Improve detection

Patrick Bareiss · Patrick Bareiss · commit a31b2d4ee11c · 2025-01-15T11:39:58.000+01:00
diff --git a/detections/cloud/github_disable_dependabot.yml b/detections/cloud/github_disable_dependabot.yml
@@ -14,15 +14,16 @@ description: The following analytic detects when a user disables Dependabot secu
   remain unpatched, potentially leading to code execution, data theft, or other compromises through the software supply chain.
 data_source:
 - GitHub 
-search: '`github_enterprise` action=repository_vulnerability_alerts.disable OR vendor_action=repository_vulnerability_alerts.disable
+search: '`github_enterprise` action=repository_vulnerability_alerts.disable 
   | fillnull
-  | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user, user_agent, user_id, action, vendor_action
+  | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user, user_agent, user_id, action
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
   | `github_disable_dependabot_filter`'
-how_to_implement: You must ingest GitHub Enterprise logs using the Splunk Add-on for GitHub https://splunkbase.splunk.com/app/6254 . 
+how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk .
 known_false_positives: unknown
 references:
 - https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
 drilldown_searches:
 - name: View the detection results for - "$user$"
   search: '%original_detection_search% | search  user = "$user$"'
@@ -71,5 +72,5 @@ tests:
 - name: True Positive Test
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_dependabot/github.json
-    source: github
-    sourcetype: github:cloud:audit
+    source: http:github
+    sourcetype: httpevent
