splunk · P4T12ICK · Jan 9, 2025 · Jan 15, 2025 · Jan 15, 2025 · Jan 15, 2025
@@ -206,4 +206,10 @@ apps:
   version: 4.2.2
   description: PSC for MLTK
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/python-for-scientific-computing-for-linux-64-bit_422.tgz
+- uid: 6254
+  title: Splunk Add-on for Github
+  appid: Splunk_TA_github
+  version: 3.1.0
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-github_310.tgz
 githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd
@@ -0,0 +1,32 @@
+name: GitHub Enterprise Audit Logs
+id: 8a4d656f-8801-4a2c-ae10-553d2696a59f
+version: 1
+date: '2025-01-15'
+author: Patrick Bareiss, Splunk
+description: Data source object for GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
+source: http:github
+sourcetype: httpevent
+supported_TA: 
+- name: Splunk Add-on for Github
+  url: https://splunkbase.splunk.com/app/6254
+  version: 3.1.0
+fields:
+- _document_id
+- action
+- actor 
+- actor_id
+- actor_is_bot
+- business
+- business_id
+- created_at
+- operation_type
+- org
+- org_id
+- public_repo
+- repo
+- repo_id
+- request_access_security_header
+- user
+- user_agent
+- user_id
+example_log: '{ @timestamp: 1736850926658 _document_id: fHPRFHOMZNXLxTZrk1w2IQ action: repository_vulnerability_alerts.disable actor: P4T12ICK actor_id: 8362376 actor_ip: 84.128.62.13 actor_is_bot: false actor_location: { [+] } business: pb business_id: 273781 created_at: 1736850926658 operation_type: modify org: pbtest2 org_id: 194489467 public_repo: false repo: pbtest2/pbtest5 repo_id: 916529548 request_access_security_header: null user: P4T12ICK user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 user_id: 8362376 }'
@@ -0,0 +1,32 @@
+name: GitHub Organizations Audit Logs
+id: ce520b1c-79fe-48ef-a0f9-71fbbd4837b0
+version: 1
+date: '2025-01-15'
+author: Patrick Bareiss, Splunk
+description: Data source object for GitHub Organizations logs using the Splunk Add-on for Github using a Personal Access Token.
+source: github
+sourcetype: github:cloud:audit
+supported_TA: 
+- name: Splunk Add-on for Github
+  url: https://splunkbase.splunk.com/app/6254
+  version: 3.1.0
+fields:
+- _document_id
+- action
+- actor 
+- actor_id
+- actor_is_bot
+- business
+- business_id
+- created_at
+- operation_type
+- org
+- org_id
+- public_repo
+- repo
+- repo_id
+- request_access_security_header
+- user
+- user_agent
+- user_id
+example_log: '{ @timestamp: 1736850926658 _document_id: fHPRFHOMZNXLxTZrk1w2IQ action: repository_vulnerability_alerts.disable actor: P4T12ICK actor_id: 8362376 actor_ip: 84.128.62.13 actor_is_bot: false actor_location: { [+] } business: pb business_id: 273781 created_at: 1736850926658 operation_type: modify org: pbtest2 org_id: 194489467 public_repo: false repo: pbtest2/pbtest5 repo_id: 916529548 request_access_security_header: null user: P4T12ICK user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 user_id: 8362376 }'
@@ -1,15 +1,12 @@
-name: GitHub
+name: GitHub Webhooks
 id: 88aa4632-3c3e-43f6-a00a-998d71f558e3
 version: 1
 date: '2024-07-18'
 author: Patrick Bareiss, Splunk
-description: Data source object for GitHub
+description: Data source object for GitHub Webooks 
 source: github
 sourcetype: aws:firehose:json
-supported_TA:
-- name: Splunk Add-on for Github
-  url: https://splunkbase.splunk.com/app/6254
-  version: 3.1.0
+supported_TA: []
 fields:
 - _time
 - action

@@ -0,0 +1,62 @@
+name: GitHub Enterprise Created Self Hosted Runner
+id: b27685a2-8826-4123-ab78-2d9d0d419ed0
+version: 1
+date: '2025-01-20'
+author: Patrick Bareiss, Splunk
+status: production
+type: Anomaly
+description: The following analytic identifies when a self-hosted runner is created in GitHub Enterprise. 
+  The detection monitors GitHub Enterprise audit logs for actions related to creating new self-hosted runners at the organization or enterprise level. 
+  his behavior warrants monitoring because self-hosted runners execute workflow jobs on customer-controlled infrastructure, which could be exploited by attackers to 
+  execute malicious code, access sensitive data, or pivot to other systems. While self-hosted runners are a legitimate feature, their creation should be carefully 
+  controlled as compromised runners pose significant security risks. The impact includes potential remote code execution, data exfiltration, and lateral movement 
+  within the environment if a runner is compromised. SOC teams should investigate unexpected runner creation events to verify they are authorized and properly secured, 
+  especially if created by unfamiliar users or in unusual contexts.
+data_source:
+- GitHub Enterprise Audit Logs
+search: '`github_enterprise` action=enterprise.register_self_hosted_runner
+  | fillnull
+  | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_is_bot, actor_location.country_code, business, business_id, user_agent, action
+  | eval user=actor
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `github_enterprise_created_self_hosted_runner_filter`'
+how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
+known_false_positives: unknown
+references:
+- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: $user$ created a self-hosted runner in GitHub Enterprise
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects: []
+tags:
+  analytic_story:
+  - GitHub Malicious Activity
+  asset_type: GitHub
+  mitre_attack_id:
+  - T1562.001
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_created_self_hosted_runner/github.json
+    source: http:github
+    sourcetype: httpevent
+
+
@@ -0,0 +1,63 @@
+name: GitHub Enterprise Delete Branch Ruleset
+id: 6169ea23-3719-439f-957a-0ea5174b70e2
+version: 1
+date: '2025-01-17'
+author: Patrick Bareiss, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects when branch rules are deleted in GitHub Enterprise. 
+  The detection monitors GitHub Enterprise audit logs for branch rule deletion events by tracking actor details, repository information, 
+  and associated metadata. For a SOC, identifying deleted branch rules is critical as it could indicate attempts to bypass code review requirements 
+  and security controls. Branch deletion rules are essential security controls that enforce code review, prevent force pushes, and maintain code quality. 
+  Disabling these protections could allow malicious actors to directly push unauthorized code changes or backdoors to protected branches. The impact of 
+  disabled branch protection includes potential code tampering, bypass of security reviews, introduction of vulnerabilities or malicious code, and compromise 
+  of software supply chain integrity. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting 
+  to inject malicious code.
+data_source:
+- GitHub Enterprise Audit Logs
+search: '`github_enterprise` action=repository_ruleset.destroy
+  | fillnull
+  | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user_agent, action, ruleset_name
+  | eval user=actor
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `github_enterprise_delete_branch_ruleset_filter`'
+how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
+known_false_positives: unknown
+references:
+- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: $user$ deleted a branch ruleset in repo $repo$
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects: []
+tags:
+  analytic_story:
+  - GitHub Malicious Activity
+  asset_type: GitHub
+  mitre_attack_id:
+  - T1562.001
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_delete_branch_ruleset/github.json
+    source: http:github
+    sourcetype: httpevent
+
+
@@ -0,0 +1,61 @@
+name: GitHub Enterprise Disable 2FA Requirement
+id: 5a773226-ebd7-480c-a819-fccacfeddcd9
+version: 1
+date: '2025-01-17'
+author: Patrick Bareiss, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects when two-factor authentication (2FA) requirements are disabled in GitHub Enterprise. 
+  The detection monitors GitHub Enterprise audit logs for 2FA requirement changes by tracking actor details, organization information, 
+  and associated metadata. For a SOC, identifying disabled 2FA requirements is critical as it could indicate attempts to weaken 
+  account security controls. Two-factor authentication is a fundamental security control that helps prevent unauthorized access even if 
+  passwords are compromised. Disabling 2FA requirements could allow attackers to more easily compromise accounts through password-based attacks. 
+  The impact of disabled 2FA includes increased risk of account takeover, potential access to sensitive code and intellectual property, and 
+  compromise of the software supply chain. This activity could be part of a larger attack chain where an adversary first disables 
+  security controls before attempting broader account compromises.
+data_source:
+- GitHub Enterprise Audit Logs
+search: '`github_enterprise` action=org.disable_two_factor_requirement OR action=business.disable_two_factor_requirement
+  | fillnull
+  | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_is_bot, actor_location.country_code, business, business_id, user_agent, action
+  | eval user=actor
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `github_enterprise_disable_2fa_requirement_filter`'
+how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
+known_false_positives: unknown
+references:
+- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: $user$ disabled 2FA requirement 
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects: []
+tags:
+  analytic_story:
+  - GitHub Malicious Activity
+  asset_type: GitHub
+  mitre_attack_id:
+  - T1562.001
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_disable_two_factor_requirement/github.json
+    source: http:github
+    sourcetype: httpevent
@@ -0,0 +1,62 @@
+name: GitHub Enterprise Disable Audit Log Event Stream
+id: 7bc111cc-7f1b-4be7-99fa-50cf8d2e7564
+version: 1
+date: '2025-01-16'
+author: Patrick Bareiss, Splunk
+status: production
+type: Anomaly
+description: The following analytic detects when a user disables audit log event streaming in GitHub Enterprise. 
+  The detection monitors GitHub Enterprise audit logs for configuration changes that disable the audit log streaming functionality, 
+  which is used to send audit events to security monitoring platforms. This behavior could indicate an attacker attempting to prevent 
+  their malicious activities from being logged and detected by disabling the audit trail. For a SOC, identifying the disabling of 
+  audit logging is critical as it may be a precursor to other attacks where adversaries want to operate undetected. The impact could 
+  be severe as organizations lose visibility into user actions, configuration changes, and security events within their 
+  GitHub Enterprise environment, potentially allowing attackers to perform malicious activities without detection. 
+  This creates a significant blind spot in security monitoring and incident response capabilities.
+data_source:
+- GitHub Enterprise Audit Logs
+search: '`github_enterprise` action=audit_log_streaming.destroy
+  | fillnull
+  | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, user_agent, action
+  | eval user=actor
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `github_enterprise_disable_audit_log_event_stream_filter`'
+how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
+known_false_positives: unknown
+references:
+- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
+- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Audit log event streaming is disabled by $user$
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects: []
+tags:
+  analytic_story:
+  - GitHub Malicious Activity
+  asset_type: GitHub
+  mitre_attack_id:
+  - T1562.008
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/github_audit_log_stream_disabled/github.json
+    source: http:github
+    sourcetype: httpevent
+