panther-labs / panther-analysis

Built-in Panther detection rules and policies
https://panther.com/
Apache License 2.0

ThinkstCanary Rules #1391

Closed arielkr256 closed 1 month ago

arielkr256 commented 1 month ago

Background

Includes alert passthrough and agent disconnected rules, helper function, and pack for ThinkstCanary log source.

Changes

Testing

github-actions[bot] commented 1 month ago

:scream: looks like some things could be wrong with the packs

github-actions[bot] commented 1 month ago

:scream: looks like some things could be wrong with the packs

geoffg-sentry commented 3 weeks ago

Update: Panther has since reverted to the 3.66.0 release given this error. Guidance below should no longer be necessary.

FYI, using PAT v0.53.0 and the ThinkstCanary rule/pack broke our panther_workflow. PAT can't find the schema for ThinkstCanary.Alert as it's an invalid LogType as defined in the rule YML and fails to upload everything from a run.

Error: [root]: Failed to upload to Panther: 
-----
Path: thinkst_canary_dcrc.yml
Error: rule has an invalid log type: ThinkstCanary.Alert
-----
Path: thinkst_canarytoken_incident.yml
Error: rule has an invalid log type: ThinkstCanary.Alert
-----
Path: thinkst_canary_incident.yml
Error: rule has an invalid log type: ThinkstCanary.Alert
-----

Upload failed
Error: Process completed with exit code 1.

Hope this helps someone else. Temporarily remove all the ThinkstCanary rules and pack after upgrading to 3.67.0 and you can get back to normal.
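The failure mode in the comment above is that one rule referencing a log type the target Panther version does not know fails the entire upload. A pre-flight check that lists offending rule files before running the upload lets you drop or gate just those rules instead of the whole run. The script below is an added example and is not part of panther-analysis or panther_analysis_tool; the set of known log types and the two rule files are constructed inline (ThinkstCanary.Alert is deliberately left out of the known set to reproduce the reported error), and the LogTypes reader is a minimal purpose-built one for the two layouts rules use, not a general YAML parser.

```python
"""Pre-flight check: report rule files whose LogTypes are unknown to the
target Panther version, so one bad rule does not fail the whole upload.

Added example, not code from panther-analysis or panther_analysis_tool.
KNOWN_LOG_TYPES and SAMPLE_RULES are constructed here; a real run would
read *.yml files from the repo and take the log-type list from the
Panther instance being targeted.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed: log types the target Panther version is assumed to know.
# ThinkstCanary.Alert is deliberately absent to mirror the failure above.
KNOWN_LOG_TYPES: Set[str] = {
    "AWS.CloudTrail",
    "Okta.SystemLog",
    "GitHub.Audit",
}

# Constructed rule files keyed by path (only the keys relevant here).
SAMPLE_RULES: Dict[str, str] = {
    "thinkst_canary_incident.yml": """
AnalysisType: rule
RuleID: ThinkstCanary.Incident
LogTypes:
  - ThinkstCanary.Alert
Enabled: true
""",
    "okta_example.yml": """
AnalysisType: rule
RuleID: Okta.Example
LogTypes: [Okta.SystemLog, AWS.CloudTrail]
Enabled: true
""",
}


def extract_log_types(yaml_text: str) -> List[str]:
    """Return the LogTypes list from a rule file.

    Handles the two layouts panther-analysis rules use for the top-level
    LogTypes key: a block sequence ("  - A") or a flow sequence ("[A, B]").
    Not a general YAML parser.
    """
    lines = yaml_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^LogTypes:\s*(.*)$", line)
        if not m:
            continue
        rest = m.group(1).strip()
        if rest.startswith("["):  # flow style: [A, B]
            inner = rest.strip("[]")
            return [t.strip() for t in inner.split(",") if t.strip()]
        types: List[str] = []  # block style: one "  - A" line per type
        for follow in lines[i + 1:]:
            item = re.match(r"^\s+-\s+(\S+)\s*$", follow)
            if not item:
                break
            types.append(item.group(1))
        return types
    return []


def find_invalid_log_types(
    rules: Dict[str, str], known: Set[str]
) -> List[Tuple[str, List[str]]]:
    """Return (path, [unknown log types]) for every rule that would fail."""
    problems = []
    for path, text in rules.items():
        bad = [t for t in extract_log_types(text) if t not in known]
        if bad:
            problems.append((path, bad))
    return problems


if __name__ == "__main__":
    # Print in the same shape as the PAT error output quoted in the thread.
    for path, bad in find_invalid_log_types(SAMPLE_RULES, KNOWN_LOG_TYPES):
        for log_type in bad:
            print(f"Path: {path}\nError: rule has an invalid log type: {log_type}\n-----")
```

Running this against a real checkout means replacing SAMPLE_RULES with the contents of each rule YAML and KNOWN_LOG_TYPES with the log types your Panther version actually ships; a non-empty result is the list of rules to exclude from the upload until the schema is available.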