GitHub detections improvement #3278
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| name: GitHub Enterprise Audit Logs | ||
| id: 8a4d656f-8801-4a2c-ae10-553d2696a59f | ||
| version: 1 | ||
| date: '2025-01-15' | ||
| author: Patrick Bareiss, Splunk | ||
| description: Data source object for GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector. | ||
| source: http:github | ||
| sourcetype: httpevent | ||
| supported_TA: | ||
| - name: Splunk Add-on for Github | ||
| url: https://splunkbase.splunk.com/app/6254 | ||
| version: 3.1.0 | ||
| fields: | ||
| - _document_id | ||
| - action | ||
| - actor | ||
| - actor_id | ||
| - actor_is_bot | ||
| - business | ||
| - business_id | ||
| - created_at | ||
| - operation_type | ||
| - org | ||
| - org_id | ||
| - public_repo | ||
| - repo | ||
| - repo_id | ||
| - request_access_security_header | ||
| - user | ||
| - user_agent | ||
| - user_id | ||
| example_log: '{ @timestamp: 1736850926658 _document_id: fHPRFHOMZNXLxTZrk1w2IQ action: repository_vulnerability_alerts.disable actor: P4T12ICK actor_id: 8362376 actor_ip: 84.128.62.13 actor_is_bot: false actor_location: { [+] } business: pb business_id: 273781 created_at: 1736850926658 operation_type: modify org: pbtest2 org_id: 194489467 public_repo: false repo: pbtest2/pbtest5 repo_id: 916529548 request_access_security_header: null user: P4T12ICK user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 user_id: 8362376 }' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| name: GitHub Organizations Audit Logs | ||
| id: ce520b1c-79fe-48ef-a0f9-71fbbd4837b0 | ||
| version: 1 | ||
| date: '2025-01-15' | ||
| author: Patrick Bareiss, Splunk | ||
| description: Data source object for GitHub Organizations logs using the Splunk Add-on for Github using a Personal Access Token. | ||
| source: github | ||
| sourcetype: github:cloud:audit | ||
| supported_TA: | ||
| - name: Splunk Add-on for Github | ||
| url: https://splunkbase.splunk.com/app/6254 | ||
| version: 3.1.0 | ||
| fields: | ||
| - _document_id | ||
| - action | ||
| - actor | ||
| - actor_id | ||
| - actor_is_bot | ||
| - business | ||
| - business_id | ||
| - created_at | ||
| - operation_type | ||
| - org | ||
| - org_id | ||
| - public_repo | ||
| - repo | ||
| - repo_id | ||
| - request_access_security_header | ||
| - user | ||
| - user_agent | ||
| - user_id | ||
| example_log: '{ @timestamp: 1736850926658 _document_id: fHPRFHOMZNXLxTZrk1w2IQ action: repository_vulnerability_alerts.disable actor: P4T12ICK actor_id: 8362376 actor_ip: 84.128.62.13 actor_is_bot: false actor_location: { [+] } business: pb business_id: 273781 created_at: 1736850926658 operation_type: modify org: pbtest2 org_id: 194489467 public_repo: false repo: pbtest2/pbtest5 repo_id: 916529548 request_access_security_header: null user: P4T12ICK user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 user_id: 8362376 }' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| name: GitHub Enterprise Created Self Hosted Runner | ||
| id: b27685a2-8826-4123-ab78-2d9d0d419ed0 | ||
| version: 1 | ||
| date: '2025-01-20' | ||
| author: Patrick Bareiss, Splunk | ||
| status: production | ||
| type: Anomaly | ||
| description: The following analytic identifies when a self-hosted runner is created in GitHub Enterprise. | ||
| The detection monitors GitHub Enterprise audit logs for actions related to creating new self-hosted runners at the organization or enterprise level. | ||
| his behavior warrants monitoring because self-hosted runners execute workflow jobs on customer-controlled infrastructure, which could be exploited by attackers to | ||
| execute malicious code, access sensitive data, or pivot to other systems. While self-hosted runners are a legitimate feature, their creation should be carefully | ||
| controlled as compromised runners pose significant security risks. The impact includes potential remote code execution, data exfiltration, and lateral movement | ||
| within the environment if a runner is compromised. SOC teams should investigate unexpected runner creation events to verify they are authorized and properly secured, | ||
| especially if created by unfamiliar users or in unusual contexts. | ||
| data_source: | ||
| - GitHub Enterprise Audit Logs | ||
| search: '`github_enterprise` action=enterprise.register_self_hosted_runner | ||
|
There was a problem hiding this comment. based on this action, should we update the name of the detection to GitHub Enterprise Register Self Hosted Runner |
||
| | fillnull | ||
| | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_is_bot, actor_location.country_code, business, business_id, user_agent, action | ||
| | eval user=actor | ||
| | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | ||
| | `github_enterprise_created_self_hosted_runner_filter`' | ||
| how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector. | ||
| known_false_positives: unknown | ||
| references: | ||
| - https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610 | ||
| - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk | ||
| drilldown_searches: | ||
| - name: View the detection results for - "$user$" | ||
| search: '%original_detection_search% | search user = "$user$"' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| - name: View risk events for the last 7 days for - "$user$" | ||
| search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| rba: | ||
| message: $user$ created a self-hosted runner in GitHub Enterprise | ||
| risk_objects: | ||
| - field: user | ||
| type: user | ||
| score: 25 | ||
| threat_objects: [] | ||
|
There was a problem hiding this comment. @P4T12ICK : Can we attribute something from the SPL to a threat object? maybe user_agent ? This could be applicable for all detections |
||
| tags: | ||
| analytic_story: | ||
| - GitHub Malicious Activity | ||
| asset_type: GitHub | ||
| mitre_attack_id: | ||
| - T1562.001 | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| security_domain: network | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_created_self_hosted_runner/github.json | ||
| source: http:github | ||
| sourcetype: httpevent | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| name: GitHub Enterprise Delete Branch Ruleset | ||
| id: 6169ea23-3719-439f-957a-0ea5174b70e2 | ||
| version: 1 | ||
| date: '2025-01-17' | ||
| author: Patrick Bareiss, Splunk | ||
| status: production | ||
| type: Anomaly | ||
| description: The following analytic detects when branch rules are deleted in GitHub Enterprise. | ||
| The detection monitors GitHub Enterprise audit logs for branch rule deletion events by tracking actor details, repository information, | ||
| and associated metadata. For a SOC, identifying deleted branch rules is critical as it could indicate attempts to bypass code review requirements | ||
| and security controls. Branch deletion rules are essential security controls that enforce code review, prevent force pushes, and maintain code quality. | ||
| Disabling these protections could allow malicious actors to directly push unauthorized code changes or backdoors to protected branches. The impact of | ||
| disabled branch protection includes potential code tampering, bypass of security reviews, introduction of vulnerabilities or malicious code, and compromise | ||
| of software supply chain integrity. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting | ||
| to inject malicious code. | ||
| data_source: | ||
| - GitHub Enterprise Audit Logs | ||
| search: '`github_enterprise` action=repository_ruleset.destroy | ||
| | fillnull | ||
| | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user_agent, action, ruleset_name | ||
| | eval user=actor | ||
| | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | ||
| | `github_enterprise_delete_branch_ruleset_filter`' | ||
| how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector. | ||
| known_false_positives: unknown | ||
| references: | ||
| - https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610 | ||
| - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk | ||
| drilldown_searches: | ||
| - name: View the detection results for - "$user$" | ||
| search: '%original_detection_search% | search user = "$user$"' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| - name: View risk events for the last 7 days for - "$user$" | ||
| search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| rba: | ||
| message: $user$ deleted a branch ruleset in repo $repo$ | ||
| risk_objects: | ||
| - field: user | ||
| type: user | ||
| score: 25 | ||
| threat_objects: [] | ||
| tags: | ||
| analytic_story: | ||
| - GitHub Malicious Activity | ||
| asset_type: GitHub | ||
| mitre_attack_id: | ||
| - T1562.001 | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| security_domain: network | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_delete_branch_ruleset/github.json | ||
| source: http:github | ||
| sourcetype: httpevent | ||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| name: GitHub Enterprise Disable 2FA Requirement | ||
| id: 5a773226-ebd7-480c-a819-fccacfeddcd9 | ||
| version: 1 | ||
| date: '2025-01-17' | ||
| author: Patrick Bareiss, Splunk | ||
| status: production | ||
| type: Anomaly | ||
| description: The following analytic detects when two-factor authentication (2FA) requirements are disabled in GitHub Enterprise. | ||
| The detection monitors GitHub Enterprise audit logs for 2FA requirement changes by tracking actor details, organization information, | ||
| and associated metadata. For a SOC, identifying disabled 2FA requirements is critical as it could indicate attempts to weaken | ||
| account security controls. Two-factor authentication is a fundamental security control that helps prevent unauthorized access even if | ||
| passwords are compromised. Disabling 2FA requirements could allow attackers to more easily compromise accounts through password-based attacks. | ||
| The impact of disabled 2FA includes increased risk of account takeover, potential access to sensitive code and intellectual property, and | ||
| compromise of the software supply chain. This activity could be part of a larger attack chain where an adversary first disables | ||
| security controls before attempting broader account compromises. | ||
| data_source: | ||
| - GitHub Enterprise Audit Logs | ||
| search: '`github_enterprise` action=org.disable_two_factor_requirement OR action=business.disable_two_factor_requirement | ||
| | fillnull | ||
| | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_is_bot, actor_location.country_code, business, business_id, user_agent, action | ||
| | eval user=actor | ||
| | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | ||
| | `github_enterprise_disable_2fa_requirement_filter`' | ||
| how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector. | ||
| known_false_positives: unknown | ||
| references: | ||
| - https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610 | ||
| - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk | ||
| drilldown_searches: | ||
| - name: View the detection results for - "$user$" | ||
| search: '%original_detection_search% | search user = "$user$"' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| - name: View risk events for the last 7 days for - "$user$" | ||
| search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| rba: | ||
| message: $user$ disabled 2FA requirement | ||
| risk_objects: | ||
| - field: user | ||
| type: user | ||
| score: 25 | ||
| threat_objects: [] | ||
| tags: | ||
| analytic_story: | ||
| - GitHub Malicious Activity | ||
| asset_type: GitHub | ||
| mitre_attack_id: | ||
| - T1562.001 | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| security_domain: network | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_disable_two_factor_requirement/github.json | ||
| source: http:github | ||
| sourcetype: httpevent |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| name: GitHub Enterprise Disable Audit Log Event Stream | ||
| id: 7bc111cc-7f1b-4be7-99fa-50cf8d2e7564 | ||
| version: 1 | ||
| date: '2025-01-16' | ||
| author: Patrick Bareiss, Splunk | ||
| status: production | ||
| type: Anomaly | ||
| description: The following analytic detects when a user disables audit log event streaming in GitHub Enterprise. | ||
| The detection monitors GitHub Enterprise audit logs for configuration changes that disable the audit log streaming functionality, | ||
| which is used to send audit events to security monitoring platforms. This behavior could indicate an attacker attempting to prevent | ||
| their malicious activities from being logged and detected by disabling the audit trail. For a SOC, identifying the disabling of | ||
| audit logging is critical as it may be a precursor to other attacks where adversaries want to operate undetected. The impact could | ||
| be severe as organizations lose visibility into user actions, configuration changes, and security events within their | ||
| GitHub Enterprise environment, potentially allowing attackers to perform malicious activities without detection. | ||
| This creates a significant blind spot in security monitoring and incident response capabilities. | ||
| data_source: | ||
| - GitHub Enterprise Audit Logs | ||
| search: '`github_enterprise` action=audit_log_streaming.destroy | ||
| | fillnull | ||
| | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, user_agent, action | ||
| | eval user=actor | ||
| | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | ||
| | `github_enterprise_disable_audit_log_event_stream_filter`' | ||
| how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector. | ||
| known_false_positives: unknown | ||
| references: | ||
| - https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610 | ||
| - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk | ||
| drilldown_searches: | ||
| - name: View the detection results for - "$user$" | ||
| search: '%original_detection_search% | search user = "$user$"' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| - name: View risk events for the last 7 days for - "$user$" | ||
| search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| rba: | ||
| message: Audit log event streaming is disabled by $user$ | ||
| risk_objects: | ||
| - field: user | ||
| type: user | ||
| score: 25 | ||
| threat_objects: [] | ||
| tags: | ||
| analytic_story: | ||
| - GitHub Malicious Activity | ||
| asset_type: GitHub | ||
| mitre_attack_id: | ||
| - T1562.008 | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| security_domain: network | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.008/github_audit_log_stream_disabled/github.json | ||
| source: http:github | ||
| sourcetype: httpevent | ||
|
|
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@P4T12ICK : This data source
GitHub Webhooksis not used by any detection, is there a reason to add this? I think better to delete it or update this for the deprecate content since the whole data source and ingesting is clearer that way