?)["\n]')
 
 
 def get_deleted_ids() -> set[str]:

diff --git a/global_helpers/panther_base_helpers.py b/global_helpers/panther_base_helpers.py
@@ -338,7 +338,7 @@ def pantherflow_investigation(event, interval="30m"):
 
     query = f"""union panther_signals.public.correlation_signals
     , panther_logs.public.{logtype}
-| where p_event_time between datetime('{timestamp}') - time.parse_timespan('{interval}') .. datetime('{timestamp}') + time.parse_timespan('{interval}')
+| where p_event_time between time.parse_timestamp('{timestamp}') - time.parse_timespan('{interval}') .. time.parse_timestamp('{timestamp}') + time.parse_timespan('{interval}')
 """
 
     first = True

diff --git a/rules/okta_rules/okta_new_behavior_accessing_admin_console.py b/rules/okta_rules/okta_new_behavior_accessing_admin_console.py
@@ -1,3 +1,6 @@
+import json
+
+from panther_base_helpers import deep_get
 from panther_okta_helpers import okta_alert_context
 
 
@@ -12,15 +15,12 @@ def rule(event):
     if behaviors:
         return "New Device=POSITIVE" in behaviors and "New IP=POSITIVE" in behaviors
 
+    log_only_security_data = event.deep_get("debugContext", "debugData", "logOnlySecurityData")
+    if isinstance(log_only_security_data, str):
+        log_only_security_data = json.loads(log_only_security_data)
     return (
-        event.deep_get(
-            "debugContext", "debugData", "logOnlySecurityData", "behaviors", "New Device"
-        )
-        == "POSITIVE"
-        and event.deep_get(
-            "debugContext", "debugData", "logOnlySecurityData", "behaviors", "New IP"
-        )
-        == "POSITIVE"
+        deep_get(log_only_security_data, "behaviors", "New Device") == "POSITIVE"
+        and deep_get(log_only_security_data, "behaviors", "New IP") == "POSITIVE"
     )