new github detections

Patrick Bareiss · Patrick Bareiss · commit 8ed3d573f558 · 2025-01-16T10:36:09.000+01:00
diff --git a/data_sources/github_enterprise_audit_logs.yml b/data_sources/github_enterprise_audit_logs.yml
@@ -3,7 +3,7 @@ id: 8a4d656f-8801-4a2c-ae10-553d2696a59f
 version: 1
 date: '2025-01-15'
 author: Patrick Bareiss, Splunk
-description: Data source object for GitHub Enterprise logs
+description: Data source object for GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
 source: http:github
 sourcetype: httpevent
 supported_TA: 
diff --git a/data_sources/github_organizations_audit_logs.yml b/data_sources/github_organizations_audit_logs.yml
@@ -0,0 +1,32 @@
+name: GitHub Organizations Audit Logs
+id: ce520b1c-79fe-48ef-a0f9-71fbbd4837b0
+version: 1
+date: '2025-01-15'
+author: Patrick Bareiss, Splunk
+description: Data source object for GitHub Organizations logs using the Splunk Add-on for Github using a Personal Access Token.
+source: github
+sourcetype: github:cloud:audit
+supported_TA: 
+- name: Splunk Add-on for Github
+  url: https://splunkbase.splunk.com/app/6254
+  version: 3.1.0
+fields:
+- _document_id
+- action
+- actor 
+- actor_id
+- actor_is_bot
+- business
+- business_id
+- created_at
+- operation_type
+- org
+- org_id
+- public_repo
+- repo
+- repo_id
+- request_access_security_header
+- user
+- user_agent
+- user_id
+example_log: '{ @timestamp: 1736850926658 _document_id: fHPRFHOMZNXLxTZrk1w2IQ action: repository_vulnerability_alerts.disable actor: P4T12ICK actor_id: 8362376 actor_ip: 84.128.62.13 actor_is_bot: false actor_location: { [+] } business: pb business_id: 273781 created_at: 1736850926658 operation_type: modify org: pbtest2 org_id: 194489467 public_repo: false repo: pbtest2/pbtest5 repo_id: 916529548 request_access_security_header: null user: P4T12ICK user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 user_id: 8362376 }'
diff --git a/detections/cloud/github_enterprise_disable_dependabot.yml b/detections/cloud/github_enterprise_disable_dependabot.yml
@@ -13,7 +13,7 @@ description: The following analytic detects when a user disables Dependabot secu
   be a precursor to supply chain attacks where attackers exploit vulnerable dependencies. The impact could be severe if vulnerabilities 
   remain unpatched, potentially leading to code execution, data theft, or other compromises through the software supply chain.
 data_source:
-- GitHub 
+- GitHub Enterprise Audit Logs
 search: '`github_enterprise` action=repository_vulnerability_alerts.disable 
   | fillnull
   | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user, user_agent, user_id, action
diff --git a/detections/cloud/github_organizations_disable_dependabot.yml b/detections/cloud/github_organizations_disable_dependabot.yml
@@ -0,0 +1,77 @@
+name: GitHub Organizations Disable Dependabot
+id: 69078d8c-0de6-45de-bb00-14e78e042fd6
+version: 1
+date: '2025-01-14'
+author: Patrick Bareiss, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects when a user disables Dependabot security features within a GitHub repository. 
+  Dependabot helps automatically identify and fix security vulnerabilities in dependencies. The detection monitors GitHub 
+  Enterprise logs for configuration changes that disable Dependabot functionality. This behavior could indicate an attacker 
+  attempting to prevent the automatic detection of vulnerable dependencies, which would allow them to exploit known vulnerabilities 
+  that would otherwise be patched. For a SOC, identifying the disabling of security features like Dependabot is critical as it may 
+  be a precursor to supply chain attacks where attackers exploit vulnerable dependencies. The impact could be severe if vulnerabilities 
+  remain unpatched, potentially leading to code execution, data theft, or other compromises through the software supply chain.
+data_source:
+- GitHub Organizations Audit Logs
+search: '`github_organizations` vendor_action=repository_vulnerability_alerts.disable 
+  | fillnull
+  | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user, user_agent, user_id, vendor_action
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `github_organizations_disable_dependabot_filter`'
+how_to_implement: You must ingest GitHub Organizations logs using Splunk Add-on for Github using a Personal Access Token https://docs.splunk.com/Documentation/AddOns/released/GitHub/Configureinputs .
+known_false_positives: unknown
+references:
+- https://docs.splunk.com/Documentation/AddOns/released/GitHub/Configureinputs
+- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - GitHub Malicious Activity
+  asset_type: GitHub
+  confidence: 90
+  impact: 30
+  message: Dependabot security features are disabled in repository $repo$ by $user$
+  mitre_attack_id:
+  - T1562.001
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - actor
+  - actor_id
+  - actor_ip
+  - actor_is_bot
+  - actor_location.country_code
+  - business
+  - business_id
+  - org
+  - org_id
+  - repo
+  - repo_id
+  - user
+  - user_agent
+  - user_id
+  risk_score: 27
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_dependabot/github.json
+    source: http:github
+    sourcetype: httpevent
+
diff --git a/macros/github_organizations.yml b/macros/github_organizations.yml
@@ -0,0 +1,4 @@
+definition: sourcetype=github:cloud:audit
+description: customer specific splunk configurations(eg- index, source, sourcetype).
+  Replace the macro definition with configurations for your Splunk Environment.
+name: github_organizations
