splunk
diff --git a/‎contentctl.yml‎
Lines changed: 7 additions & 1 deletion b/‎contentctl.yml‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎data_sources/github_enterprise_audit_logs.yml‎
Lines changed: 32 additions & 0 deletions b/‎data_sources/github_enterprise_audit_logs.yml‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎data_sources/github_organizations_audit_logs.yml‎
Lines changed: 32 additions & 0 deletions b/‎data_sources/github_organizations_audit_logs.yml‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎data_sources/github.yml‎ renamed to ‎data_sources/github_webhooks.yml‎
Lines changed: 3 additions & 6 deletions b/‎data_sources/github.yml‎ renamed to ‎data_sources/github_webhooks.yml‎
Lines changed: 3 additions & 6 deletions
diff --git a/‎detections/cloud/github_enterprise_delete_branch_ruleset.yml‎
Lines changed: 66 additions & 0 deletions b/‎detections/cloud/github_enterprise_delete_branch_ruleset.yml‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎detections/cloud/github_enterprise_disable_2fa_requirement.yml‎
Lines changed: 64 additions & 0 deletions b/‎detections/cloud/github_enterprise_disable_2fa_requirement.yml‎
Lines changed: 64 additions & 0 deletions
diff --git a/‎detections/cloud/github_enterprise_disable_audit_log_event_stream.yml‎
Lines changed: 65 additions & 0 deletions b/‎detections/cloud/github_enterprise_disable_audit_log_event_stream.yml‎
Lines changed: 65 additions & 0 deletions
diff --git a/‎detections/cloud/github_enterprise_disable_classic_branch_protection_rule.yml‎
Lines changed: 66 additions & 0 deletions b/‎detections/cloud/github_enterprise_disable_classic_branch_protection_rule.yml‎
Lines changed: 66 additions & 0 deletions
@@ -213,7 +213,13 @@ apps:
     version: 4.2.2
     description: PSC for MLTK
     hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/python-for-scientific-computing-for-linux-64-bit_422.tgz
-  - uid: 2882
+  - uid: 6254
+  title: Splunk Add-on for Github
+  appid: Splunk_TA_github
+  version: 3.1.0
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-github_310.tgz
+- uid: 2882
     title: Splunk Add-on for AppDynamics
     appid: Splunk_TA_AppDynamics
     version: 3.0.0
 
@@ -0,0 +1,32 @@
+name: GitHub Enterprise Audit Logs
+id: 8a4d656f-8801-4a2c-ae10-553d2696a59f
+version: 1
+date: '2025-01-15'
+author: Patrick Bareiss, Splunk
+description: Data source object for GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
+source: http:github
+sourcetype: httpevent
+supported_TA: 
+- name: Splunk Add-on for Github
+  url: https://splunkbase.splunk.com/app/6254
+  version: 3.1.0
+fields:
+- _document_id
+- action
+- actor 
+- actor_id
+- actor_is_bot
+- business
+- business_id
+- created_at
+- operation_type
+- org
+- org_id
+- public_repo
+- repo
+- repo_id
+- request_access_security_header
+- user
+- user_agent
+- user_id
+example_log: '{ @timestamp: 1736850926658 _document_id: fHPRFHOMZNXLxTZrk1w2IQ action: repository_vulnerability_alerts.disable actor: P4T12ICK actor_id: 8362376 actor_ip: 84.128.62.13 actor_is_bot: false actor_location: { [+] } business: pb business_id: 273781 created_at: 1736850926658 operation_type: modify org: pbtest2 org_id: 194489467 public_repo: false repo: pbtest2/pbtest5 repo_id: 916529548 request_access_security_header: null user: P4T12ICK user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 user_id: 8362376 }'
@@ -0,0 +1,32 @@
+name: GitHub Organizations Audit Logs
+id: ce520b1c-79fe-48ef-a0f9-71fbbd4837b0
+version: 1
+date: '2025-01-15'
+author: Patrick Bareiss, Splunk
+description: Data source object for GitHub Organizations logs using the Splunk Add-on for Github using a Personal Access Token.
+source: github
+sourcetype: github:cloud:audit
+supported_TA: 
+- name: Splunk Add-on for Github
+  url: https://splunkbase.splunk.com/app/6254
+  version: 3.1.0
+fields:
+- _document_id
+- action
+- actor 
+- actor_id
+- actor_is_bot
+- business
+- business_id
+- created_at
+- operation_type
+- org
+- org_id
+- public_repo
+- repo
+- repo_id
+- request_access_security_header
+- user
+- user_agent
+- user_id
+example_log: '{ @timestamp: 1736850926658 _document_id: fHPRFHOMZNXLxTZrk1w2IQ action: repository_vulnerability_alerts.disable actor: P4T12ICK actor_id: 8362376 actor_ip: 84.128.62.13 actor_is_bot: false actor_location: { [+] } business: pb business_id: 273781 created_at: 1736850926658 operation_type: modify org: pbtest2 org_id: 194489467 public_repo: false repo: pbtest2/pbtest5 repo_id: 916529548 request_access_security_header: null user: P4T12ICK user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 user_id: 8362376 }'
@@ -1,15 +1,12 @@
-name: GitHub
+name: GitHub Webhooks
 id: 88aa4632-3c3e-43f6-a00a-998d71f558e3
 version: 1
 date: '2024-07-18'
 author: Patrick Bareiss, Splunk
-description: Data source object for GitHub
+description: Data source object for GitHub Webooks 
 source: github
 sourcetype: aws:firehose:json
-supported_TA:
-- name: Splunk Add-on for Github
-  url: https://splunkbase.splunk.com/app/6254
-  version: 3.1.0
+supported_TA: []
 fields:
 - _time
 - action
 
@@ -0,0 +1,66 @@
+name: GitHub Enterprise Delete Branch Ruleset
+id: 6169ea23-3719-439f-957a-0ea5174b70e2
+version: 1
+date: '2025-01-17'
+author: Patrick Bareiss, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects when branch rules are deleted in GitHub Enterprise. 
+  The detection monitors GitHub Enterprise audit logs for branch rule deletion events by tracking actor details, repository information, 
+  and associated metadata. For a SOC, identifying deleted branch rules is critical as it could indicate attempts to bypass code review requirements 
+  and security controls. Branch deletion rules are essential security controls that enforce code review, prevent force pushes, and maintain code quality. 
+  Disabling these protections could allow malicious actors to directly push unauthorized code changes or backdoors to protected branches. The impact of 
+  disabled branch protection includes potential code tampering, bypass of security reviews, introduction of vulnerabilities or malicious code, and compromise 
+  of software supply chain integrity. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting 
+  to inject malicious code.
+data_source:
+- GitHub Enterprise Audit Logs
+search: '`github_enterprise` action=repository_ruleset.destroy
+  | fillnull
+  | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user_agent, action, ruleset_name
+  | eval user=actor
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `github_enterprise_delete_branch_ruleset_filter`'
+how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
+known_false_positives: unknown
+references:
+- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: $user$ deleted a branch ruleset in repo $repo$
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects:
+  - field: user_agent
+    type: http_user_agent
+tags:
+  analytic_story:
+  - GitHub Malicious Activity
+  asset_type: GitHub
+  mitre_attack_id:
+  - T1562.001
+  - T1195
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_delete_branch_ruleset/github.json
+    source: http:github
+    sourcetype: httpevent
+
+
@@ -0,0 +1,64 @@
+name: GitHub Enterprise Disable 2FA Requirement
+id: 5a773226-ebd7-480c-a819-fccacfeddcd9
+version: 1
+date: '2025-01-17'
+author: Patrick Bareiss, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects when two-factor authentication (2FA) requirements are disabled in GitHub Enterprise. 
+  The detection monitors GitHub Enterprise audit logs for 2FA requirement changes by tracking actor details, organization information, 
+  and associated metadata. For a SOC, identifying disabled 2FA requirements is critical as it could indicate attempts to weaken 
+  account security controls. Two-factor authentication is a fundamental security control that helps prevent unauthorized access even if 
+  passwords are compromised. Disabling 2FA requirements could allow attackers to more easily compromise accounts through password-based attacks. 
+  The impact of disabled 2FA includes increased risk of account takeover, potential access to sensitive code and intellectual property, and 
+  compromise of the software supply chain. This activity could be part of a larger attack chain where an adversary first disables 
+  security controls before attempting broader account compromises.
+data_source:
+- GitHub Enterprise Audit Logs
+search: '`github_enterprise` action=org.disable_two_factor_requirement OR action=business.disable_two_factor_requirement
+  | fillnull
+  | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_is_bot, actor_location.country_code, business, business_id, user_agent, action
+  | eval user=actor
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `github_enterprise_disable_2fa_requirement_filter`'
+how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
+known_false_positives: unknown
+references:
+- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: $user$ disabled 2FA requirement 
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects:
+  - field: user_agent
+    type: http_user_agent
+tags:
+  analytic_story:
+  - GitHub Malicious Activity
+  asset_type: GitHub
+  mitre_attack_id:
+  - T1562.001
+  - T1195
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_disable_two_factor_requirement/github.json
+    source: http:github
+    sourcetype: httpevent
@@ -0,0 +1,65 @@
+name: GitHub Enterprise Disable Audit Log Event Stream
+id: 7bc111cc-7f1b-4be7-99fa-50cf8d2e7564
+version: 1
+date: '2025-01-16'
+author: Patrick Bareiss, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects when a user disables audit log event streaming in GitHub Enterprise. 
+  The detection monitors GitHub Enterprise audit logs for configuration changes that disable the audit log streaming functionality, 
+  which is used to send audit events to security monitoring platforms. This behavior could indicate an attacker attempting to prevent 
+  their malicious activities from being logged and detected by disabling the audit trail. For a SOC, identifying the disabling of 
+  audit logging is critical as it may be a precursor to other attacks where adversaries want to operate undetected. The impact could 
+  be severe as organizations lose visibility into user actions, configuration changes, and security events within their 
+  GitHub Enterprise environment, potentially allowing attackers to perform malicious activities without detection. 
+  This creates a significant blind spot in security monitoring and incident response capabilities.
+data_source:
+- GitHub Enterprise Audit Logs
+search: '`github_enterprise` action=audit_log_streaming.destroy
+  | fillnull
+  | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, user_agent, action
+  | eval user=actor
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `github_enterprise_disable_audit_log_event_stream_filter`'
+how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
+known_false_positives: unknown
+references:
+- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Audit log event streaming is disabled by $user$
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects:
+  - field: user_agent
+    type: http_user_agent
+tags:
+  analytic_story:
+  - GitHub Malicious Activity
+  asset_type: GitHub
+  mitre_attack_id:
+  - T1562.008
+  - T1195
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/github_audit_log_stream_disabled/github.json
+    source: http:github
+    sourcetype: httpevent
+
@@ -0,0 +1,66 @@
+name: GitHub Enterprise Disable Classic Branch Protection Rule
+id: 372176ba-450c-4abd-9b86-419bb44c1b76
+version: 1
+date: '2025-01-17'
+author: Patrick Bareiss, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects when classic branch protection rules are disabled in GitHub Enterprise. 
+  The detection monitors GitHub Enterprise audit logs for branch protection removal events by tracking actor details, repository information, 
+  and associated metadata. For a SOC, identifying disabled branch protection is critical as it could indicate attempts to bypass code review requirements 
+  and security controls. Branch protection rules are essential security controls that enforce code review, prevent force pushes, and maintain code quality. 
+  Disabling these protections could allow malicious actors to directly push unauthorized code changes or backdoors to protected branches. The impact of 
+  disabled branch protection includes potential code tampering, bypass of security reviews, introduction of vulnerabilities or malicious code, and compromise 
+  of software supply chain integrity. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting 
+  to inject malicious code.
+data_source:
+- GitHub Enterprise Audit Logs
+search: '`github_enterprise` action=protected_branch.destroy 
+  | fillnull
+  | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user_agent, action, name
+  | eval user=actor
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `github_enterprise_disable_classic_branch_protection_rule_filter`'
+how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
+known_false_positives: unknown
+references:
+- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: $user$ disabled a classic branch protection rule in repo $repo$
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects:
+  - field: user_agent
+    type: http_user_agent
+tags:
+  analytic_story:
+  - GitHub Malicious Activity
+  asset_type: GitHub
+  mitre_attack_id:
+  - T1562.001
+  - T1195
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_disable_classic_branch_protection/github.json
+    source: http:github
+    sourcetype: httpevent
+
+