Merge branch 'develop' into threat-391-issue-templates

.github/workflows/check-deprecated.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
         with:
           disable-sudo: true
           egress-policy: block

.github/workflows/check-mitre.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
         with:
           disable-sudo: true
           egress-policy: block

.github/workflows/check-packs.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
         with:
           disable-sudo: true
           egress-policy: block

.github/workflows/docker.yml

@@ -11,7 +11,7 @@ jobs:
     name: Build Dockerfile
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
         with:
           disable-sudo: true
           egress-policy: block
@@ -28,7 +28,7 @@ jobs:
             www.python.org:443
       - name: Checkout panther-analysis
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
-      - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf #v3.2.0
+      - uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a #v3.3.0
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 #v3.8.0

.github/workflows/lint.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
         with:
           disable-sudo: true
           egress-policy: block

.github/workflows/pre-release-upload.yml

@@ -14,7 +14,7 @@ jobs:
       API_HOST: ${{ secrets.GA_API_HOST }}
       API_TOKEN: ${{ secrets.GA_API_TOKEN }}
     steps:
-      - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
         with:
           egress-policy: audit
 

.github/workflows/release.yml

@@ -15,7 +15,7 @@ jobs:
     env:
       GITHUB_TOKEN: ${{ secrets.PANTHER_BOT_AUTOMATION_TOKEN }}
     steps:
-      - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
         with:
           egress-policy: audit
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2

.github/workflows/test.yml

@@ -10,7 +10,7 @@ jobs:
     name: Test
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
         with:
           disable-sudo: true
           egress-policy: audit
@@ -41,7 +41,7 @@ jobs:
       API_HOST: ${{ secrets.API_HOST }}
       API_TOKEN: ${{ secrets.API_TOKEN }}
     steps:
-      - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
         with:
           disable-sudo: true
           egress-policy: audit

.github/workflows/upload.yml

@@ -14,7 +14,7 @@ jobs:
       API_HOST: ${{ secrets.API_HOST }}
       API_TOKEN: ${{ secrets.API_TOKEN }}
     steps:
-      - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
         with:
           egress-policy: audit
 

.github/workflows/validate.yml

@@ -14,7 +14,7 @@ jobs:
       API_HOST: ${{ secrets.API_HOST }}
       API_TOKEN: ${{ secrets.API_TOKEN }}
     steps:
-      - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
         with:
           egress-policy: audit
       - name: Validate Secrets

global_helpers/global_helpers_test.py

@@ -2429,7 +2429,7 @@ def test_pantherflow_investigation(self):
         event = ImmutableCaseInsensitiveDict(event)
         query = """union panther_signals.public.correlation_signals
     , panther_logs.public.aws_cloudtrail
-| where p_event_time between datetime('2024-11-25 15:00:21.000000') - time.parse_timespan('30m') .. datetime('2024-11-25 15:00:21.000000') + time.parse_timespan('30m')
+| where p_event_time between time.parse_timestamp('2024-11-25 15:00:21.000000') - time.parse_timespan('30m') .. time.parse_timestamp('2024-11-25 15:00:21.000000') + time.parse_timespan('30m')
 | where arrays.overlap(p_any_ip_addresses, ['12.34.56.78'])
      or arrays.overlap(p_any_trace_ids, ['ASIAQWERTYUIOPASDFGH'])
      or arrays.overlap(p_any_actor_ids, ['AROAQWERTYUIOPASDFGH', 'AROAQWERTYUIOPASDFGH:bob.ross'])

global_helpers/panther_base_helpers.py

@@ -9,6 +9,7 @@
 from ipaddress import ip_address, ip_network
 from typing import Any, List, Optional, Sequence, Union
 
+import panther_base_helpers_old
 from dateutil import parser
 
 # # # # # # # # # # # # # #
@@ -352,3 +353,139 @@ def pantherflow_investigation(event, interval="30m"):
     query += "| sort p_event_time"
 
     return query
+
+
+# panther_base_helpers.GSUITE_PARAMETER_VALUES is DEPRECATED!!!
+# Instead use panther_gsuite_helpers.GSUITE_PARAMETER_VALUES
+GSUITE_PARAMETER_VALUES = panther_base_helpers_old.GSUITE_PARAMETER_VALUES
+
+
+def gsuite_parameter_lookup(parameters, key):
+    """Global `gsuite_parameter_lookup` is DEPRECATED.
+    Instead, use `from panther_gsuite_helpers import gsuite_parameter_lookup`."""
+    return panther_base_helpers_old.gsuite_parameter_lookup(parameters, key)
+
+
+def gsuite_details_lookup(detail_type, detail_names, event):
+    """Global `gsuite_details_lookup` is DEPRECATED.
+    Instead, use `from panther_gsuite_helpers import gsuite_details_lookup`."""
+    return panther_base_helpers_old.gsuite_details_lookup(detail_type, detail_names, event)
+
+
+# panther_base_helpers.ZENDESK_CHANGE_DESCRIPTION is DEPRECATED!!!
+# Instead use panther_zendesk_helpers.ZENDESK_CHANGE_DESCRIPTION
+ZENDESK_CHANGE_DESCRIPTION = panther_base_helpers_old.ZENDESK_CHANGE_DESCRIPTION
+# panther_base_helpers.ZENDESK_APP_ROLE_ASSIGNED is DEPRECATED!!!
+# Instead use panther_zendesk_helpers.ZENDESK_APP_ROLE_ASSIGNED
+ZENDESK_APP_ROLE_ASSIGNED = panther_base_helpers_old.ZENDESK_APP_ROLE_ASSIGNED
+# panther_base_helpers.ZENDESK_ROLE_ASSIGNED is DEPRECATED!!!
+# Instead use panther_zendesk_helpers.ZENDESK_ROLE_ASSIGNED
+ZENDESK_ROLE_ASSIGNED = panther_base_helpers_old.ZENDESK_ROLE_ASSIGNED
+
+
+def zendesk_get_roles(event):
+    """Global `zendesk_get_roles` is DEPRECATED.
+    Instead, use `from panther_zendesk_helpers import zendesk_get_roles`."""
+    return panther_base_helpers_old.zendesk_get_roles(event)
+
+
+def box_parse_additional_details(event: dict):
+    """Global `box_parse_additional_details` is DEPRECATED.
+    Instead, use `from panther_box_helpers import box_parse_additional_details`."""
+    return panther_base_helpers_old.box_parse_additional_details(event)
+
+
+def okta_alert_context(event: dict):
+    """Global `okta_alert_context` is DEPRECATED.
+    Instead, use `from panther_okta_helpers import okta_alert_context`."""
+    return panther_base_helpers_old.okta_alert_context(event)
+
+
+def crowdstrike_detection_alert_context(event: dict):
+    """Global `crowdstrike_detection_alert_context` is DEPRECATED.
+    Instead, use `from panther_crowdstrike_fdr_helpers import crowdstrike_detection_alert_context`.
+    """
+    return panther_base_helpers_old.crowdstrike_detection_alert_context(event)
+
+
+def crowdstrike_process_alert_context(event: dict):
+    """Global `crowdstrike_process_alert_context` is DEPRECATED.
+    Instead, use `from panther_crowdstrike_fdr_helpers import crowdstrike_process_alert_context`.
+    """
+    return panther_base_helpers_old.crowdstrike_process_alert_context(event)
+
+
+def crowdstrike_network_detection_alert_context(event: dict):
+    """Global `crowdstrike_network_detection_alert_context` is DEPRECATED.
+    Instead, use `from panther_crowdstrike_fdr_helpers
+    import crowdstrike_network_detection_alert_context`.
+    """
+    return panther_base_helpers_old.crowdstrike_network_detection_alert_context(event)
+
+
+def filter_crowdstrike_fdr_event_type(event, name: str) -> bool:
+    """Global `filter_crowdstrike_fdr_event_type` is DEPRECATED.
+    Instead, use `from panther_crowdstrike_fdr_helpers import filter_crowdstrike_fdr_event_type`.
+    """
+    return panther_base_helpers_old.filter_crowdstrike_fdr_event_type(event, name)
+
+
+def get_crowdstrike_field(event, field_name, default=None):
+    """Global `get_crowdstrike_field` is DEPRECATED.
+    Instead, use `from panther_crowdstrike_fdr_helpers import get_crowdstrike_field`.
+    """
+    return panther_base_helpers_old.get_crowdstrike_field(event, field_name, default)
+
+
+def slack_alert_context(event):
+    """Global `slack_alert_context` is DEPRECATED.
+    Instead, use `from panther_slack_helpers import slack_alert_context`."""
+    return panther_base_helpers_old.slack_alert_context(event)
+
+
+def github_alert_context(event):
+    """Global `github_alert_context` is DEPRECATED.
+    Instead, use `from panther_github_helpers import github_alert_context`."""
+    return panther_base_helpers_old.github_alert_context(event)
+
+
+def aws_strip_role_session_id(user_identity_arn):
+    """Global `aws_strip_role_session_id` is DEPRECATED.
+    Instead, use `from panther_aws_helpers import aws_strip_role_session_id`."""
+    return panther_base_helpers_old.aws_strip_role_session_id(user_identity_arn)
+
+
+def aws_rule_context(event: dict):
+    """Global `aws_rule_context` is DEPRECATED.
+    Instead, use `from panther_aws_helpers import aws_rule_context`."""
+    return panther_base_helpers_old.aws_rule_context(event)
+
+
+def aws_guardduty_context(event: dict):
+    """Global `aws_guardduty_context` is DEPRECATED.
+    Instead, use `from panther_aws_helpers import aws_guardduty_context`."""
+    return panther_base_helpers_old.aws_guardduty_context(event)
+
+
+def eks_panther_obj_ref(event):
+    """Global `eks_panther_obj_ref` is DEPRECATED.
+    Instead, use `from panther_aws_helpers import eks_panther_obj_ref`."""
+    return panther_base_helpers_old.eks_panther_obj_ref(event)
+
+
+def get_binding_deltas(event):
+    """Global `get_binding_deltas` is DEPRECATED.
+    Instead, use `from panther_gcp_helpers import get_binding_deltas`."""
+    return panther_base_helpers_old.get_binding_deltas(event)
+
+
+def msft_graph_alert_context(event):
+    """Global `msft_graph_alert_context` is DEPRECATED.
+    Instead, use `from panther_msft_helpers import msft_graph_alert_context`."""
+    return panther_base_helpers_old.msft_graph_alert_context(event)
+
+
+def m365_alert_context(event):
+    """Global `m365_alert_context` is DEPRECATED.
+    Instead, use `from panther_msft_helpers import m365_alert_context`."""
+    return panther_base_helpers_old.m365_alert_context(event)