Description
This story focuses on detecting attacks across the DevSecOps lifecycle, which consists of the phases plan, code, build, test, release, deploy, operate and monitor.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Risk
- Last Updated: 2021-08-18
- Author: Patrick Bareiss, Splunk
- ID: 0ca8c38e-631e-4b81-940c-f9c5450ce41e
Narrative
DevSecOps is a collaborative framework that considers application and infrastructure security from the start. This means that security tools are part of the continuous integration and continuous deployment pipeline. In this analytics story, we focused on detections around the tools used in this framework, such as GitHub as the version control system, GDrive for documentation, CircleCI as the CI/CD pipeline, Kubernetes as the container execution engine, and multiple security tools such as Semgrep and Kube-Hunter.
Detections
| Name | Technique | Type |
| --- | --- | --- |
| ASL AWS ECR Container Upload Outside Business Hours | Malicious Image, User Execution | Anomaly |
| ASL AWS ECR Container Upload Unknown User | Malicious Image, User Execution | Anomaly |
| AWS ECR Container Scanning Findings High | Malicious Image, User Execution | TTP |
| AWS ECR Container Scanning Findings Low Informational Unknown | Malicious Image, User Execution | Anomaly |
| AWS ECR Container Scanning Findings Medium | Malicious Image, User Execution | Anomaly |
| AWS ECR Container Upload Outside Business Hours | Malicious Image, User Execution | Anomaly |
| AWS ECR Container Upload Unknown User | Malicious Image, User Execution | Anomaly |
| Circle CI Disable Security Job | Compromise Host Software Binary | Anomaly |
| Circle CI Disable Security Step | Compromise Host Software Binary | Anomaly |
| Correlation by Repository and Risk | Malicious Image, User Execution | Correlation |
| Correlation by User and Risk | Malicious Image, User Execution | Correlation |
| GSuite Email Suspicious Attachment | Spearphishing Attachment, Phishing | Anomaly |
| GitHub Actions Disable Security Workflow | Compromise Software Supply Chain, Supply Chain Compromise | Anomaly |
| GitHub Dependabot Alert | Compromise Software Dependencies and Development Tools, Supply Chain Compromise | Anomaly |
| GitHub Pull Request from Unknown User | Compromise Software Dependencies and Development Tools, Supply Chain Compromise | Anomaly |
| Github Commit Changes In Master | Trusted Relationship | Anomaly |
| Github Commit In Develop | Trusted Relationship | Anomaly |
| Gsuite Drive Share In External Email | Exfiltration to Cloud Storage, Exfiltration Over Web Service | Anomaly |
| Gsuite Email Suspicious Subject With Attachment | Spearphishing Attachment, Phishing | Anomaly |
| Gsuite Email With Known Abuse Web Service Link | Spearphishing Attachment, Phishing | Anomaly |
| Gsuite Outbound Email With Attachment To External Domain | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Hunting |
| Gsuite Suspicious Shared File Name | Spearphishing Attachment, Phishing | Anomaly |
| Kubernetes Nginx Ingress LFI | Exploitation for Credential Access | TTP |
| Kubernetes Nginx Ingress RFI | Exploitation for Credential Access | TTP |
| Kubernetes Scanner Image Pulling | Cloud Service Discovery | TTP |
| Risk Rule for Dev Sec Ops by Repository | Malicious Image, User Execution | Correlation |
Reference
source | version: 1