Circle CI Disable Security Job
Description
This search looks for disable security job in CircleCI pipeline.
- Type: Anomaly
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2021-09-02
- Author: Patrick Bareiss, Splunk
- ID: 4a2fdd41-c578-4cd4-9ef7-980e352517f2
Annotations
Kill Chain Phase
- Installation
NIST
- DE.AE
CIS20
- CIS 13
CVE
Search
1
2
3
4
5
6
7
8
9
10
11
12
`circleci`
| rename vcs.committer_name as user vcs.subject as commit_message vcs.url as url workflows.* as *
| stats values(job_name) as job_names by workflow_id workflow_name user commit_message url branch
| lookup mandatory_job_for_workflow workflow_name OUTPUTNEW job_name AS mandatory_job
| search mandatory_job=*
| eval mandatory_job_executed=if(like(job_names, "%".mandatory_job."%"), 1, 0)
| where mandatory_job_executed=0
| eval phase="build"
| rex field=url "(?<repository>[^\/]*\/[^\/]*)$"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `circle_ci_disable_security_job_filter`
Macros
The SPL above uses the following Macros:
circle_ci_disable_security_job_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Lookups
The SPL above uses the following Lookups:
Required fields
List of fields required to use this analytic.
- _times
How To Implement
You must index CircleCI logs.
Known False Positives
unknown
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 72.0 | 80 | 90 | disable security job $mandatory_job$ in workflow $workflow_name$ from user $user$ |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1