GitHub Pull Request from Unknown User
Description
This search looks for Pull Request from unknown user.
- Type: Anomaly
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2021-09-01
- Author: Patrick Bareiss, Splunk
- ID: 9d7b9100-8878-4404-914e-ca5e551a641e
Annotations
ATT&CK
Kill Chain Phase
- Delivery
NIST
- DE.AE
CIS20
- CIS 13
CVE
Search
1
2
3
4
5
6
7
8
`github` check_suite.pull_requests{}.id=*
| stats count by check_suite.head_commit.author.name repository.full_name check_suite.pull_requests{}.head.ref check_suite.head_commit.message
| rename check_suite.head_commit.author.name as user repository.full_name as repository check_suite.pull_requests{}.head.ref as ref_head check_suite.head_commit.message as commit_message
| search NOT `github_known_users`
| eval phase="code"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_pull_request_from_unknown_user_filter`
Macros
The SPL above uses the following Macros:
github_pull_request_from_unknown_user_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- alert.id
- repository.full_name
- repository.html_url
- action
- alert.affected_package_name
- alert.affected_range
- alert.created_at
- alert.external_identifier
- alert.external_reference
- alert.fixed_in
- alert.severity
How To Implement
You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.
Known False Positives
unknown
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 27.0 | 30 | 90 | Vulnerabilities found in packages used by GitHub repository $repository$ |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1