Description

This search looks for CircleCI jobs that completed without running a step that the `mandatory_step_for_job` lookup marks as mandatory for that job name, for example a security scan that was removed from or disabled in the pipeline configuration.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Dev Sec Ops Analytics
  • Datamodel:
  • Last Updated: 2021-09-01
  • Author: Patrick Bareiss, Splunk
  • ID: 72cb9de9-e98b-4ac9-80b2-5331bba6ea97

ATT&CK

  • ID: T1554
  • Technique: Compromise Client Software Binary
  • Tactic: Persistence

Search
`circleci`
| rename workflows.job_id AS job_id
| join job_id [
| search `circleci`
| stats values(name) as step_names count by job_id job_name ]
| stats min(_time) as firstTime max(_time) as lastTime count by step_names job_id job_name vcs.committer_name vcs.subject vcs.url owners{}
| rename vcs.* as * , owners{} as user
| lookup mandatory_step_for_job job_name OUTPUTNEW step_name AS mandatory_step
| search mandatory_step=*
| eval mandatory_step_executed=if(like(step_names, "%".mandatory_step."%"), 1, 0)
| where mandatory_step_executed=0
| rex field=url "(?<repository>[^\/]*\/[^\/]*)$"
| eval phase="build"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `circle_ci_disable_security_step_filter`
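The following is an added example, not part of the Splunk Security Content project, that re-implements the logic of the search above in Python so it can be run offline against a handful of events. The events, the lookup contents (`build` requires the step `Run security scan`) and the user and repository names are constructed for the example. It groups steps per job, joins the lookup, applies the same substring test the search uses in `like(step_names, "%mandatory_step%")`, and extracts the repository with the same regular expression as the `rex` command. It also shows the consequence of the substring test: a step renamed to `Run security scan (disabled)` still counts as executed unless whole-name matching is used.

```python
import re

# Constructed sample events (not real CircleCI data), one per executed step,
# carrying the fields the search reads: workflows.job_id, job_name,
# name (the step name), owners and vcs.*.
SAMPLE_EVENTS = [
    {"_time": 1630454400, "workflows": {"job_id": "job-1"}, "job_name": "build",
     "name": "Checkout code", "owners": ["alice"],
     "vcs": {"committer_name": "alice", "subject": "add feature",
             "url": "https://github.com/example-org/example-app"}},
    {"_time": 1630454410, "workflows": {"job_id": "job-1"}, "job_name": "build",
     "name": "Run security scan", "owners": ["alice"],
     "vcs": {"committer_name": "alice", "subject": "add feature",
             "url": "https://github.com/example-org/example-app"}},
    {"_time": 1630454500, "workflows": {"job_id": "job-2"}, "job_name": "build",
     "name": "Checkout code", "owners": ["mallory"],
     "vcs": {"committer_name": "mallory", "subject": "speed up build",
             "url": "https://github.com/example-org/example-app"}},
    {"_time": 1630454510, "workflows": {"job_id": "job-2"}, "job_name": "build",
     "name": "Run tests", "owners": ["mallory"],
     "vcs": {"committer_name": "mallory", "subject": "speed up build",
             "url": "https://github.com/example-org/example-app"}},
    {"_time": 1630454600, "workflows": {"job_id": "job-3"}, "job_name": "build",
     "name": "Run security scan (disabled)", "owners": ["bob"],
     "vcs": {"committer_name": "bob", "subject": "wip",
             "url": "https://github.com/example-org/example-app"}},
    {"_time": 1630454700, "workflows": {"job_id": "job-4"}, "job_name": "docs",
     "name": "Build docs", "owners": ["carol"],
     "vcs": {"committer_name": "carol", "subject": "docs",
             "url": "https://github.com/example-org/example-app"}},
]

# Stands in for the mandatory_step_for_job lookup (job_name -> step_name).
# The contents are an assumption for this example.
MANDATORY_STEP_FOR_JOB = {"build": "Run security scan"}

# Same pattern as the rex in the search: the last two path segments of the VCS URL.
REPOSITORY_RE = re.compile(r"([^/]*/[^/]*)$")


def detect_missing_mandatory_steps(events, lookup, exact=False):
    """Group steps per job, join the lookup and return one finding per job
    whose mandatory step did not run. exact=False reproduces the search's
    like(step_names, "%mandatory_step%") substring test; exact=True requires
    a step whose whole name equals the lookup value."""
    jobs = {}
    for ev in events:
        job_id = ev["workflows"]["job_id"]
        job = jobs.setdefault(job_id, {
            "job_id": job_id, "job_name": ev["job_name"], "step_names": set(),
            "committer_name": ev["vcs"]["committer_name"],
            "subject": ev["vcs"]["subject"], "url": ev["vcs"]["url"],
            "user": ",".join(ev["owners"]),
            "firstTime": ev["_time"], "lastTime": ev["_time"]})
        job["step_names"].add(ev["name"])
        job["firstTime"] = min(job["firstTime"], ev["_time"])
        job["lastTime"] = max(job["lastTime"], ev["_time"])

    findings = []
    for job in jobs.values():
        mandatory = lookup.get(job["job_name"])
        if mandatory is None:  # search mandatory_step=* drops jobs without a lookup entry
            continue
        if exact:
            executed = mandatory in job["step_names"]
        else:
            executed = any(mandatory in name for name in job["step_names"])
        if executed:
            continue
        match = REPOSITORY_RE.search(job["url"])
        findings.append({
            "job_id": job["job_id"], "job_name": job["job_name"],
            "mandatory_step": mandatory, "user": job["user"],
            "repository": match.group(1) if match else None, "phase": "build",
            "firstTime": job["firstTime"], "lastTime": job["lastTime"],
            # Same wording as the RBA message of the detection.
            "message": f"disable security step {mandatory} in job "
                       f"{job['job_name']} from user {job['user']}",
        })
    return findings


if __name__ == "__main__":
    for f in detect_missing_mandatory_steps(SAMPLE_EVENTS, MANDATORY_STEP_FOR_JOB):
        print(f["message"], f["repository"])
    # Whole-name matching additionally reports job-3, whose step was renamed.
    for f in detect_missing_mandatory_steps(SAMPLE_EVENTS, MANDATORY_STEP_FOR_JOB, exact=True):
        print("exact:", f["message"])
```

With the substring semantics of the search only `job-2` (no security step at all) is reported; the renamed step in `job-3` passes. If your mandatory step names are stable, storing the full step name in the lookup and comparing whole names, as the `exact=True` path does, closes that gap; the cost is that any legitimate rename of the step must be reflected in the lookup.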

Associated Analytic Story

How To Implement

You must index CircleCI logs, and the `circleci` macro must resolve to the index and sourcetype that holds them. The `mandatory_step_for_job` lookup must be populated with one row per job_name and the step_name that job is required to run; jobs with no entry in the lookup are ignored by `search mandatory_step=*`. The comparison is a substring test (`like(step_names, "%mandatory_step%")`), so a step whose name merely contains the mandatory name counts as executed. Because step_names is a multivalue field produced by values(name) and is then used as a by field in the second stats, run the search against a job whose steps all ran and against one that skipped its mandatory step, and confirm that only the latter is returned, before enabling it. Use `circle_ci_disable_security_step_filter` to exclude known exceptions.

Required field

  • _time

Kill Chain Phase

  • Actions on Objectives

Known False Positives

unknown

RBA

  • Risk Score: 72.0
  • Impact: 80
  • Confidence: 90
  • Message: disable security step $mandatory_step$ in job $job_name$ from user $user$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1