
Description

This search looks for GitHub pull requests whose head commit was authored by a user who is not on the list of known users, a possible sign of a compromised account or an unexpected contributor introducing code into the repository.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Dev Sec Ops Analytics
  • Datamodel:
  • Last Updated: 2021-09-01
  • Author: Patrick Bareiss, Splunk
  • ID: 9d7b9100-8878-4404-914e-ca5e551a641e

ATT&CK

ID          Technique                                                Tactic
T1195.001   Compromise Software Dependencies and Development Tools   Initial Access
T1195       Supply Chain Compromise                                  Initial Access
Search

`github` check_suite.pull_requests{}.id=* 
| stats count min(_time) as firstTime max(_time) as lastTime by check_suite.head_commit.author.name repository.full_name check_suite.pull_requests{}.head.ref check_suite.head_commit.message 
| rename check_suite.head_commit.author.name as user repository.full_name as repository check_suite.pull_requests{}.head.ref as ref_head check_suite.head_commit.message as commit_message 
| search NOT `github_known_users` 
| eval phase="code" 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `github_pull_request_from_unknown_user_filter`

The `stats` stage computes `firstTime` and `lastTime` so that the two `security_content_ctime` macros below it have a field to format; without those aggregations they would operate on fields that do not exist and the result would carry no timestamps.
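To see what the search produces, here is an added Python re-implementation of its logic run over a few constructed GitHub `check_suite` webhook events. This is example code written for this page, not Splunk's own search or any part of the Splunk security content. It assumes that the `github_known_users` macro expands to a plain set of trusted author names (KNOWN_USERS below stands in for it), that `security_content_ctime` renders epoch seconds as `%Y-%m-%dT%H:%M:%S`, and that a constructed `timestamp` field plays the role of Splunk's `_time`. The event bodies, repository names and user names are made up.

```python
"""Re-implementation of the "GitHub Pull Request from Unknown User" search
over constructed webhook events (added example, not the page's own code)."""
import json
from datetime import datetime, timezone

# Constructed check_suite webhook events (not real GitHub data). "timestamp"
# stands in for Splunk's _time. Event 4 has no pull request, so it is filtered
# out by check_suite.pull_requests{}.id=*; event 5 has two pull requests, so
# the multivalue head.ref field yields one row per ref, as stats ... by does.
SAMPLE_EVENTS = [
    json.dumps({"timestamp": "2021-09-01T10:00:00Z",
                "repository": {"full_name": "acme/webapp"},
                "check_suite": {"head_commit": {"author": {"name": "alice"},
                                                "message": "Add login form"},
                                "pull_requests": [{"id": 1, "head": {"ref": "feature/login"}}]}}),
    json.dumps({"timestamp": "2021-09-01T10:05:00Z",
                "repository": {"full_name": "acme/webapp"},
                "check_suite": {"head_commit": {"author": {"name": "mallory"},
                                                "message": "Update CI config"},
                                "pull_requests": [{"id": 2, "head": {"ref": "fix/ci"}}]}}),
    json.dumps({"timestamp": "2021-09-01T10:20:00Z",   # check suite re-run, same PR
                "repository": {"full_name": "acme/webapp"},
                "check_suite": {"head_commit": {"author": {"name": "mallory"},
                                                "message": "Update CI config"},
                                "pull_requests": [{"id": 2, "head": {"ref": "fix/ci"}}]}}),
    json.dumps({"timestamp": "2021-09-01T10:30:00Z",   # push to default branch, no PR
                "repository": {"full_name": "acme/infra"},
                "check_suite": {"head_commit": {"author": {"name": "bob"},
                                                "message": "Rotate runner token"},
                                "pull_requests": []}}),
    json.dumps({"timestamp": "2021-09-01T10:40:00Z",
                "repository": {"full_name": "acme/infra"},
                "check_suite": {"head_commit": {"author": {"name": "eve"},
                                                "message": "Bump deps"},
                                "pull_requests": [{"id": 7, "head": {"ref": "chore/deps"}},
                                                  {"id": 8, "head": {"ref": "chore/deps-2"}}]}}),
]

# Assumption: the `github_known_users` macro is a list of trusted author names.
KNOWN_USERS = {"alice", "bob"}


def _epoch(ts):
    """ISO-8601 UTC timestamp -> epoch seconds (stands in for _time)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def _ctime(epoch):
    """Assumed behaviour of `security_content_ctime`: epoch -> %Y-%m-%dT%H:%M:%S."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def pull_requests_from_unknown_users(raw_events, known_users):
    """Return one row per (user, repository, ref_head, commit_message) group
    whose author is not a known user, with count, firstTime and lastTime."""
    groups = {}
    for raw in raw_events:
        ev = json.loads(raw)
        suite = ev.get("check_suite", {})
        # check_suite.pull_requests{}.id=* : keep events with at least one PR id
        prs = [pr for pr in suite.get("pull_requests", []) if "id" in pr]
        if not prs:
            continue
        t = _epoch(ev["timestamp"])
        user = suite["head_commit"]["author"]["name"]
        repo = ev["repository"]["full_name"]
        message = suite["head_commit"]["message"]
        # stats ... by a multivalue field splits into one group per value
        for pr in prs:
            key = (user, repo, pr["head"]["ref"], message)
            g = groups.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
            g["count"] += 1
            g["firstTime"] = min(g["firstTime"], t)
            g["lastTime"] = max(g["lastTime"], t)

    rows = []
    for (user, repo, ref_head, message), g in sorted(groups.items()):
        if user in known_users:          # search NOT `github_known_users`
            continue
        rows.append({"user": user, "repository": repo, "ref_head": ref_head,
                     "commit_message": message, "count": g["count"],
                     "phase": "code",    # eval phase="code"
                     "firstTime": _ctime(g["firstTime"]),
                     "lastTime": _ctime(g["lastTime"])})
    return rows


if __name__ == "__main__":
    for row in pull_requests_from_unknown_users(SAMPLE_EVENTS, KNOWN_USERS):
        print(row)
```

Running it yields three rows: two for eve (one per pull request head ref in the single event) and one for mallory with a count of 2, because the re-run check suite for the same pull request collapses into the same group and only widens the firstTime/lastTime window. The events from alice and bob never appear, alice because she is a known user and bob because his event carries no pull request.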

Associated Analytic Story

How To Implement

You must index GitHub logs. Follow the URL in the Reference section to onboard GitHub logs into Splunk, and populate the `github_known_users` macro with the users who are expected to open pull requests against your repositories.

Required fields

  • _time
  • check_suite.pull_requests{}.id
  • check_suite.pull_requests{}.head.ref
  • check_suite.head_commit.author.name
  • check_suite.head_commit.message
  • repository.full_name

Kill Chain Phase

  • Actions on Objectives

Known False Positives

Unknown. Any legitimate contributor who is not yet listed in the `github_known_users` macro will match this search.

RBA

Risk Score   Impact   Confidence   Message
27.0         30       90           Vulnerabilities found in packages used by GitHub repository $repository$

Reference

Test Dataset

Replay any dataset into Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1