

This search looks for pull requests opened by users who are not on the known-users list.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Dev Sec Ops Analytics
  • Datamodel:
  • Last Updated: 2021-09-01
  • Author: Patrick Bareiss, Splunk
  • ID: 9d7b9100-8878-4404-914e-ca5e551a641e


ID         Technique                                               Tactic
T1195.001  Compromise Software Dependencies and Development Tools  Initial Access
T1195      Supply Chain Compromise                                 Initial Access
Search

`github` check_suite.pull_requests{}.id=*
| stats min(_time) as firstTime max(_time) as lastTime count by sender.login repository.full_name check_suite.pull_requests{}.head.ref check_suite.head_commit.message
| rename sender.login as user repository.full_name as repository check_suite.pull_requests{}.head.ref as ref_head check_suite.head_commit.message as commit_message
| search NOT `github_known_users`
| eval phase="code"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_pull_request_from_unknown_user_filter`

The stats command now computes firstTime and lastTime, which the `security_content_ctime` macros expect but the search never produced. The source field renamed to user is missing from this page; sender.login (the GitHub webhook sender) is substituted as an assumption, so adjust it to whatever field your `github_known_users` macro matches on.
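As an added example, not part of the original detection or of Splunk's security_content, the same pipeline applied in Python to constructed check_suite webhook events: it keeps events that carry a pull request id, aggregates count, firstTime and lastTime by user, repository, head ref and commit message, and drops logins on a KNOWN_USERS allowlist that stands in for the `github_known_users` macro. The sender.login field is an assumption for the user field, and the sample events are constructed, not real GitHub data.

```python
# Constructed sample check_suite webhook events (not real data); the keys mirror
# the fields the SPL search uses. sender.login is an assumption standing in for
# the field the search renames to "user".
SAMPLE_EVENTS = [
    {"_time": 1630454400, "sender": {"login": "octo-dev"},
     "repository": {"full_name": "acme/app"},
     "check_suite": {"head_commit": {"message": "bump deps"},
                     "pull_requests": [{"id": 11, "head": {"ref": "feature/deps"}}]}},
    {"_time": 1630458000, "sender": {"login": "octo-dev"},
     "repository": {"full_name": "acme/app"},
     "check_suite": {"head_commit": {"message": "bump deps"},
                     "pull_requests": [{"id": 11, "head": {"ref": "feature/deps"}}]}},
    {"_time": 1630461600, "sender": {"login": "stranger42"},
     "repository": {"full_name": "acme/app"},
     "check_suite": {"head_commit": {"message": "add helper"},
                     "pull_requests": [{"id": 12, "head": {"ref": "patch-1"}}]}},
    # Empty pull_requests: not matched by check_suite.pull_requests{}.id=*
    {"_time": 1630465200, "sender": {"login": "stranger42"},
     "repository": {"full_name": "acme/app"},
     "check_suite": {"head_commit": {"message": "direct push"}, "pull_requests": []}},
]

# Stand-in for the `github_known_users` macro: logins expected to open PRs.
KNOWN_USERS = {"octo-dev"}


def pull_requests_from_unknown_users(events, known_users=KNOWN_USERS):
    """Mirror the SPL pipeline: filter on a PR id, stats count/firstTime/lastTime
    by (user, repository, ref_head, commit_message), then drop known users."""
    groups = {}
    for ev in events:
        # A multivalue by-field yields one stats row per pull request.
        for pr in ev["check_suite"].get("pull_requests", []):
            if "id" not in pr:
                continue
            key = (ev["sender"]["login"], ev["repository"]["full_name"],
                   pr["head"]["ref"], ev["check_suite"]["head_commit"]["message"])
            t = ev["_time"]
            g = groups.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
            g["count"] += 1
            g["firstTime"] = min(g["firstTime"], t)
            g["lastTime"] = max(g["lastTime"], t)
    results = []
    for (user, repo, ref_head, msg), g in groups.items():
        if user in known_users:  # equivalent of: search NOT `github_known_users`
            continue
        results.append({"user": user, "repository": repo, "ref_head": ref_head,
                        "commit_message": msg, "phase": "code", **g})
    return results
```

With the sample above only the stranger42 row survives; the two octo-dev events collapse into one row with count 2 that the allowlist then removes.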

Associated Analytic Story

How To Implement

You must index GitHub logs. Follow the URL in the reference section to onboard GitHub logs into Splunk.

Required fields

  • _time
  • repository.full_name
  • repository.html_url
  • action
  • alert.affected_package_name
  • alert.affected_range
  • alert.created_at
  • alert.external_identifier
  • alert.external_reference
  • alert.fixed_in
  • alert.severity

Kill Chain Phase

  • Actions on Objectives

Known False Positives



  • Risk Score: 27.0
  • Impact: 30
  • Confidence: 90
  • Message: Vulnerabilities found in packages used by GitHub repository $repository$


Test Dataset

Replay any dataset into Splunk Enterprise by using our tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1