diff --git a/data_sources/github.yml b/data_sources/github.yml new file mode 100644 index 0000000000..61a065bab2 --- /dev/null +++ b/data_sources/github.yml @@ -0,0 +1,32 @@ +name: GitHub +id: 8a4d656f-8801-4a2c-ae10-553d2696a59f +version: 1 +date: '2025-01-15' +author: Patrick Bareiss, Splunk +description: Data source object for GitHub Enterprise logs +source: github +sourcetype: github:cloud:audit +supported_TA: +- name: Splunk Add-on for Github + url: https://splunkbase.splunk.com/app/6254 + version: 3.1.0 +fields: +- _document_id +- action +- actor +- actor_id +- actor_is_bot +- business +- business_id +- created_at +- operation_type +- org +- org_id +- public_repo +- repo +- repo_id +- request_access_security_header +- user +- user_agent +- user_id +example_log: '{ @timestamp: 1736850926658 _document_id: fHPRFHOMZNXLxTZrk1w2IQ action: repository_vulnerability_alerts.disable actor: P4T12ICK actor_id: 8362376 actor_ip: 84.128.62.13 actor_is_bot: false actor_location: { [+] } business: pb business_id: 273781 created_at: 1736850926658 operation_type: modify org: pbtest2 org_id: 194489467 public_repo: false repo: pbtest2/pbtest5 repo_id: 916529548 request_access_security_header: null user: P4T12ICK user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 user_id: 8362376 }' \ No newline at end of file diff --git a/detections/cloud/github_disable_dependabot.yml b/detections/cloud/github_disable_dependabot.yml new file mode 100644 index 0000000000..c671aeba8b --- /dev/null +++ b/detections/cloud/github_disable_dependabot.yml 
@@ -0,0 +1,75 @@ +name: GitHub Disable Dependabot +id: 787dd1c1-eb3a-4a31-8e8c-2ad24b214bc8 +version: 1 +date: '2025-01-14' +author: Patrick Bareiss, Splunk +status: production +type: Anomaly +description: The following analytic detects when a user disables Dependabot security features within a GitHub repository. + Dependabot helps automatically identify and fix security vulnerabilities in dependencies. The detection monitors GitHub + Enterprise logs for configuration changes that disable Dependabot functionality. This behavior could indicate an attacker + attempting to prevent the automatic detection of vulnerable dependencies, which would allow them to exploit known vulnerabilities + that would otherwise be patched. For a SOC, identifying the disabling of security features like Dependabot is critical as it may + be a precursor to supply chain attacks where attackers exploit vulnerable dependencies. The impact could be severe if vulnerabilities + remain unpatched, potentially leading to code execution, data theft, or other compromises through the software supply chain. +data_source: +- GitHub +search: '`github_enterprise` action=repository_vulnerability_alerts.disable OR vendor_action=repository_vulnerability_alerts.disable + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user, user_agent, user_id, src, action, vendor_action + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `github_disable_dependabot_filter`' +how_to_implement: You must ingest GitHub Enterprise logs using the Splunk Add-on for GitHub https://splunkbase.splunk.com/app/6254 . 
+known_false_positives: unknown +references: +- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610 +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - GitHub Malicious Activity + asset_type: GitHub + confidence: 90 + impact: 30 + message: Dependabot security features are disabled in repository $repo$ by $user$ + mitre_attack_id: + - T1562.001 + observable: + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - actor + - actor_id + - actor_ip + - actor_is_bot + - actor_location.country_code + - business + - business_id + - org + - org_id + - repo + - repo_id + - user + - user_agent + - user_id + risk_score: 27 + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_dependabot/github.json + source: github + sourcetype: github:cloud:audit diff --git a/macros/github_enterprise.yml b/macros/github_enterprise.yml new file mode 100644 index 0000000000..5028602761 
--- /dev/null +++ b/macros/github_enterprise.yml @@ -0,0 +1,4 @@ +definition: sourcetype=github:cloud:audit +description: customer specific splunk configurations(eg- index, source, sourcetype). + Replace the macro definition with configurations for your Splunk Environment. +name: github_enterprise \ No newline at end of file
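Review bot: In data_sources/github.yml the `fields` list omits `actor_ip` and `actor_location` even though both appear in `example_log` and the new detection groups on `actor_ip` and `actor_location.country_code` (and lists them under `required_fields`); add them so the data source documents every field the analytic consumes. Separately, `example_log` is not a raw event: it has unquoted keys and the collapsed placeholder `actor_location: { [+] }`, which looks like a pasted UI rendering rather than the JSON the add-on ingests. Replace it with an actual event from the `github:cloud:audit` sourcetype, and add the missing trailing newline flagged by `\ No newline at end of file`.

Review bot: In detections/cloud/github_disable_dependabot.yml, `known_false_positives: unknown` should be filled in before this ships as `status: production`: the `repository_vulnerability_alerts.disable` action is a routine administrative change (repository owners turning off alerts for archived, forked or test repositories, or bulk policy changes at the org level), so benign hits are expected and the `github_disable_dependabot_filter` macro is the intended tuning point. Two smaller points: `security_domain: network` does not fit a SaaS audit-log configuration change (consider the domain the schema uses for audit/cloud events), and the `description` says "Dependabot security features" while the searched action only covers disabling vulnerability alerts for a repository, so narrow the wording to match what the search actually detects.

Review bot: In macros/github_enterprise.yml the `description` has spacing and capitalisation issues ("customer specific splunk configurations(eg- index, source, sourcetype)") and, like the data source file, lacks a trailing newline. The `definition` correctly matches the `sourcetype` declared in data_sources/github.yml, but since the description tells customers to adapt it for their environment, consider making the index explicit in the default (for example `index=<your_index> sourcetype=github:cloud:audit`, with the index as a placeholder) so the macro is not silently searching every index.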