new detections

Patrick Bareiss · Patrick Bareiss · commit 8ef62a239b22 · 2025-01-20T11:48:11.000+01:00
diff --git a/detections/cloud/github_enterprise_created_self_hosted_runner.yml b/detections/cloud/github_enterprise_created_self_hosted_runner.yml
@@ -0,0 +1,72 @@
+name: GitHub Enterprise Created Self Hosted Runner
+id: b27685a2-8826-4123-ab78-2d9d0d419ed0
+version: 1
+date: '2025-01-20'
+author: Patrick Bareiss, Splunk
+status: production
+type: Anomaly
+description: The following analytic identifies when a self-hosted runner is created in GitHub Enterprise. 
+  The detection monitors GitHub Enterprise audit logs for actions related to creating new self-hosted runners at the organization or enterprise level. 
+  his behavior warrants monitoring because self-hosted runners execute workflow jobs on customer-controlled infrastructure, which could be exploited by attackers to 
+  execute malicious code, access sensitive data, or pivot to other systems. While self-hosted runners are a legitimate feature, their creation should be carefully 
+  controlled as compromised runners pose significant security risks. The impact includes potential remote code execution, data exfiltration, and lateral movement 
+  within the environment if a runner is compromised. SOC teams should investigate unexpected runner creation events to verify they are authorized and properly secured, 
+  especially if created by unfamiliar users or in unusual contexts.
+data_source:
+- GitHub Enterprise Audit Logs
+search: '`github_enterprise` action=enterprise.register_self_hosted_runner
+  | fillnull
+  | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_is_bot, actor_location.country_code, business, business_id, user_agent, action
+  | eval user=actor
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `github_enterprise_disabled_ip_allow_list_filter`'
+how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
+known_false_positives: unknown
+references:
+- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - GitHub Malicious Activity
+  asset_type: GitHub
+  confidence: 90
+  impact: 30
+  message: $user$ created a self-hosted runner in GitHub Enterprise
+  mitre_attack_id:
+  - T1562.001
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - actor
+  - actor_id
+  - actor_is_bot
+  - actor_location.country_code
+  - business
+  - business_id
+  - user_agent
+  risk_score: 27
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_created_self_hosted_runner/github.json
+    source: http:github
+    sourcetype: httpevent
+
+
diff --git a/detections/cloud/github_enterprise_disabled_ip_allow_list.yml b/detections/cloud/github_enterprise_disabled_ip_allow_list.yml
@@ -0,0 +1,72 @@
+name: GitHub Enterprise Disable IP Allow List
+id: afed020e-edcd-4913-a675-cebedf81d4fb
+version: 1
+date: '2025-01-20'
+author: Patrick Bareiss, Splunk
+status: production
+type: Anomaly
+description: The following analytic identifies when an IP allow list is disabled in GitHub Enterprise. 
+  The detection monitors GitHub Enterprise audit logs for actions related to disabling IP allow lists at the organization or enterprise level. 
+  This behavior is concerning because IP allow lists are a critical security control that restricts access to GitHub Enterprise resources to only 
+  trusted IP addresses. When disabled, it could indicate an attacker attempting to bypass access controls to gain unauthorized access from untrusted 
+  networks. The impact includes potential exposure of sensitive code repositories and GitHub Enterprise resources to access from any IP address. 
+  SOC teams should investigate such events, especially if they were not pre-approved changes, as they may indicate compromise of admin credentials 
+  or malicious insider activity.
+data_source:
+- GitHub Enterprise Audit Logs
+search: '`github_enterprise` action=ip_allow_list.disable
+  | fillnull
+  | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_is_bot, actor_location.country_code, business, business_id, user_agent, user_id, action
+  | eval user=actor
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `github_enterprise_disabled_ip_allow_list_filter`'
+how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
+known_false_positives: unknown
+references:
+- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - GitHub Malicious Activity
+  asset_type: GitHub
+  confidence: 90
+  impact: 30
+  message: $user$ disabled an IP allow list in GitHub Enterprise
+  mitre_attack_id:
+  - T1562.001
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - actor
+  - actor_id
+  - actor_is_bot
+  - actor_location.country_code
+  - business
+  - business_id
+  - user_agent
+  risk_score: 27
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_disable_ip_allow_list/github.json
+    source: http:github
+    sourcetype: httpevent
+
+
