GitHub Dependabot Alert
Description
This search looks for Dependabot Alerts in Github logs.
- Type: Anomaly
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2021-09-01
- Author: Patrick Bareiss, Splunk
- ID: 05032b04-4469-4034-9df7-05f607d75cba
Annotations
ATT&CK
Kill Chain Phase
- Delivery
NIST
- DE.AE
CIS20
- CIS 13
CVE
Search
1
2
3
4
5
6
7
`github` alert.id=* action=create
| rename repository.full_name as repository, repository.html_url as repository_url sender.login as user
| stats min(_time) as firstTime max(_time) as lastTime by action alert.affected_package_name alert.affected_range alert.created_at alert.external_identifier alert.external_reference alert.fixed_in alert.severity repository repository_url user
| eval phase="code"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_dependabot_alert_filter`
Macros
The SPL above uses the following Macros:
github_dependabot_alert_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- alert.id
- repository.full_name
- repository.html_url
- action
- alert.affected_package_name
- alert.affected_range
- alert.created_at
- alert.external_identifier
- alert.external_reference
- alert.fixed_in
- alert.severity
How To Implement
You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.
Known False Positives
unknown
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 27.0 | 30 | 90 | Vulnerabilities found in packages used by GitHub repository $repository$ |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1