Try in Splunk Security Cloud

Description

This story is focused around detecting attacks on a DevSecOps lifeccycle which consists of the phases plan, code, build, test, release, deploy, operate and monitor.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Dev Sec Ops Analytics
  • Datamodel:
  • Last Updated: 2021-08-18
  • Author: Patrick Bareiss, Splunk
  • ID: 0ca8c38e-631e-4b81-940c-f9c5450ce41e

Narrative

DevSecOps is a collaborative framework, which thinks about application and infrastructure security from the start. This means that security tools are part of the continuous integration and continuous deployment pipeline. In this analytics story, we focused on detections around the tools used in this framework such as GitHub as a version control system, GDrive for the documentation, CircleCI as the CI/CD pipeline, Kubernetes as the container execution engine and multiple security tools such as Semgrep and Kube-Hunter.

Detections

Name Technique Type
AWS ECR Container Scanning Findings High Malicious Image, User Execution TTP
AWS ECR Container Scanning Findings Low Informational Unknown Malicious Image, User Execution Hunting
AWS ECR Container Scanning Findings Medium Malicious Image, User Execution Anomaly
AWS ECR Container Upload Outside Business Hours Malicious Image, User Execution Anomaly
AWS ECR Container Upload Unknown User Malicious Image, User Execution Anomaly
Circle CI Disable Security Job Compromise Client Software Binary Anomaly
Circle CI Disable Security Step Compromise Client Software Binary Anomaly
Correlation by Repository and Risk Malicious Image, User Execution Correlation
Correlation by User and Risk Malicious Image, User Execution Correlation
GSuite Email Suspicious Attachment Spearphishing Attachment, Phishing Anomaly
GitHub Dependabot Alert Compromise Software Dependencies and Development Tools, Supply Chain Compromise Anomaly
GitHub Pull Request from Unknown User Compromise Software Dependencies and Development Tools, Supply Chain Compromise Anomaly
Github Commit Changes In Master Trusted Relationship Anomaly
Github Commit In Develop Trusted Relationship Anomaly
Gsuite Drive Share In External Email Exfiltration to Cloud Storage, Exfiltration Over Web Service Anomaly
Gsuite Email Suspicious Subject With Attachment Spearphishing Attachment, Phishing Anomaly
Gsuite Email With Known Abuse Web Service Link Spearphishing Attachment, Phishing Anomaly
Gsuite Outbound Email With Attachment To External Domain Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol Anomaly
Gsuite Suspicious Shared File Name Spearphishing Attachment, Phishing Anomaly
Kubernetes Nginx Ingress LFI Exploitation for Credential Access TTP
Kubernetes Nginx Ingress RFI Exploitation for Credential Access TTP
Kubernetes Scanner Image Pulling Cloud Service Discovery TTP

Reference

source | version: 1