New GitHub Enterprise detections

Patrick Bareiss · Patrick Bareiss · commit e11c55b69bc9 · 2025-01-15T10:39:57.000+01:00
diff --git a/data_sources/github.yml b/data_sources/github.yml
@@ -0,0 +1,32 @@
+name: GitHub
+id: 8a4d656f-8801-4a2c-ae10-553d2696a59f
+version: 1
+date: '2025-01-15'
+author: Patrick Bareiss, Splunk
+description: Data source object for GitHub Enterprise logs
+source: github
+sourcetype: github:cloud:audit
+supported_TA: 
+- name: Splunk Add-on for Github
+  url: https://splunkbase.splunk.com/app/6254
+  version: 3.1.0
+fields:
+- _document_id
+- action
+- actor 
+- actor_id
+- actor_is_bot
+- business
+- business_id
+- created_at
+- operation_type
+- org
+- org_id
+- public_repo
+- repo
+- repo_id
+- request_access_security_header
+- user
+- user_agent
+- user_id
+example_log: '{ @timestamp: 1736850926658 _document_id: fHPRFHOMZNXLxTZrk1w2IQ action: repository_vulnerability_alerts.disable actor: P4T12ICK actor_id: 8362376 actor_ip: 84.128.62.13 actor_is_bot: false actor_location: { [+] } business: pb business_id: 273781 created_at: 1736850926658 operation_type: modify org: pbtest2 org_id: 194489467 public_repo: false repo: pbtest2/pbtest5 repo_id: 916529548 request_access_security_header: null user: P4T12ICK user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 user_id: 8362376 }'
diff --git a/detections/cloud/github_disable_dependabot.yml b/detections/cloud/github_disable_dependabot.yml
@@ -0,0 +1,75 @@
+name: GitHub Disable Dependabot
+id: 787dd1c1-eb3a-4a31-8e8c-2ad24b214bc8
+version: 1
+date: '2025-01-14'
+author: Patrick Bareiss, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects when a user disables Dependabot security features within a GitHub repository. 
+  Dependabot helps automatically identify and fix security vulnerabilities in dependencies. The detection monitors GitHub 
+  Enterprise logs for configuration changes that disable Dependabot functionality. This behavior could indicate an attacker 
+  attempting to prevent the automatic detection of vulnerable dependencies, which would allow them to exploit known vulnerabilities 
+  that would otherwise be patched. For a SOC, identifying the disabling of security features like Dependabot is critical as it may 
+  be a precursor to supply chain attacks where attackers exploit vulnerable dependencies. The impact could be severe if vulnerabilities 
+  remain unpatched, potentially leading to code execution, data theft, or other compromises through the software supply chain.
+data_source:
+- GitHub 
+search: '`github_enterprise` action=repository_vulnerability_alerts.disable OR vendor_action=repository_vulnerability_alerts.disable
+  | fillnull
+  | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user, user_agent, user_id, src, action, vendor_action
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `github_disable_dependabot_filter`'
+how_to_implement: You must ingest GitHub Enterprise logs using the Splunk Add-on for GitHub https://splunkbase.splunk.com/app/6254 . 
+known_false_positives: unknown
+references:
+- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - GitHub Malicious Activity
+  asset_type: GitHub
+  confidence: 90
+  impact: 30
+  message: Dependabot security features are disabled in repository $repo$ by $user$
+  mitre_attack_id:
+  - T1562.001
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - actor
+  - actor_id
+  - actor_ip
+  - actor_is_bot
+  - actor_location.country_code
+  - business
+  - business_id
+  - org
+  - org_id
+  - repo
+  - repo_id
+  - user
+  - user_agent
+  - user_id
+  risk_score: 27
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_dependabot/github.json
+    source: github
+    sourcetype: github:cloud:audit
diff --git a/macros/github_enterprise.yml b/macros/github_enterprise.yml
@@ -0,0 +1,4 @@
+definition: sourcetype=github:cloud:audit
+description: customer specific splunk configurations(eg- index, source, sourcetype).
+  Replace the macro definition with configurations for your Splunk Environment.
+name: github_enterprise
