From 8ed3d573f5582107873e4671d2394a86e6c5c192 Mon Sep 17 00:00:00 2001
From: Patrick Bareiss
Date: Thu, 16 Jan 2025 10:36:09 +0100
Subject: [PATCH] new github detections

---
 data_sources/github_enterprise_audit_logs.yml | 2 +-
 .../github_organizations_audit_logs.yml | 32 ++++++++
 .../github_enterprise_disable_dependabot.yml | 2 +-
 ...ithub_organizations_disable_dependabot.yml | 77 +++++++++++++++++++
 macros/github_organizations.yml | 4 +
 5 files changed, 115 insertions(+), 2 deletions(-)
 create mode 100644 data_sources/github_organizations_audit_logs.yml
 create mode 100644 detections/cloud/github_organizations_disable_dependabot.yml
 create mode 100644 macros/github_organizations.yml

diff --git a/data_sources/github_enterprise_audit_logs.yml b/data_sources/github_enterprise_audit_logs.yml
index 73532034df..f2f2da3187 100644
--- a/data_sources/github_enterprise_audit_logs.yml
+++ b/data_sources/github_enterprise_audit_logs.yml
@@ -3,7 +3,7 @@ id: 8a4d656f-8801-4a2c-ae10-553d2696a59f
 version: 1
 date: '2025-01-15'
 author: Patrick Bareiss, Splunk
-description: Data source object for GitHub Enterprise logs
+description: Data source object for GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
 source: http:github
 sourcetype: httpevent
 supported_TA:
diff --git a/data_sources/github_organizations_audit_logs.yml b/data_sources/github_organizations_audit_logs.yml
new file mode 100644
index 0000000000..faa3002557
--- /dev/null
+++ b/data_sources/github_organizations_audit_logs.yml
@@ -0,0 +1,32 @@
+name: GitHub Organizations Audit Logs
+id: ce520b1c-79fe-48ef-a0f9-71fbbd4837b0
+version: 1
+date: '2025-01-15'
+author: Patrick Bareiss, Splunk
+description: Data source object for GitHub Organizations logs using the Splunk Add-on for Github using a Personal Access Token.
+source: github
+sourcetype: github:cloud:audit
+supported_TA:
+- name: Splunk Add-on for Github
+ url: https://splunkbase.splunk.com/app/6254
+ version: 3.1.0
+fields:
+- _document_id
+- action
+- actor
+- actor_id
+- actor_is_bot
+- business
+- business_id
+- created_at
+- operation_type
+- org
+- org_id
+- public_repo
+- repo
+- repo_id
+- request_access_security_header
+- user
+- user_agent
+- user_id
+example_log: '{ @timestamp: 1736850926658 _document_id: fHPRFHOMZNXLxTZrk1w2IQ action: repository_vulnerability_alerts.disable actor: P4T12ICK actor_id: 8362376 actor_ip: 84.128.62.13 actor_is_bot: false actor_location: { [+] } business: pb business_id: 273781 created_at: 1736850926658 operation_type: modify org: pbtest2 org_id: 194489467 public_repo: false repo: pbtest2/pbtest5 repo_id: 916529548 request_access_security_header: null user: P4T12ICK user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 user_id: 8362376 }'
\ No newline at end of file
diff --git a/detections/cloud/github_enterprise_disable_dependabot.yml b/detections/cloud/github_enterprise_disable_dependabot.yml
index 5a7a8d89eb..b91556d7d7 100644
--- a/detections/cloud/github_enterprise_disable_dependabot.yml
+++ b/detections/cloud/github_enterprise_disable_dependabot.yml
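Review bot: The `fields` list omits `actor_ip` and `actor_location`, both of which appear in `example_log` and are consumed by the organizations detection this patch adds (`actor_ip` and `actor_location.country_code` in its stats clause and `required_fields`); add `- actor_ip` and `- actor_location` so the data source declares every field the search depends on. The sample log also carries what looks like a real public address and account identifiers; a documentation-range value such as `actor_ip: 192.0.2.10` (constructed sample) would avoid publishing operator data in the corpus. The file is also committed without a trailing newline.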
@@ -13,7 +13,7 @@ description: The following analytic detects when a user disables Dependabot secu be a precursor to supply chain attacks where attackers exploit vulnerable dependencies. The impact could be severe if vulnerabilities remain unpatched, potentially leading to code execution, data theft, or other compromises through the software supply chain. data_source: -- GitHub +- GitHub Enterprise Audit Logs search: '`github_enterprise` action=repository_vulnerability_alerts.disable | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user, user_agent, user_id, action diff --git a/detections/cloud/github_organizations_disable_dependabot.yml b/detections/cloud/github_organizations_disable_dependabot.yml new file mode 100644 index 0000000000..5bcc3d1e7a --- /dev/null +++ b/detections/cloud/github_organizations_disable_dependabot.yml 
@@ -0,0 +1,77 @@ +name: GitHub Organizations Disable Dependabot +id: 69078d8c-0de6-45de-bb00-14e78e042fd6 +version: 1 +date: '2025-01-14' +author: Patrick Bareiss, Splunk +status: production +type: Anomaly +description: The following analytic detects when a user disables Dependabot security features within a GitHub repository. + Dependabot helps automatically identify and fix security vulnerabilities in dependencies. The detection monitors GitHub + Enterprise logs for configuration changes that disable Dependabot functionality. This behavior could indicate an attacker + attempting to prevent the automatic detection of vulnerable dependencies, which would allow them to exploit known vulnerabilities + that would otherwise be patched. For a SOC, identifying the disabling of security features like Dependabot is critical as it may + be a precursor to supply chain attacks where attackers exploit vulnerable dependencies. The impact could be severe if vulnerabilities + remain unpatched, potentially leading to code execution, data theft, or other compromises through the software supply chain. +data_source: +- GitHub Organizations Audit Logs +search: '`github_organizations` vendor_action=repository_vulnerability_alerts.disable + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user, user_agent, user_id, vendor_action + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `github_organizations_disable_dependabot_filter`' +how_to_implement: You must ingest GitHub Organizations logs using Splunk Add-on for Github using a Personal Access Token https://docs.splunk.com/Documentation/AddOns/released/GitHub/Configureinputs . 
+known_false_positives: unknown +references: +- https://docs.splunk.com/Documentation/AddOns/released/GitHub/Configureinputs +- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - GitHub Malicious Activity + asset_type: GitHub + confidence: 90 + impact: 30 + message: Dependabot security features are disabled in repository $repo$ by $user$ + mitre_attack_id: + - T1562.001 + observable: + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - actor + - actor_id + - actor_ip + - actor_is_bot + - actor_location.country_code + - business + - business_id + - org + - org_id + - repo + - repo_id + - user + - user_agent + - user_id + risk_score: 27 + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_dependabot/github.json + source: http:github + sourcetype: httpevent + 
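Review bot: The True Positive Test ingests the fixture as `source: http:github` / `sourcetype: httpevent`, which is the Enterprise streaming sourcetype, while the search is scoped by the `github_organizations` macro that this patch defines as `sourcetype=github:cloud:audit` and filters on `vendor_action`; the test therefore cannot match the search, so the fixture should be one ingested as `sourcetype: github:cloud:audit` with `source: github`, matching the new data source object. The description still says the detection "monitors GitHub Enterprise logs", which reads as copied from the enterprise analytic; `monitors GitHub Organizations audit logs collected by the Splunk Add-on for Github` would agree with `data_source` and `how_to_implement`. The data source object lists `action` rather than `vendor_action`; if `vendor_action` is produced by the add-on's field aliasing that is worth stating in `how_to_implement`, otherwise the search needs to filter on `action=`. `known_false_positives: unknown` is weak for a production-status detection; noting that repository administrators may disable alerts deliberately during archival or migration gives analysts a triage hint.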
diff --git a/macros/github_organizations.yml b/macros/github_organizations.yml
new file mode 100644
index 0000000000..bf5087b23f
--- /dev/null
+++ b/macros/github_organizations.yml
@@ -0,0 +1,4 @@
+definition: sourcetype=github:cloud:audit
+description: customer specific splunk configurations(eg- index, source, sourcetype).
+ Replace the macro definition with configurations for your Splunk Environment.
+name: github_organizations
\ No newline at end of file