
Description

This search looks for Dependabot alerts in GitHub logs.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Dev Sec Ops Analytics
  • Datamodel:
  • Last Updated: 2021-09-01
  • Author: Patrick Bareiss, Splunk
  • ID: 05032b04-4469-4034-9df7-05f607d75cba

ATT&CK

ID         Technique                                                Tactic
T1195.001  Compromise Software Dependencies and Development Tools   Initial Access
T1195      Supply Chain Compromise                                  Initial Access

Search

`github` alert.id=* action=create
| rename repository.full_name as repository, repository.html_url as repository_url, sender.login as user
| stats min(_time) as firstTime max(_time) as lastTime by action alert.affected_package_name alert.affected_range alert.created_at alert.external_identifier alert.external_reference alert.fixed_in alert.severity repository repository_url user
| eval phase="code"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_dependabot_alert_filter`
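
As an added example (not the page's or Splunk's own code), the search above re-implemented in Python over constructed Dependabot alert events, so the alert.id=* / action=create filter, the three renames and the stats grouping can be checked offline; the repository, user and advisory values are assumptions.

```python
# Added example, not Splunk content. Field names follow the page's "Required
# field" list; every value below is constructed sample data, not a real log.
def event(t, action, user, alert):
    """Build one constructed event in the nested JSON shape GitHub emits."""
    return {"_time": t, "action": action, "sender": {"login": user},
            "repository": {"full_name": "example-org/app",
                           "html_url": "https://github.com/example-org/app"},
            **({"alert": alert} if alert else {})}

LODASH = {"id": 101, "affected_package_name": "lodash", "affected_range": "< 4.17.21",
          "created_at": "2021-09-01T00:00:00Z", "external_identifier": "GHSA-PLACEHOLDER-1",
          "external_reference": "https://github.com/advisories/GHSA-PLACEHOLDER-1",
          "fixed_in": "4.17.21", "severity": "high"}  # placeholder advisory id

SAMPLE_EVENTS = [  # constructed sample data
    event(1630454400, "create", "dependabot[bot]", LODASH),
    event(1630458000, "create", "dependabot[bot]", LODASH),  # same alert again: one row, later lastTime
    event(1630461600, "dismiss", "alice", LODASH),           # action != create: dropped
    event(1630465200, "create", "bob", None),                # no alert.id: dropped
]

GROUP_FIELDS = ["action", "alert.affected_package_name", "alert.affected_range",
                "alert.created_at", "alert.external_identifier", "alert.external_reference",
                "alert.fixed_in", "alert.severity", "repository", "repository_url", "user"]
def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted keys, mirroring Splunk's JSON field extraction."""
    out = {}
    for k, v in obj.items():
        if isinstance(v, dict):
            out.update(flatten(v, f"{prefix}{k}."))
        else:
            out[f"{prefix}{k}"] = v
    return out

def dependabot_alerts(events):
    """Mirror of the SPL: filter, rename, stats min/max _time by GROUP_FIELDS, phase=code."""
    buckets = {}
    for ev in events:
        f = flatten(ev)
        if "alert.id" not in f or f.get("action") != "create":
            continue
        f["repository"] = f.pop("repository.full_name", None)
        f["repository_url"] = f.pop("repository.html_url", None)
        f["user"] = f.pop("sender.login", None)
        key = tuple(f.get(g) for g in GROUP_FIELDS)
        lo, hi = buckets.get(key, (f["_time"], f["_time"]))
        buckets[key] = (min(lo, f["_time"]), max(hi, f["_time"]))
    return [dict(zip(GROUP_FIELDS, key), firstTime=lo, lastTime=hi, phase="code")
            for key, (lo, hi) in buckets.items()]
```

Running `dependabot_alerts(SAMPLE_EVENTS)` yields a single row for the lodash alert with firstTime 1630454400 and lastTime 1630458000; the dismissed and alert-less events never reach the stats step, just as they would not match the search.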

Associated Analytic Story

How To Implement

You must index GitHub logs. Follow the URL in the Reference section to onboard GitHub logs.

Required field

  • _time
  • alert.id
  • repository.full_name
  • repository.html_url
  • action
  • alert.affected_package_name
  • alert.affected_range
  • alert.created_at
  • alert.external_identifier
  • alert.external_reference
  • alert.fixed_in
  • alert.severity

Kill Chain Phase

  • Actions on Objectives

Known False Positives

unknown

RBA

Risk Score  Impact  Confidence  Message
27.0        30      90          Vulnerabilities found in packages used by GitHub repository $repository$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

Version: 1