Resync to upstream panther-analysis (panther-labs#16)
* Snowflake Query Updates p2 (panther-labs#718)

* Snowflake Query Updates p2

* fixing select on admin assigned query

* fixing tabs to spaces

* Query Fix: Making sure queries use fqtn (panther-labs#719)

* query fix: fqtn (panther-labs#720)

* gcp bigquery detections (panther-labs#716)

* gcp bigquery large query detection

* gcp destructive query detection

* gcp logging settings modified detection

* gcp cloud storage buckets modified or deleted (panther-labs#721)

* gcp cloud storage modified or deleted

* Double quote names and IDs the way that bulk download does (panther-labs#724)

* Added force ttl check option to kv-table functions (panther-labs#725)

* added force ttl check functionality to kv-table functions

* linting & formatting

* pr comment

* add ttl column to get requests where missing

* Snowflake queries minor fixes (panther-labs#728)

* feat: Snyk detections for OU changes and external access changes (panther-labs#729)

Co-authored-by: calkim-panther <113376708+calkim-panther@users.noreply.github.com>

* Updated Atlassian impersonation detection displayname (panther-labs#730)

Co-authored-by: Ed⁦ <ed.anderson@panther.io>

* Adding Panther.Audit to the Greynoise LUTs (panther-labs#732)

* Adding Panther.Audit to the Greynoise LUTs

---------

Co-authored-by: Nicholas Kuligoski <nkulig@US-K272KJ4452.localdomain>
Co-authored-by: Ed⁦ <ed.anderson@panther.io>

* Feat/edyesed/snyk roles and svcaccts (panther-labs#731)

* feat: snyk rules that look for service accounts

* feat: Snyk rules for role changes

* New Snowflake Queries (panther-labs#733)

* New Snowflake Queries

* enriching test cases and alert titles to add context

* fix: default val in title

* Update queries/snowflake_queries/snowflake_multiple_failed_logins_followed_by_success.yml

Co-authored-by: Ed⁦ <ed.anderson@panther.io>

* Update queries/snowflake_queries/snowflake_multiple_failed_logins_followed_by_success.yml

Co-authored-by: Ed⁦ <ed.anderson@panther.io>

---------

Co-authored-by: Ed⁦ <ed.anderson@panther.io>

* fix: AWS ELBs now have TLS 1.3 SSL Policies (panther-labs#734)

* feat: Allow ELBs using the AWS TLSv1.3 SSL Policies to pass compliance tests

* Calkim dropbox (panther-labs#736)

* dropbox 2fa disabled

* dropbox ownership transfer

* dropbox external shares

* sign in as session detection

* dropbox many downloads many deletes

* Snowflake Scheduled Queries (panther-labs#737)

* Snowflake Scheduled Queries (panther-labs#737)

* updated pat dependency (panther-labs#738)

* Slack: User's role changed to User (panther-labs#693)

* Slack: Adding new rule to the Slack packs.

- Adding Slack.AuditLogs.UserPrivilegeChangedToUser to the pack.

* Slack: New rule detecting when a Slack user's role changes to User.

- A Slack user could have a role such as Owner or Admin or another
  type of role that Slack offers. This rule detects whether an
  account is moved from a non-user role and given the User role.
  Unfortunately Slack's audit logs do not offer 1) an endpoint like
  role_change_from... 2) the role that the account previously held,
  such as the Owner or Admin role.

* Slack: Fixed username's default value

* Slack: Change severity to High if not role_changed_to_user

- Severity is high as the test changes the role to admin.
- This case should be caught by other detections.

* Slack: Severity is defined in the yml file.

* fix formatting

* Update rules/slack_rules/slack_privilege_changed_to_user.py

Thanks! Tested this and got the same results. Not sure why I made this more complicated than it needed to be :(

Co-authored-by: Ed⁦ <ed.anderson@panther.io>

* Update slack_privilege_changed_to_user.py

* Adding a more realistic fake IP address

---------

Co-authored-by: Ed⁦ <ed.anderson@panther.io>

* chore: update github asana action (panther-labs#740)

* fix: add Zeek ip addresses to LUTs (panther-labs#739)

* feat: More Snyk Detections (panther-labs#741)

* feat: more snyk detections, and extension of the snyk pack

---------

Co-authored-by: andrea-youwakim <117778222+andrea-youwakim@users.noreply.github.com>

* gcp detections (panther-labs#727)

* gcp permissions granted to create or manage service account keys

* GCP IAP protected service user added

* GCP service account or key created

* Crowdstrike embargoed (panther-labs#743)

* crowdstrike embargoed countries

* added crowdstrike data model

* cs network connection alert context

* crowdstrike parent child process detection (panther-labs#742)

crowdstrike system log tampering

crowdstrike credential dumping tool

crypto mining detection

* crowdstrike detections pt2 (panther-labs#744)

* crowdstrike remote access tool execution

* remove asana github action

* crowdstrike reverse shell tool

* wmic query detection

* missing event in deep_get (panther-labs#746)

* Salesforce loginas detection: Alerts when an admin logs in as another user  (panther-labs#747)

* New Salesforce Detection: Alerts when an admin logs in as another user

* linting and fmt

* lint

* display name fix

* Crowdstrike FDR (panther-labs#745)

* Additional crowdstrike detections

* Crowdstrike FDR UDM

* updated udm

* added get_process_name

* test cases and tuning

* minor updates to yml

* initial aws dns data model

* initial data model

* added defang function

* corrected method

* new rules

* linting

* removing connection to malicious site

* remove suspicious downloads

* added process context

* linting

* small fix

* moved to standard directory

* linting

* updated base64 regex

* update logic and title

* updated title

* linting

* Safely handle a potential KeyError inside zoom operation passcode disabled (panther-labs#749)

* Safely handle zoom non-update events

* chore: downgrades log4j alert severity (panther-labs#751)

* chore: there was a little copy-pasta in the global filter yaml file for snyk (panther-labs#752)

* Adding global helpers for Auth0 (panther-labs#753)

* Adding global helpers for Auth0

* fixing lint

* adding test cases in global_helpers

* linting- user-agent val too long, removed it from test since it isn't part of any checks

* scrubbing event data

* feat: Tines.Audit detections and pack (panther-labs#754)

* A detection for Tines SSO settings changing and a pack to contain it

* feat: Tines detections for API Tokens and CustomCA (panther-labs#755)

* bump PAT version to 0.22.1 (panther-labs#756)

* removing detections as code owners (panther-labs#757)

Co-authored-by: Max Richmond <maxrichmond@panther.com>

* New: Auth0 Detections and Pack (panther-labs#758)

* New: Auth0 Detections and Pack

* json indexing fix

* classic fmt

* minor changes, log sanitization

* chore: add a clickable link to snyk alert_context to identify users (panther-labs#760)

* chore: add a clickable link to snyk alert_context to identify users

* add fdr detections to pack (panther-labs#748)

* Adding credential security pack (panther-labs#761)

* Adding credential security pack

* Update credential_security.yml

* Alphabetize rules

Co-authored-by: Ed⁦ <ed.anderson@panther.io>

* removed disabled detections

---------

Co-authored-by: Ed⁦ <ed.anderson@panther.io>

* chore: update panther_analysis_tool (panther-labs#762)

* fix: panther_oss_helpers.set_key_expiration should make an effort to turn epoch_seconds kwarg into an int (panther-labs#764)

* fix: panther_oss_helpers.set_key_expiration should make an effort to turn epoch_seconds kwarg into an int
* fix: get unit testing and mocks in place for panther_oss_helper functions

* fix: some cache ttls were getting stringified, which leads to dynamodb silently not expiring them (panther-labs#763)

* feat: a generic approach to impossible travel for login style events (panther-labs#766)

* fix: When Snyk users are added via SAML, the userId on the audit log entry is the same as the userid of the added user (panther-labs#768)

* fix: When Snyk users are added via SAML, the userId on the record is the same as the userId of the user being added

* feat: extend the Standard.ImpossibleTravel.Login detection to include Okta.SystemLog logtype (panther-labs#770)

* fix: Tune cloudflare bot alert up to 2req/sec. Disable some cloudflare blocked alerts due to cloudflare having blocked the request (panther-labs#769)

* fix: Tune cloudflare bot alert up to 2req/sec. Disable some cloudflare blocked alerts due to cloudflare having blocked the requests

* chore: tweak the request volume for cloudflare + bots + greynoise

* gcp_alert_context (panther-labs#765)

* removing dupe cloudflare test case (panther-labs#773)

* Notion Global Helpers and Filters (panther-labs#772)

* Notion Global Helpers and Filters

* fmt and lint

* Update global_filter_notion.py

* Improve Greynoise and IPInfo Helpers (panther-labs#759)

* improve greynoise helpers add unit tests

* checkpoint

* more tests, update ipinfo

* fix linter complaints

* fix linter complaints

* fix linter complaints

* fix linter complaints

* fix linter complaints

* fix linter complaints

* fix linter complaints

* fix linter complaints

* respond to PR

* respond to PR

* update min/max code per @debugmiller suggestion

* add crowdstrike data model to pack (panther-labs#775)

* New: Notion Detections, Pack, Pat Version Upgrade (panther-labs#774)

* New: Notion Detections, Pack, Pat Version Upgrade

* update pipfile

---------

Co-authored-by: Calvin Kim <calvin.kim@panther.com>

* Fix: snyk SAML IdP initiated user-adds are attributed to the user being added (panther-labs#771)

* fix: When Snyk users are added via SAML, the userId on the record is the same as the userId of the user being added

* feat: a make target that will configure VSCode in some helpful ways (panther-labs#776)

* feat: make vscode-config in order to configure your vscode to work in this repo

* chore: add units to alert_context on standard impossible travel (panther-labs#777)

* chore: it is helpful for responders to know the units in the ImpossibleTravel computation and hints about how to report geolocation inaccuracies

* deprecate dynamo encryption policy (panther-labs#778)

* fix: Standard.ImpossibleTravel.Login should not alert on VPN or ApplePrivateRelay (panther-labs#780)

* fix: Standard.ImpossibleTravel.Login should not alert on VPN or ApplePrivateRelay

* Add detections for GCP DNS zone operations (panther-labs#779)

* Rules: Tines Actions Disabled Change (panther-labs#781)

* Rules: Adding Tines rule for Actions Disabled Changes.

- Detects if the operation_name is ActonsDisabledChange.

---------

Co-authored-by: calkim-panther <113376708+calkim-panther@users.noreply.github.com>
Co-authored-by: Ed⁦ <ed.anderson@panther.io>

* fix: impossible travel short distances tweak (panther-labs#783)

* fix: add some jitter for likely geoip based inaccuracies

* fix: formatting wanted to reorder imports on gcp_dns_zone_modified_or_deleted

* add: github rule add org moderator (panther-labs#782)

* add: github rule add org moderator

* remove dynamo encryption policy from pack (panther-labs#784)

* Create detection for GCP firewall rule modifications (panther-labs#785)

* Create detection for GCP firewall rule modifications

* Address PR comments

* fmt

* tune embargo country detection to low (panther-labs#790)

* fix: tines_actions_disabled should use the global filter (panther-labs#792)

* feat: Notion audit log exported detection (panther-labs#793)

* feat: Notion audit log exported detection

* add: github org moderators add rule to pack (panther-labs#797)

* Alias column names with invalid characters (panther-labs#802)

* add: notion rule many pages deleted (panther-labs#795)

* add: notion rule many pages deleted

* nit: tabs

* fix: test fixture

* refactor: add to pack & severity

---------

Co-authored-by: andrea-youwakim <117778222+andrea-youwakim@users.noreply.github.com>

* Add detection for GCP firewall rule creations (panther-labs#791)

* Add detection for GCP firewall rule deletions (panther-labs#794)

* Add detections for GCP logging bucket or sink deletions (panther-labs#798)

Co-authored-by: calkim-panther <113376708+calkim-panther@users.noreply.github.com>

* Add detections for GCP logging sink modifications (panther-labs#799)

* Add detection for denied GCP service account access (panther-labs#801)

Co-authored-by: calkim-panther <113376708+calkim-panther@users.noreply.github.com>

* Allow for any API version for certain GCP detections (panther-labs#803)

* add: notion rule scim token generated (panther-labs#796)

* add: notion rule scim token generated

* fmt

* refactor: add to pack & severity

* add: title

* feedback

* add token id

* fmt

* lint

* Update rules/notion_rules/notion_scim_token_generated.py

Co-authored-by: andrea-youwakim <117778222+andrea-youwakim@users.noreply.github.com>

* fmt

* fixing dot notation attempt in deep_get

---------

Co-authored-by: andrea-youwakim <117778222+andrea-youwakim@users.noreply.github.com>
Co-authored-by: andrea-youwakim <andrea.youwakim@panther.io>

* Rule: Notion public homepage added (panther-labs#806)

* Rule: New Notion rule for workspace public page added.

* Rule: Updated the RuleID

* Rule: Fixed the Log sample for the tests and added a failure case.

- The Public page added test included event which caused
  the notion_alert_context to fail. Removing event from the log
  resolves this problem.
- Removed the deep_get for event as well.
- Added a failure case, Workspace Exported.

* formatting

* Rule: Added rule ID to Notion pack and resolved review comments.

- Added square brackets around interpolated values.
- Removed tags from the yml file.

* putting the square brackets in the right place

---------

Co-authored-by: andrea-youwakim <117778222+andrea-youwakim@users.noreply.github.com>

* Update README (panther-labs#808)

The initial setup verification isn't quite right.

* fix: restore the has_exit_nodes() method to TorExitNodes class (panther-labs#810)

Co-authored-by: andrea-youwakim <117778222+andrea-youwakim@users.noreply.github.com>

* Tines Rule - Global Resource Destruction (panther-labs#786)

* Tines Rule - Global Resource Destruction

---------
Co-authored-by: andrea-youwakim <117778222+andrea-youwakim@users.noreply.github.com>

* feat: Add detection for Notion SAML SSO configuration change (panther-labs#805)

* Added rule: Auth0 User Joined Tenant (panther-labs#807)

Co-authored-by: andrea-youwakim <117778222+andrea-youwakim@users.noreply.github.com>

* auth0 mfa enabled detection (panther-labs#811)

* auth0 mfa enabled detection



---------
Co-authored-by: Nick Koukounakis <nick.koukounakis@panther.com>

* feat: new auth0_integration_installed detection (panther-labs#815)

* feat: new auth0_integration_installed detection

---------
Co-authored-by: George Simos <george.simos@panther.com>

* Add detection for user invitations to tenants and organizations (panther-labs#816)

* add Crowdstrike.Macos.Add.Trusted.Cert (panther-labs#820)

* fix: lookuptables base class needs to be in the pack.yml for all artifacts that leverage it (panther-labs#821)

* fix: lookuptables base class needs to be in the pack.yml for all artifacts that leverage the lookuptables base class

* fix: aws pack included a greynoise importing rule

---------

Co-authored-by: calkim-panther <113376708+calkim-panther@users.noreply.github.com>

* fix: cloudflare pack also needed panther_base_helpers for deep_get (panther-labs#822)

* [sync-from-upstream] Add git_config_pull_rebase: false

---------

Co-authored-by: andrea-youwakim <117778222+andrea-youwakim@users.noreply.github.com>
Co-authored-by: calkim-panther <113376708+calkim-panther@users.noreply.github.com>
Co-authored-by: Dana Katzenelson <dekatzenel@gmail.com>
Co-authored-by: Nick Hakmiller <49166439+nhakmiller@users.noreply.github.com>
Co-authored-by: Ed⁦ <ed.anderson@panther.io>
Co-authored-by: mbellifa <mohammed.bellifa@gmail.com>
Co-authored-by: nkulig <88459023+nkulig@users.noreply.github.com>
Co-authored-by: Nicholas Kuligoski <nkulig@US-K272KJ4452.localdomain>
Co-authored-by: Andrew Miotke <8988647+miotke@users.noreply.github.com>
Co-authored-by: Lucy Suddenly <43256356+LucySuddenly@users.noreply.github.com>
Co-authored-by: Panos Sakkos <panos.sakkos@panther.com>
Co-authored-by: jzandona <79932094+jzandona@users.noreply.github.com>
Co-authored-by: allanbreyes <allanbreyes@users.noreply.github.com>
Co-authored-by: darwayne <darwaynelynch@gmail.com>
Co-authored-by: Max Richmond <46904505+maxrichie5@users.noreply.github.com>
Co-authored-by: Max Richmond <maxrichmond@panther.com>
Co-authored-by: Russell Leighton <russell.leighton@runpanther.io>
Co-authored-by: Calvin Kim <calvin.kim@panther.com>
Co-authored-by: Evan Gibler <evan.gibler@panther.com>
Co-authored-by: andrea-youwakim <andrea.youwakim@panther.io>
Co-authored-by: Jim Kalafut <jim.kalafut@panther.com>
Co-authored-by: Josh Esbrook <101294262+josh-panther@users.noreply.github.com>
Co-authored-by: Nick Koukounakis <nick.koukounakis@runpanther.io>
Co-authored-by: George Simos <admin@georgesimos.com>
25 people authored Jun 22, 2023
1 parent e337eb7 commit 3a5862b
Showing 210 changed files with 15,448 additions and 742 deletions.
2 changes: 1 addition & 1 deletion .github/CODEOWNERS
Expand Up @@ -3,4 +3,4 @@

# These owners will be the default owners for everything in the repo.

* @panther-labs/detections @panther-labs/security
* @panther-labs/security
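Review bot: dropping `@panther-labs/detections` from the `*` entry means files under `rules/`, `policies/` and the other detection directories no longer trigger an automatic review request from that team. If detection content should still be routed to them, add a narrower path entry below the default, e.g. `rules/ @panther-labs/detections`, since later, more specific CODEOWNERS entries take precedence over the catch-all.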
51 changes: 0 additions & 51 deletions .github/workflows/asana.yml

This file was deleted.

5 changes: 4 additions & 1 deletion .github/workflows/sync-from-upstream.yml
@@ -1,5 +1,8 @@
name: sync-panther-analysis-from-upstream

inputs:
git_config_pull_rebase: false

on:
schedule:
# 15:00Z, every Tuesday
Expand Down Expand Up @@ -104,4 +107,4 @@ jobs:
run: |
echo "unhandled exception in PR create step. Check output of that step."
exit 128
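Review bot: `inputs:` is not a valid top-level key in a GitHub Actions workflow file (the top level only accepts keys such as `name`, `on`, `env`, `defaults`, `concurrency`, `permissions` and `jobs`), so the added `git_config_pull_rebase: false` will make the workflow fail to parse rather than change any behaviour. If this is an input to the upstream-sync action, it belongs under that step's `with:` block; if it is meant as a manual-run parameter, it belongs under `on: workflow_dispatch: inputs:`.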
17 changes: 11 additions & 6 deletions .vscode/example_settings.json
@@ -1,15 +1,20 @@
{
//"makefile.extensionOutputFolder": "./.vscode",
"python.defaultInterpreterPath": "XXX_pipenv_py_output_XXX",
"yaml.schemas": {
"https://panther-community-us-east-1.s3.amazonaws.com/latest/logschema/schema.json": [ "schemas/*.yml", "schemas/*.yaml", "schemas/**/*yaml", "schemas/**/*.yaml"],
".vscode/rule_jsonschema.json": [ "rules/*.yml", "rules/*.yaml", "rules/**/*.yaml", "rules/**/*.yml"]
},
"python.analysis.extraPaths": [
"global_helpers"
],
//"python.analysis.logLevel": "Trace",
//"files.autoSave": "afterDelay",
"files.exclude": {
"**/__pycache": true,
"**/*pyc": true
},
//"files.associations": {
// "panther_analysis_tool": "python"
//}
//"python.analysis.logLevel": "Trace",
//"files.autoSave": "afterDelay",
//"makefile.extensionOutputFolder": "./.vscode",
"files.associations": {
"panther_analysis_tool": "python"
}
}
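Review bot: the `files.exclude` glob `"**/__pycache": true` will not hide `__pycache__` directories; the pattern needs the trailing underscores, `"**/__pycache__": true`. Also, because `python.defaultInterpreterPath` holds the `XXX_pipenv_py_output_XXX` placeholder that only becomes a real path after the Makefile's `sed` substitution, a leading `//` comment stating that this file is a template rendered into `.vscode/settings.json` by `make vscode-config` would stop people from copying it verbatim and ending up with a non-existent interpreter.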
242 changes: 242 additions & 0 deletions .vscode/rule_jsonschema.json
@@ -0,0 +1,242 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Panther Rule",
"description": "A Detection for security events which is based on log data",

"type": "object",
"properties": {
"AnalysisType": {
"$ref": "#/definitions/AnalysisType"
},
"DisplayName": {
"$ref": "#/definitions/DisplayName"
},
"Enabled": {
"$ref": "#/definitions/Enabled"
},
"Filename": {
"$ref": "#/definitions/Filename"
},
"RuleID": {
"$ref": "#/definitions/RuleID"
},
"Severity": {
"$ref": "#/definitions/Severity"
},
"Tests": {
"type": "array",
"items": {"$ref": "#/definitions/UnitTestCase"}
},
"Description": {
"$ref": "#/definitions/Description"
},
"LogTypes": {
"$ref": "#/definitions/LogTypes"
},
"Tags": {
"$ref": "#/definitions/Tags"
},
"Runbook": {
"$ref": "#/definitions/Runbook"
},
"SummaryAttributes": {
"$ref": "#/definitions/SummaryAttributes"
},
"DedupPeriodMinutes": {
"$ref": "#/definitions/DedupPeriodMinutes"
},
"Reports": {
"$ref": "#/definitions/Reports"
},
"Reference": {
"$ref": "#/definitions/Reference"
},
"Threshold": {
"$ref": "#/definitions/Threshold"
},
"ScheduledQueries": {
"$ref": "#/definitions/ScheduledQueries"
}
},
"required": [
"AnalysisType",
"DisplayName",
"Enabled",
"Filename",
"RuleID",
"Severity",
"Tests"
],
"additionalProperties": false,
"definitions": {
"AnalysisType": {
"description": "what kind of detection",
"type": "string",
"enum": [
"rule",
"scheduled_rule"
],
"default": "rule"
},
"DisplayName": {
"description": "A DisplayName of the detection",
"default": "A human friendly name for your detection",
"type": "string",
"minLength": 1
},
"Enabled": {
"description": "Should this rule run automatically",
"type": "boolean",
"default": true
},
"Filename": {
"title": "Filename to the python file that acommpanies this detection.",
"description": "Python file with the detection logic",
"type": "string",
"default": "this_file.py"
},
"RuleID": {
"$comment": "https://docs.panther.com/detections/writing-and-editing-detections",
"description": "A unique string to identify this rule",
"default": "LogType.DetectionClassification.Specific",
"type": "string"
},
"Description": {
"$comment": "https://docs.panther.com/detections/writing-and-editing-detections/rules",
"description": "Description is a short sentence that describes what the detection detects.",
"type": "string"
},
"DedupPeriodMinutes": {
"$comment": "https://docs.panther.com/detections/writing-and-editing-detections/rules",
"description": "A number of minutes to supress additional alerts, based on the output of the dedup function",
"type": "integer"
},
"Reference": {
"$comment": "https://docs.panther.com/detections/writing-and-editing-detections/rules",
"description": "Reference material for alert. This might be a description or a link",
"type": "string"
},
"Reports": {
"$comment": "https://docs.panther.com/detections/writing-and-editing-detections/rules",
"description": "Reports describe which Benchmarks might apply to the detection, like CIS or ATT&CK",
"type": "object"
},
"ScheduledQueries": {
"$comment": "Which scheduled queries feed input to this rule",
"description": "Scheduled Query IDs",
"type": "string"
},
"Severity": {
"$comment": "What severity should emitted alerts possess?",
"description": "Alert severity",
"default": "Medium",
"type": "string",
"enum": [
"Info",
"Low",
"Medium",
"High",
"Critical"
]
},
"Threshold": {
"$comment": "How many events should match this rule before an alert is fired",
"description": "Threshold of event matches before alerting",
"default": 1,
"type": "integer"
},
"SummaryAttributes": {
"$comment": "Enter the attributes you want to showcase in the alerts that are triggered by this detection",
"description": "Enter the attributes you want to showcase in the alerts that are triggered by this detection",
"type": "array",
"items": [
{"type": "string"}
]
},
"Tags": {
"$comment": "Enter custom tags to help you understand the rule at a glance",
"description": "Enter custom tags to help you understand the rule at a glance",
"type": "array",
"items": [
{"type": "string"}
]
},
"LogTypes": {
"id": "LogTypes",
"description": "which log types should this work against",
"type": "array",
"items": [
{"type": "string"}
],
"minItems": 1
},
"Runbook": {
"$comment": "https://docs.panther.com/detections/writing-and-editing-detections",
"description": "Runbook instructions go here",
"default": "What should people do when this alert fires?",
"type": "string",
"minLength": 1
},
"Tests": {
"$comment": "https://docs.panther.com/detections/writing-and-editing-detections",
"description": "Unit test cases",
"type": "array",
"items": { "$ref": "#/definitions/UnitTestCase"}
},
"UnitTestCase": {
"type": "object",
"properties": {
"Name": {
"type": "string",
"default": "Unit test case name"
},
"ExpectedResult": {
"type": "boolean",
"$comment": "If this test case should alert or not",
"description": "true for Alert, false for NotAlert.",
"default": true
},
"Log": {
"anyOf": [
{
"if": {
"properties": { "AnalysisType": {"enum": ["rule"]} }
},
"then": {
"type": "object",
"comment": "A log entry, json or yaml formatted",
"description": "the log data"
},
"else": false
}
]
},
"Resource": {
"anyOf": [
{
"if": {
"properties": { "AnalysisType": {"enum": ["scheduled_rule"]} }
},
"then": {
"type": "object",
"comment": "A resource definition entry, json or yaml formatted",
"description": "the resource data"
},
"else": false
}
]
}
},
"allOf": [
{
"if": {
"properties": { "AnalysisType": {"enum": ["rule"]} }
},
"then": {
"required": [ "Name", "ExpectedResult", "Log" ]
}
}
]
}
}
}
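Review bot: the `if`/`then` blocks inside `UnitTestCase` (under `Log`, `Resource` and the trailing `allOf`) test `properties.AnalysisType`, but they are evaluated against the test-case object, which has no `AnalysisType` key; an absent property satisfies `properties`, so the `if` is always true, the `then` branch always applies and the `"else": false` can never fire, meaning the `rule`/`scheduled_rule` distinction has no effect. If the conditional is wanted it has to sit at the top level of the schema, where `AnalysisType` actually exists. Two smaller correctness points: `SummaryAttributes`, `Tags` and `LogTypes` use the array form `"items": [ {"type": "string"} ]`, which in draft-07 is tuple validation and only constrains the first element, so these should read `"items": {"type": "string"}`; and `ScheduledQueries` is described as "Scheduled Query IDs" but typed `string`, so it should be an array of strings. Nits: `"comment"` under `Log`/`Resource` should be `"$comment"` like the rest of the file, `"id"` under `LogTypes` is the draft-04 spelling of `$id`, the standalone `Tests` definition duplicates what `properties.Tests` already declares inline, and `acommpanies`/`supress` in the descriptions are typos.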
20 changes: 20 additions & 0 deletions Makefile
@@ -1,4 +1,24 @@
dirs := $(shell ls | egrep 'policies|rules|helpers|models|templates' | xargs)
UNAME := $(shell uname)

ifeq ($(UNAME), Darwin)
install_pipenv_cmd = brew install pipenv
endif

install-pipenv:
which pipenv || $(install_pipenv_cmd)

vscode-config: install-pipenv install
@echo "backing up existing vscode configs"
test -f .vscode/settings.json && cp .vscode/settings.json .vscode/settings_bak.json \
|| echo "no existing vscode settings.json file found. continuing"
test -f .vscode/launch.json && cp .vscode/launch.json .vscode/launch_bak.json \
|| echo "no existing vscode launch.json file found. continuing"
@echo "Creating new vscode config files"
cp .vscode/example_launch.json .vscode/launch.json
sed -e 's#XXX_pipenv_py_output_XXX#$(shell pipenv --py)#' .vscode/example_settings.json > .vscode/settings.json
which code && code .


ci:
pipenv run $(MAKE) lint test
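Review bot: `install_pipenv_cmd` is only defined for Darwin, so on Linux the `install-pipenv` recipe expands to `which pipenv ||` with nothing after the operator, and a host without pipenv fails with a shell syntax error instead of installing it or explaining what to do. Give the variable a default (`install_pipenv_cmd ?= pip install --user pipenv`) or add an `else` branch that prints an instruction and exits non-zero. Likewise `which code && code .` makes the whole `vscode-config` target fail when the `code` CLI is not on PATH, even though the config files were already written; prefix the line with `-` or append `|| true` to keep it best-effort. Minor: `$(shell pipenv --py)` in the `sed` line is expanded by make before the shell runs, which is fine here because `install-pipenv install` are prerequisites, but if `pipenv --py` fails the settings file is silently written with an empty interpreter path.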
5 changes: 4 additions & 1 deletion Pipfile
Expand Up @@ -10,13 +10,16 @@ click = "~=8.1"
decorator = "~=5.1"
isort = "~=5.10.0"
mypy = "~=0.950"
panther-analysis-tool = "~=0.19.8"
panther-analysis-tool = "~=0.22.3"
pylint = "~=2.15.0"
pylint-print = "~=1.0.0"
moto = ">=4.1"

[packages]
policyuniverse = "==1.5.0.20220613"
requests = "~=2.27"
panther-analysis-tool = "~=0.22.3"
moto = "*"

[requires]
python_version = "3.9"
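Review bot: `panther-analysis-tool` now appears in both `[dev-packages]` and `[packages]` at `~=0.22.3`, and `moto` appears in both with different constraints (`>=4.1` in dev, `*` in packages). Keep each dependency in one section: if `panther-analysis-tool` is genuinely needed outside of development, drop the dev entry, otherwise drop the `[packages]` one; and `moto` is a test-only mocking library, so the unpinned `moto = "*"` under `[packages]` should go, leaving the bounded dev entry. Also note the commit message says "bump PAT version to 0.22.1" while the Pipfile pins `~=0.22.3`; one of the two should be corrected so the lock file and the history agree.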