This search looks for a disabled (missing) security job in a CircleCI pipeline: a workflow that ran without the job the `mandatory_job_for_workflow` lookup says must run for that workflow.
- Type: Anomaly
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2021-09-02
- Author: Patrick Bareiss, Splunk
- ID: 4a2fdd41-c578-4cd4-9ef7-980e352517f2
Kill Chain Phase
- CIS 13
```spl
`circleci`
| rename vcs.committer_name as user vcs.subject as commit_message vcs.url as url workflows.* as *
| stats min(_time) as firstTime max(_time) as lastTime values(job_name) as job_names by workflow_id workflow_name user commit_message url branch
| lookup mandatory_job_for_workflow workflow_name OUTPUTNEW job_name AS mandatory_job
| search mandatory_job=*
| eval mandatory_job_executed=if(like(job_names, "%".mandatory_job."%"), 1, 0)
| where mandatory_job_executed=0
| eval phase="build"
| rex field=url "(?<repository>[^\/]*\/[^\/]*)$"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `circle_ci_disable_security_job_filter`
```

The `stats` stage carries `min(_time) as firstTime` and `max(_time) as lastTime` so that the two `security_content_ctime` macros later in the pipeline have fields to format; without them the macros operate on fields that do not exist.
The SPL above uses the following Macros:
- circle_ci_disable_security_job_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
The SPL above uses the following Lookups:
- mandatory_job_for_workflow: maps a workflow_name to the job_name that must run in that workflow; it is read with OUTPUTNEW into the mandatory_job field, and workflows with no entry are dropped by `search mandatory_job=*`.
List of fields required to use this analytic (as referenced by the search):
- _time
- vcs.committer_name (renamed to user)
- vcs.subject (renamed to commit_message)
- vcs.url (renamed to url)
- job_name, workflow_id, workflow_name, branch (available after `workflows.*` is renamed to `*`)
How To Implement
You must index CircleCI logs and populate the mandatory_job_for_workflow lookup with the job that must run in each workflow; a workflow whose name is absent from the lookup is never alerted on.
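The following Python script is an added illustration of the detection logic above, not code from the Splunk Security Content project. It replays the SPL over a few constructed CircleCI events: group events by workflow, look up the mandatory job for the workflow name, drop workflows with no lookup entry, and flag those where the mandatory job never ran. The event field names, the lookup contents and the repository URLs are all assumed sample data.

```python
import re
from collections import OrderedDict

# Constructed sample CircleCI events. Field names mirror the SPL after its
# rename step (user, commit_message, url) plus the workflow/job fields it groups by.
SAMPLE_EVENTS = [
    {"_time": 1630540000, "workflow_id": "wf-1", "workflow_name": "build-and-test",
     "job_name": "build", "user": "alice", "commit_message": "add feature",
     "url": "https://github.com/example-org/example-repo", "branch": "main"},
    {"_time": 1630540060, "workflow_id": "wf-1", "workflow_name": "build-and-test",
     "job_name": "security-scan", "user": "alice", "commit_message": "add feature",
     "url": "https://github.com/example-org/example-repo", "branch": "main"},
    # wf-2 runs only "build": the mandatory "security-scan" job never executed.
    {"_time": 1630540120, "workflow_id": "wf-2", "workflow_name": "build-and-test",
     "job_name": "build", "user": "bob", "commit_message": "trim pipeline",
     "url": "https://github.com/example-org/example-repo", "branch": "feature/x"},
    # wf-3 has no lookup entry, so it is dropped like "search mandatory_job=*" does.
    {"_time": 1630540180, "workflow_id": "wf-3", "workflow_name": "docs",
     "job_name": "lint", "user": "carol", "commit_message": "fix typo",
     "url": "https://github.com/example-org/example-docs", "branch": "main"},
]

# Stand-in for the mandatory_job_for_workflow lookup: workflow_name -> job_name.
MANDATORY_JOB_FOR_WORKFLOW = {"build-and-test": "security-scan"}

# Same pattern as the SPL's rex: the last two path segments of the repository URL.
REPOSITORY_RE = re.compile(r"([^/]*/[^/]*)$")

# Impact and Confidence values from the detection's risk table.
IMPACT, CONFIDENCE = 80, 90


def risk_score(impact, confidence):
    """Risk Score = (Impact * Confidence / 100), the formula stated on the page."""
    return impact * confidence / 100


def find_missing_mandatory_jobs(events, lookup):
    """Group events by workflow and flag workflows whose mandatory job never ran.

    Mirrors the SPL: stats values(job_name) by workflow -> lookup -> filter.
    Unlike the SPL's like("%job%") substring test, this uses an exact job-name
    match, so a job named e.g. "security-scan-disabled" does not satisfy the check.
    """
    workflows = OrderedDict()
    for ev in events:
        wf = workflows.setdefault(ev["workflow_id"], {
            "workflow_name": ev["workflow_name"], "user": ev["user"],
            "commit_message": ev["commit_message"], "url": ev["url"],
            "branch": ev["branch"], "job_names": set(),
            "firstTime": ev["_time"], "lastTime": ev["_time"],
        })
        wf["job_names"].add(ev["job_name"])
        wf["firstTime"] = min(wf["firstTime"], ev["_time"])
        wf["lastTime"] = max(wf["lastTime"], ev["_time"])

    findings = []
    for workflow_id, wf in workflows.items():
        mandatory_job = lookup.get(wf["workflow_name"])
        if mandatory_job is None:             # search mandatory_job=*
            continue
        if mandatory_job in wf["job_names"]:  # mandatory_job_executed=1
            continue
        match = REPOSITORY_RE.search(wf["url"])
        findings.append({
            "workflow_id": workflow_id,
            "workflow_name": wf["workflow_name"],
            "user": wf["user"],
            "branch": wf["branch"],
            "repository": match.group(1) if match else None,
            "mandatory_job": mandatory_job,
            "phase": "build",
            "firstTime": wf["firstTime"],
            "lastTime": wf["lastTime"],
            "risk_score": risk_score(IMPACT, CONFIDENCE),
            "message": "disable security job %s in workflow %s from user %s"
                       % (mandatory_job, wf["workflow_name"], wf["user"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_missing_mandatory_jobs(SAMPLE_EVENTS, MANDATORY_JOB_FOR_WORKFLOW):
        print(f["risk_score"], f["repository"], f["message"])
```

Only wf-2 is reported: wf-1 ran the mandatory job and wf-3's workflow name has no lookup entry. One caveat for tuning the real search: `like(job_names, "%security-scan%")` is a substring test, so any job whose name merely contains the mandatory job name will count as executed; if your pipelines use such names, an exact match (as in the script) is the stricter check.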
Known False Positives
Associated Analytic Story
| Risk Score | Impact | Confidence | Message |
| --- | --- | --- | --- |
| 72.0 | 80 | 90 | disable security job $mandatory_job$ in workflow $workflow_name$ from user $user$ |

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence / 100). Initial Confidence and Impact are set by the analytic author.
source | version: 1