-
Notifications
You must be signed in to change notification settings - Fork 374
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Patrick Bareiss
committed
Jan 16, 2025
1 parent
75549d2
commit 8ed3d57
Showing
5 changed files
with
115 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| name: GitHub Organizations Audit Logs | ||
| id: ce520b1c-79fe-48ef-a0f9-71fbbd4837b0 | ||
| version: 1 | ||
| date: '2025-01-15' | ||
| author: Patrick Bareiss, Splunk | ||
| description: Data source object for GitHub Organizations logs using the Splunk Add-on for Github using a Personal Access Token. | ||
| source: github | ||
| sourcetype: github:cloud:audit | ||
| supported_TA: | ||
| - name: Splunk Add-on for Github | ||
| url: https://splunkbase.splunk.com/app/6254 | ||
| version: 3.1.0 | ||
| fields: | ||
| - _document_id | ||
| - action | ||
| - actor | ||
| - actor_id | ||
| - actor_is_bot | ||
| - business | ||
| - business_id | ||
| - created_at | ||
| - operation_type | ||
| - org | ||
| - org_id | ||
| - public_repo | ||
| - repo | ||
| - repo_id | ||
| - request_access_security_header | ||
| - user | ||
| - user_agent | ||
| - user_id | ||
| example_log: '{ @timestamp: 1736850926658 _document_id: fHPRFHOMZNXLxTZrk1w2IQ action: repository_vulnerability_alerts.disable actor: P4T12ICK actor_id: 8362376 actor_ip: 84.128.62.13 actor_is_bot: false actor_location: { [+] } business: pb business_id: 273781 created_at: 1736850926658 operation_type: modify org: pbtest2 org_id: 194489467 public_repo: false repo: pbtest2/pbtest5 repo_id: 916529548 request_access_security_header: null user: P4T12ICK user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 user_id: 8362376 }' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
77 changes: 77 additions & 0 deletions
77
detections/cloud/github_organizations_disable_dependabot.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,77 @@ | ||
| name: GitHub Organizations Disable Dependabot | ||
| id: 69078d8c-0de6-45de-bb00-14e78e042fd6 | ||
| version: 1 | ||
| date: '2025-01-14' | ||
| author: Patrick Bareiss, Splunk | ||
| status: production | ||
| type: Anomaly | ||
| description: The following analytic detects when a user disables Dependabot security features within a GitHub repository. | ||
| Dependabot helps automatically identify and fix security vulnerabilities in dependencies. The detection monitors GitHub | ||
| Enterprise logs for configuration changes that disable Dependabot functionality. This behavior could indicate an attacker | ||
| attempting to prevent the automatic detection of vulnerable dependencies, which would allow them to exploit known vulnerabilities | ||
| that would otherwise be patched. For a SOC, identifying the disabling of security features like Dependabot is critical as it may | ||
| be a precursor to supply chain attacks where attackers exploit vulnerable dependencies. The impact could be severe if vulnerabilities | ||
| remain unpatched, potentially leading to code execution, data theft, or other compromises through the software supply chain. | ||
| data_source: | ||
| - GitHub Organizations Audit Logs | ||
| search: '`github_organizations` vendor_action=repository_vulnerability_alerts.disable | ||
| | fillnull | ||
| | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user, user_agent, user_id, vendor_action | ||
| | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | ||
| | `github_organizations_disable_dependabot_filter`' | ||
| how_to_implement: You must ingest GitHub Organizations logs using Splunk Add-on for Github using a Personal Access Token https://docs.splunk.com/Documentation/AddOns/released/GitHub/Configureinputs . | ||
| known_false_positives: unknown | ||
| references: | ||
| - https://docs.splunk.com/Documentation/AddOns/released/GitHub/Configureinputs | ||
| - https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610 | ||
| drilldown_searches: | ||
| - name: View the detection results for - "$user$" | ||
| search: '%original_detection_search% | search user = "$user$"' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| - name: View risk events for the last 7 days for - "$user$" | ||
| search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| tags: | ||
| analytic_story: | ||
| - GitHub Malicious Activity | ||
| asset_type: GitHub | ||
| confidence: 90 | ||
| impact: 30 | ||
| message: Dependabot security features are disabled in repository $repo$ by $user$ | ||
| mitre_attack_id: | ||
| - T1562.001 | ||
| observable: | ||
| - name: user | ||
| type: User | ||
| role: | ||
| - Victim | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| required_fields: | ||
| - actor | ||
| - actor_id | ||
| - actor_ip | ||
| - actor_is_bot | ||
| - actor_location.country_code | ||
| - business | ||
| - business_id | ||
| - org | ||
| - org_id | ||
| - repo | ||
| - repo_id | ||
| - user | ||
| - user_agent | ||
| - user_id | ||
| risk_score: 27 | ||
| security_domain: network | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_dependabot/github.json | ||
| source: http:github | ||
| sourcetype: httpevent | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| definition: sourcetype=github:cloud:audit | ||
| description: customer specific splunk configurations(eg- index, source, sourcetype). | ||
| Replace the macro definition with configurations for your Splunk Environment. | ||
| name: github_organizations |