new detections

Author: Patrick Bareiss

detections/cloud/github_enterprise_delete_branch_ruleset.yml

@@ -0,0 +1,78 @@
+name: GitHub Enterprise Delete Branch Ruleset
+id: 6169ea23-3719-439f-957a-0ea5174b70e2
+version: 1
+date: '2025-01-17'
+author: Patrick Bareiss, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects when branch rules are deleted in GitHub Enterprise. 
+  The detection monitors GitHub Enterprise audit logs for branch rule deletion events by tracking actor details, repository information, 
+  and associated metadata. For a SOC, identifying deleted branch rules is critical as it could indicate attempts to bypass code review requirements 
+  and security controls. Branch deletion rules are essential security controls that enforce code review, prevent force pushes, and maintain code quality. 
+  Disabling these protections could allow malicious actors to directly push unauthorized code changes or backdoors to protected branches. The impact of 
+  disabled branch protection includes potential code tampering, bypass of security reviews, introduction of vulnerabilities or malicious code, and compromise 
+  of software supply chain integrity. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting 
+  to inject malicious code.
+data_source:
+- GitHub Enterprise Audit Logs
+search: '`github_enterprise` action=repository_ruleset.destroy
+  | fillnull
+  | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user_agent, action, ruleset_name
+  | eval user=actor
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `github_enterprise_delete_branch_ruleset_filter`'
+how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
+known_false_positives: unknown
+references:
+- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - GitHub Malicious Activity
+  asset_type: GitHub
+  confidence: 90
+  impact: 30
+  message: $user$ deleted a branch ruleset in repo $repo$
+  mitre_attack_id:
+  - T1562.001
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - actor
+  - actor_id
+  - actor_is_bot
+  - actor_location.country_code
+  - business
+  - business_id
+  - org
+  - org_id
+  - repo
+  - repo_id
+  - user_agent
+  - ruleset_name
+  risk_score: 27
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_delete_branch_ruleset/github.json
+    source: http:github
+    sourcetype: httpevent
+
+

detections/cloud/github_enterprise_disable_classic_branch_protection_rule.yml

@@ -0,0 +1,78 @@
+name: GitHub Enterprise Disable Classic Branch Protection Rule
+id: 372176ba-450c-4abd-9b86-419bb44c1b76
+version: 1
+date: '2025-01-17'
+author: Patrick Bareiss, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects when classic branch protection rules are disabled in GitHub Enterprise. 
+  The detection monitors GitHub Enterprise audit logs for branch protection removal events by tracking actor details, repository information, 
+  and associated metadata. For a SOC, identifying disabled branch protection is critical as it could indicate attempts to bypass code review requirements 
+  and security controls. Branch protection rules are essential security controls that enforce code review, prevent force pushes, and maintain code quality. 
+  Disabling these protections could allow malicious actors to directly push unauthorized code changes or backdoors to protected branches. The impact of 
+  disabled branch protection includes potential code tampering, bypass of security reviews, introduction of vulnerabilities or malicious code, and compromise 
+  of software supply chain integrity. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting 
+  to inject malicious code.
+data_source:
+- GitHub Enterprise Audit Logs
+search: '`github_enterprise` action=protected_branch.destroy 
+  | fillnull
+  | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user_agent, action, name
+  | eval user=actor
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `github_enterprise_disable_classic_branch_protection_rule_filter`'
+how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
+known_false_positives: unknown
+references:
+- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - GitHub Malicious Activity
+  asset_type: GitHub
+  confidence: 90
+  impact: 30
+  message: $user$ disabled a classic branch protection rule in repo $repo$
+  mitre_attack_id:
+  - T1562.001
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - actor
+  - actor_id
+  - actor_is_bot
+  - actor_location.country_code
+  - business
+  - business_id
+  - org
+  - org_id
+  - repo
+  - repo_id
+  - user_agent
+  - name
+  risk_score: 27
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_disable_classic_branch_protection/github.json
+    source: http:github
+    sourcetype: httpevent
+
+

detections/cloud/github_organizations_delete_branch_ruleset.yml

@@ -0,0 +1,80 @@
+name: GitHub Organizations Delete Branch Ruleset
+id: 8e454f64-4bd6-45e6-8a94-1b482593d721
+version: 1
+date: '2025-01-17'
+author: Patrick Bareiss, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects when branch rulesets are deleted in GitHub Organizations. 
+  The detection monitors GitHub Organizations audit logs for branch ruleset deletion events by tracking actor details, repository information, 
+  and associated metadata. For a SOC, identifying deleted branch rulesets is critical as it could indicate attempts to bypass code review requirements 
+  and security controls. Branch rulesets are essential security controls that enforce code review, prevent force pushes, and maintain code quality. 
+  Disabling these protections could allow malicious actors to directly push unauthorized code changes or backdoors to protected branches. 
+  The impact of disabled branch protection includes potential code tampering, bypass of security reviews, introduction of vulnerabilities or malicious code, 
+  and compromise of software supply chain integrity. This activity could be part of a larger attack chain where an adversary first disables security controls 
+  before attempting to inject malicious code.
+data_source:
+- GitHub Organizations Audit Logs
+search: '`github_organizations` vendor_action=repository_ruleset.destroy 
+  | fillnull
+  | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user_agent, vendor_action, ruleset_name
+  | eval user=actor
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `github_organizations_delete_branch_ruleset_filter`'
+how_to_implement: You must ingest GitHub Organizations logs using Splunk Add-on for Github using a Personal Access Token https://docs.splunk.com/Documentation/AddOns/released/GitHub/Configureinputs .
+known_false_positives: unknown
+references:
+- https://docs.splunk.com/Documentation/AddOns/released/GitHub/Configureinputs
+- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - GitHub Malicious Activity
+  asset_type: GitHub
+  confidence: 90
+  impact: 30
+  message: $user$ deleted a branch ruleset in repo $repo$
+  mitre_attack_id:
+  - T1562.001
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - actor
+  - actor_id
+  - actor_ip
+  - actor_is_bot
+  - actor_location.country_code
+  - business
+  - business_id
+  - org
+  - org_id
+  - repo
+  - repo_id
+  - user
+  - user_agent
+  - user_id
+  - name
+  risk_score: 27
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_delete_branch_ruleset/github.json
+    source: github
+    sourcetype: github:cloud:audit
+

detections/cloud/github_organizations_disable_classic_branch_protection_rule..yml

@@ -0,0 +1,80 @@
+name: GitHub Organizations Disable Classic Branch Protection Rule
+id: 33cffee0-41ee-402e-a238-d37825f2d788
+version: 1
+date: '2025-01-17'
+author: Patrick Bareiss, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects when classic branch protection rules are disabled in GitHub Organizations. 
+  The detection monitors GitHub Organizations audit logs for branch protection removal events by tracking actor details, repository information, 
+  and associated metadata. For a SOC, identifying disabled branch protection is critical as it could indicate attempts to bypass code review requirements 
+  and security controls. Branch protection rules are essential security controls that enforce code review, prevent force pushes, and maintain code quality. 
+  Disabling these protections could allow malicious actors to directly push unauthorized code changes or backdoors to protected branches. 
+  The impact of disabled branch protection includes potential code tampering, bypass of security reviews, introduction of vulnerabilities 
+  or malicious code, and compromise of software supply chain integrity. This activity could be part of a larger attack chain where an adversary 
+  first disables security controls before attempting to inject malicious code.
+data_source:
+- GitHub Organizations Audit Logs
+search: '`github_organizations` vendor_action=protected_branch.destroy 
+  | fillnull
+  | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user_agent, vendor_action, name
+  | eval user=actor
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `github_organizations_disable_classic_branch_protection_rule_filter`'
+how_to_implement: You must ingest GitHub Organizations logs using Splunk Add-on for Github using a Personal Access Token https://docs.splunk.com/Documentation/AddOns/released/GitHub/Configureinputs .
+known_false_positives: unknown
+references:
+- https://docs.splunk.com/Documentation/AddOns/released/GitHub/Configureinputs
+- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - GitHub Malicious Activity
+  asset_type: GitHub
+  confidence: 90
+  impact: 30
+  message: $user$ disabled a classic branch protection rule in repo $repo$
+  mitre_attack_id:
+  - T1562.001
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - actor
+  - actor_id
+  - actor_ip
+  - actor_is_bot
+  - actor_location.country_code
+  - business
+  - business_id
+  - org
+  - org_id
+  - repo
+  - repo_id
+  - user
+  - user_agent
+  - user_id
+  - name
+  risk_score: 27
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_disable_classic_branch_protection/github.json
+    source: github
+    sourcetype: github:cloud:audit
+