-
Notifications
You must be signed in to change notification settings - Fork 374
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Patrick Bareiss
committed
Jan 16, 2025
1 parent
f488218
commit 1e203ab
Showing
2 changed files
with
149 additions
and
0 deletions.
There are no files selected for viewing
73 changes: 73 additions & 0 deletions
73
detections/cloud/github_enterprise_remove_organization.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| name: GitHub Enterprise Remove Organization | ||
| id: 94cb89aa-aec1-4585-91b1-affcdacf357e | ||
| version: 1 | ||
| date: '2025-01-16' | ||
| author: Patrick Bareiss, Splunk | ||
| status: production | ||
| type: Anomaly | ||
| description: The following analytic detects when a user removes an organization from GitHub Enterprise. | ||
| The detection monitors GitHub Enterprise audit logs for organization deletion events, which could indicate unauthorized removal of critical business resources. | ||
| For a SOC, identifying organization removals is crucial as it may signal account compromise, insider threats, or malicious attempts to disrupt business operations | ||
| by deleting entire organizational structures. The impact could be severe, potentially resulting in loss of source code, repositories, team structures, access controls, | ||
| and other critical organizational assets. This disruption could halt development workflows, cause data loss, and require significant effort to restore from backups | ||
| if available. Additionally, unauthorized organization removal could be part of a larger attack campaign aimed at destroying or compromising enterprise assets. | ||
| data_source: | ||
| - GitHub Enterprise Audit Logs | ||
| search: '`github_enterprise` action=business.remove_organization | ||
| | fillnull | ||
| | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, user_agent, action | ||
| | eval user=actor | ||
| | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | ||
| | `github_enterprise_remove_organization_filter`' | ||
| how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector. | ||
| known_false_positives: unknown | ||
| references: | ||
| - https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610 | ||
| - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk | ||
| drilldown_searches: | ||
| - name: View the detection results for - "$user$" | ||
| search: '%original_detection_search% | search user = "$user$"' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| - name: View risk events for the last 7 days for - "$user$" | ||
| search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| tags: | ||
| analytic_story: | ||
| - GitHub Malicious Activity | ||
| asset_type: GitHub | ||
| confidence: 90 | ||
| impact: 30 | ||
| message: $user$ removed an organization from GitHub Enterprise | ||
| mitre_attack_id: | ||
| - T1485 | ||
| observable: | ||
| - name: user | ||
| type: User | ||
| role: | ||
| - Victim | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| required_fields: | ||
| - actor | ||
| - actor_id | ||
| - actor_ip | ||
| - actor_is_bot | ||
| - actor_location.country_code | ||
| - business | ||
| - business_id | ||
| - org | ||
| - org_id | ||
| - user_agent | ||
| risk_score: 27 | ||
| security_domain: network | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/github_remove_organization/github.json | ||
| source: http:github | ||
| sourcetype: httpevent | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,76 @@ | ||
| name: GitHub Enterprise Repository Deleted | ||
| id: f709e736-3e6c-492f-b865-bc7696cc24a7 | ||
| version: 1 | ||
| date: '2025-01-16' | ||
| author: Patrick Bareiss, Splunk | ||
| status: production | ||
| type: Anomaly | ||
| description: The following analytic detects when a user deletes a repository in GitHub Enterprise. | ||
| The detection monitors GitHub Enterprise audit logs for repository deletion events, which could indicate unauthorized removal of critical source code and project resources. | ||
| For a SOC, identifying repository deletions is crucial as it may signal account compromise, insider threats, or malicious attempts to destroy intellectual property and | ||
| disrupt development operations. The impact could be severe, potentially resulting in permanent loss of source code, documentation, project history, and other critical assets | ||
| if proper backups are not maintained. Repository deletion could halt development workflows, cause significant business disruption, and require substantial effort to restore | ||
| from backups if available. Additionally, unauthorized repository removal could be part of a larger attack campaign aimed at destroying or compromising enterprise assets. | ||
| data_source: | ||
| - GitHub Enterprise Audit Logs | ||
| search: '`github_enterprise` action=repo.destroy | ||
| | fillnull | ||
| | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user_agent, visibility, action | ||
| | eval user=actor | ||
| | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | ||
| | `github_enterprise_repository_deleted_filter`' | ||
| how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector. | ||
| known_false_positives: unknown | ||
| references: | ||
| - https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610 | ||
| - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk | ||
| drilldown_searches: | ||
| - name: View the detection results for - "$user$" | ||
| search: '%original_detection_search% | search user = "$user$"' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| - name: View risk events for the last 7 days for - "$user$" | ||
| search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| tags: | ||
| analytic_story: | ||
| - GitHub Malicious Activity | ||
| asset_type: GitHub | ||
| confidence: 90 | ||
| impact: 30 | ||
| message: $user$ deleted a repository in GitHub Enterprise | ||
| mitre_attack_id: | ||
| - T1485 | ||
| observable: | ||
| - name: user | ||
| type: User | ||
| role: | ||
| - Victim | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| required_fields: | ||
| - actor | ||
| - actor_id | ||
| - actor_ip | ||
| - actor_is_bot | ||
| - actor_location.country_code | ||
| - business | ||
| - business_id | ||
| - org | ||
| - org_id | ||
| - repo | ||
| - repo_id | ||
| - user_agent | ||
| risk_score: 27 | ||
| security_domain: network | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/github_delete_repository/github.json | ||
| source: http:github | ||
| sourcetype: httpevent | ||
|
|
||
|
|