GitHub Pull Request from Unknown User
Description
The following analytic detects pull requests from unknown users on GitHub. The detection is made by using a Splunk query to search for pull requests in the check_suite.pull_requests
field where the id
is not specified. Next, the analytic retrieves information such as the author's name, the repository's full name, the head reference of the pull request, and the commit message from the check_suite.head_commit
field. The analytic also includes a step to exclude known users by using the github_known_users
lookup table, which helps to filter out pull requests from known users and focus on the pull requests from unknown users. The detection is important because it locates potential malicious activity or unauthorized access since unknown users can introduce malicious code or gain unauthorized access to repositories leading to unauthorized code changes, data breaches, or other security incidents. Next steps include reviewing the author's name, the repository involved, the head reference of the pull request, and the commit message upon triage of a potential pull request from an unknown user. You must also analyze any relevant on-disk artifacts and investigate any concurrent processes to determine the source and intent of the pull request."
- Type: Anomaly
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2021-09-01
- Author: Patrick Bareiss, Splunk
- ID: 9d7b9100-8878-4404-914e-ca5e551a641e
Annotations
ATT&CK
Kill Chain Phase
- Delivery
NIST
- DE.AE
CIS20
- CIS 13
CVE
Search
1
2
3
4
5
6
7
8
`github` check_suite.pull_requests{}.id=*
| stats count by check_suite.head_commit.author.name repository.full_name check_suite.pull_requests{}.head.ref check_suite.head_commit.message
| rename check_suite.head_commit.author.name as user repository.full_name as repository check_suite.pull_requests{}.head.ref as ref_head check_suite.head_commit.message as commit_message
| search NOT `github_known_users`
| eval phase="code"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_pull_request_from_unknown_user_filter`
Macros
The SPL above uses the following Macros:
github_pull_request_from_unknown_user_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- alert.id
- repository.full_name
- repository.html_url
- action
- alert.affected_package_name
- alert.affected_range
- alert.created_at
- alert.external_identifier
- alert.external_reference
- alert.fixed_in
- alert.severity
How To Implement
You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.
Known False Positives
unknown
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
27.0 | 30 | 90 | Vulnerabilities found in packages used by GitHub repository $repository$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1