
Description

This search looks for CircleCI pipeline jobs in which a mandatory security step was not executed, i.e. the security step was disabled.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Last Updated: 2021-09-01
  • Author: Patrick Bareiss, Splunk
  • ID: 72cb9de9-e98b-4ac9-80b2-5331bba6ea97

Annotations

ATT&CK
ID     Technique                           Tactic
T1554  Compromise Client Software Binary   Persistence
Kill Chain Phase
  • Actions on Objectives
NIST
  • PR.DS
  • PR.AC
  • DE.CM
CIS20
  • CIS 13
CVE
`circleci`
| rename workflows.job_id AS job_id
| join job_id [
| search `circleci`
| stats values(name) as step_names count by job_id job_name ]
| stats count min(_time) as firstTime max(_time) as lastTime by step_names job_id job_name vcs.committer_name vcs.subject vcs.url owners{}
| rename vcs.* as * , owners{} as user
| lookup mandatory_step_for_job job_name OUTPUTNEW step_name AS mandatory_step
| search mandatory_step=*
| eval mandatory_step_executed=if(like(step_names, "%".mandatory_step."%"), 1, 0)
| where mandatory_step_executed=0
| rex field=url "(?<repository>[^\/]*\/[^\/]*)$"
| eval phase="build"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `circle_ci_disable_security_step_filter`
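The following Python re-implementation of the search's logic is an added example; it is not part of the Splunk detection or of this page. It runs the same stages (collect step names per job, look up the mandatory step for the job name, substring-match it against the executed steps, extract the repository from the VCS URL, render the RBA message) over a handful of constructed CircleCI-style events and a constructed mandatory_step_for_job mapping. The field names (workflows.job_id, name, job_name, vcs.committer_name, vcs.subject, vcs.url, owners) mirror the SPL; every value is invented.

```python
"""Added example: the detection's logic in Python over constructed events."""
import re
from collections import defaultdict

# Constructed CircleCI-style step events. Field names mirror those used in the
# SPL above (workflows.job_id, name, job_name, vcs.*, owners{}); values are invented.
EVENTS = [
    {"workflows": {"job_id": "job-1"}, "job_name": "build", "name": "checkout",
     "vcs": {"committer_name": "alice", "subject": "add login page",
             "url": "https://github.com/example-org/example-repo"},
     "owners": ["alice"]},
    {"workflows": {"job_id": "job-1"}, "job_name": "build", "name": "security-scan",
     "vcs": {"committer_name": "alice", "subject": "add login page",
             "url": "https://github.com/example-org/example-repo"},
     "owners": ["alice"]},
    {"workflows": {"job_id": "job-2"}, "job_name": "build", "name": "checkout",
     "vcs": {"committer_name": "bob", "subject": "speed up CI",
             "url": "https://github.com/example-org/example-repo"},
     "owners": ["bob"]},
    {"workflows": {"job_id": "job-2"}, "job_name": "build", "name": "compile",
     "vcs": {"committer_name": "bob", "subject": "speed up CI",
             "url": "https://github.com/example-org/example-repo"},
     "owners": ["bob"]},
    # A job with no entry in the lookup: the SPL's "search mandatory_step=*" drops it.
    {"workflows": {"job_id": "job-3"}, "job_name": "docs", "name": "checkout",
     "vcs": {"committer_name": "carol", "subject": "fix typo",
             "url": "https://github.com/example-org/example-repo"},
     "owners": ["carol"]},
]

# Constructed contents of the mandatory_step_for_job lookup: job_name -> step_name.
MANDATORY_STEP_FOR_JOB = {"build": "security-scan"}

# The SPL rex pattern in Python syntax: the last two path components of the VCS URL.
REPOSITORY_RE = re.compile(r"(?P<repository>[^/]*/[^/]*)$")


def step_names_by_job(events):
    """Mirror of the join subsearch: stats values(name) as step_names by job_id."""
    steps = defaultdict(list)
    for ev in events:
        job_id = ev["workflows"]["job_id"]
        if ev["name"] not in steps[job_id]:
            steps[job_id].append(ev["name"])
    return dict(steps)


def find_jobs_missing_mandatory_step(events, lookup=MANDATORY_STEP_FOR_JOB):
    """Mirror of the lookup / eval / where stages; one finding per offending job."""
    steps = step_names_by_job(events)
    seen, findings = set(), []
    for ev in events:
        job_id = ev["workflows"]["job_id"]
        if job_id in seen:
            continue
        seen.add(job_id)
        mandatory = lookup.get(ev["job_name"])
        if mandatory is None:  # search mandatory_step=*
            continue
        # like(step_names, "%".mandatory_step."%") is a substring match; do the same.
        if any(mandatory in s for s in steps[job_id]):  # mandatory_step_executed=1
            continue
        m = REPOSITORY_RE.search(ev["vcs"]["url"])
        findings.append({
            "job_id": job_id,
            "job_name": ev["job_name"],
            "step_names": steps[job_id],
            "mandatory_step": mandatory,
            "committer_name": ev["vcs"]["committer_name"],
            "subject": ev["vcs"]["subject"],
            "user": ev["owners"],
            "repository": m.group("repository") if m else None,
            "phase": "build",
        })
    return findings


def rba_message(finding):
    """Render the page's RBA message template for one finding."""
    return (f"disable security step {finding['mandatory_step']} in job "
            f"{finding['job_name']} from user {','.join(finding['user'])}")


if __name__ == "__main__":
    for f in find_jobs_missing_mandatory_step(EVENTS):
        print(rba_message(f), "|", f["repository"], f["step_names"])
```

Only job-2 is reported: job-1 ran security-scan, and job-3's job name has no entry in the lookup, so it is dropped just as the `search mandatory_step=*` stage drops it in SPL.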

Macros

The SPL above uses the following Macros:

  • circleci
  • security_content_ctime
  • circle_ci_disable_security_step_filter

Note that circle_ci_disable_security_step_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Lookups

The SPL above uses the following Lookups:

  • mandatory_step_for_job

Required field

  • _time

How To Implement

You must index CircleCI logs.

Known False Positives

unknown

Associated Analytic story

RBA

  • Risk Score: 72.0
  • Impact: 80
  • Confidence: 90
  • Message: disable security step $mandatory_step$ in job $job_name$ from user $user$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1