-
Notifications
You must be signed in to change notification settings - Fork 379
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Patrick Bareiss
committed
Jan 17, 2025
1 parent
aceab14
commit ce6a457
Showing
5 changed files
with
236 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
78 changes: 78 additions & 0 deletions
78
detections/cloud/github_enterprise_repository_archived.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| name: GitHub Enterprise Repository Archived | ||
| id: 8367cb99-bae1-4748-ae3b-0927bb381424 | ||
| version: 1 | ||
| date: '2025-01-17' | ||
| author: Patrick Bareiss, Splunk | ||
| status: production | ||
| type: Anomaly | ||
| description: The following analytic detects when a repository is archived in GitHub Enterprise. | ||
| The detection monitors GitHub Enterprise audit logs for repository archival events by tracking actor details, | ||
| repository information, and associated metadata. For a SOC, identifying repository archival is important as it could | ||
| indicate attempts to make critical code inaccessible or preparation for repository deletion. While archiving is a legitimate | ||
| feature, unauthorized archival of active repositories could signal account compromise, insider threats, or attempts to disrupt | ||
| development operations. The impact of unauthorized repository archival includes loss of active development access, disruption | ||
| to workflows and CI/CD pipelines, and potential business delays if critical repositories are affected. Additionally, archived | ||
| repositories may be targeted for subsequent deletion, potentially resulting in permanent loss of intellectual property if | ||
| proper backups are not maintained. | ||
| data_source: | ||
| - GitHub Enterprise Audit Logs | ||
| search: '`github_enterprise` action=repo.archived | ||
| | fillnull | ||
| | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user_agent, visibility, action | ||
| | eval user=actor | ||
| | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | ||
| | `github_enterprise_repository_deleted_filter`' | ||
| how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector. | ||
| known_false_positives: unknown | ||
| references: | ||
| - https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610 | ||
| - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk | ||
| drilldown_searches: | ||
| - name: View the detection results for - "$user$" | ||
| search: '%original_detection_search% | search user = "$user$"' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| - name: View risk events for the last 7 days for - "$user$" | ||
| search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| tags: | ||
| analytic_story: | ||
| - GitHub Malicious Activity | ||
| asset_type: GitHub | ||
| confidence: 90 | ||
| impact: 30 | ||
| message: $user$ archived a repository in GitHub Enterprise | ||
| mitre_attack_id: | ||
| - T1485 | ||
| observable: | ||
| - name: user | ||
| type: User | ||
| role: | ||
| - Victim | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| required_fields: | ||
| - actor | ||
| - actor_id | ||
| - actor_is_bot | ||
| - actor_location.country_code | ||
| - business | ||
| - business_id | ||
| - org | ||
| - org_id | ||
| - repo | ||
| - repo_id | ||
| - user_agent | ||
| risk_score: 27 | ||
| security_domain: network | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/github_archived_repository/github.json | ||
| source: http:github | ||
| sourcetype: httpevent | ||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
79 changes: 79 additions & 0 deletions
79
detections/cloud/github_organizations_repository_archived.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| name: GitHub Organizations Repository Archived | ||
| id: 4f568a0e-896f-4d94-a2f7-fa6d82ab1f77 | ||
| version: 1 | ||
| date: '2025-01-17' | ||
| author: Patrick Bareiss, Splunk | ||
| status: production | ||
| type: Anomaly | ||
| description: The following analytic detects when a repository is archived in GitHub Organizations. | ||
| The detection monitors GitHub Organizations audit logs for repository archival events by tracking actor details, | ||
| repository information, and associated metadata. For a SOC, identifying repository archival is important as it could | ||
| indicate attempts to make critical code inaccessible or preparation for repository deletion. While archiving is a legitimate | ||
| feature, unauthorized archival of active repositories could signal account compromise, insider threats, or attempts to disrupt | ||
| development operations. The impact of unauthorized repository archival includes loss of active development access, disruption | ||
| to workflows and CI/CD pipelines, and potential business delays if critical repositories are affected. Additionally, archived | ||
| repositories may be targeted for subsequent deletion, potentially resulting in permanent loss of intellectual property if | ||
| proper backups are not maintained. | ||
| data_source: | ||
| - GitHub Organizations Audit Logs | ||
| search: '`github_organizations` vendor_action=repo.archived | ||
| | fillnull | ||
| | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user_agent, visibility, vendor_action | ||
| | eval user=actor | ||
| | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | ||
| | `github_organizations_repository_deleted_filter`' | ||
| how_to_implement: You must ingest GitHub Organizations logs using Splunk Add-on for Github using a Personal Access Token https://docs.splunk.com/Documentation/AddOns/released/GitHub/Configureinputs . | ||
| known_false_positives: unknown | ||
| references: | ||
| - https://docs.splunk.com/Documentation/AddOns/released/GitHub/Configureinputs | ||
| - https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610 | ||
| drilldown_searches: | ||
| - name: View the detection results for - "$user$" | ||
| search: '%original_detection_search% | search user = "$user$"' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| - name: View risk events for the last 7 days for - "$user$" | ||
| search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| tags: | ||
| analytic_story: | ||
| - GitHub Malicious Activity | ||
| asset_type: GitHub | ||
| confidence: 90 | ||
| impact: 30 | ||
| message: $user$ archived a repository in GitHub Organizations | ||
| mitre_attack_id: | ||
| - T1485 | ||
| observable: | ||
| - name: user | ||
| type: User | ||
| role: | ||
| - Victim | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| required_fields: | ||
| - actor | ||
| - actor_id | ||
| - actor_is_bot | ||
| - actor_location.country_code | ||
| - business | ||
| - business_id | ||
| - org | ||
| - org_id | ||
| - repo | ||
| - repo_id | ||
| - user | ||
| - user_agent | ||
| - user_id | ||
| risk_score: 27 | ||
| security_domain: network | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/github_archived_repository/github.json | ||
| source: github | ||
| sourcetype: github:cloud:audit | ||
|
|
79 changes: 79 additions & 0 deletions
79
detections/cloud/github_organizations_repository_deleted.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| name: GitHub Organizations Repository Deleted | ||
| id: 9ff4ca95-fdae-4eea-9ffa-6d8e1c202a71 | ||
| version: 1 | ||
| date: '2025-01-17' | ||
| author: Patrick Bareiss, Splunk | ||
| status: production | ||
| type: Anomaly | ||
| description: The following analytic identifies when a repository is deleted within a GitHub organization. | ||
| The detection monitors GitHub Organizations audit logs for repository deletion events by tracking actor details, | ||
| repository information, and associated metadata. This behavior is concerning for SOC teams as malicious actors may | ||
| attempt to delete repositories to destroy source code, intellectual property, or evidence of compromise. Repository | ||
| deletion can result in permanent loss of code, documentation, and project history if proper backups are not maintained. | ||
| Additionally, unauthorized repository deletion could indicate account compromise, insider threats, or attempts to disrupt | ||
| business operations. The impact of a repository deletion attack includes loss of intellectual property, disruption to | ||
| development workflows, and potential financial losses from lost work. Early detection of unauthorized repository deletions | ||
| allows security teams to investigate potential compromises and restore from backups if needed. | ||
| data_source: | ||
| - GitHub Organizations Audit Logs | ||
| search: '`github_organizations` vendor_action=repo.destroy | ||
| | fillnull | ||
| | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user_agent, visibility, vendor_action | ||
| | eval user=actor | ||
| | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | ||
| | `github_organizations_repository_deleted_filter`' | ||
| how_to_implement: You must ingest GitHub Organizations logs using Splunk Add-on for Github using a Personal Access Token https://docs.splunk.com/Documentation/AddOns/released/GitHub/Configureinputs . | ||
| known_false_positives: unknown | ||
| references: | ||
| - https://docs.splunk.com/Documentation/AddOns/released/GitHub/Configureinputs | ||
| - https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610 | ||
| drilldown_searches: | ||
| - name: View the detection results for - "$user$" | ||
| search: '%original_detection_search% | search user = "$user$"' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| - name: View risk events for the last 7 days for - "$user$" | ||
| search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' | ||
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| tags: | ||
| analytic_story: | ||
| - GitHub Malicious Activity | ||
| asset_type: GitHub | ||
| confidence: 90 | ||
| impact: 30 | ||
| message: $user$ deleted a repository in GitHub Organizations | ||
| mitre_attack_id: | ||
| - T1485 | ||
| observable: | ||
| - name: user | ||
| type: User | ||
| role: | ||
| - Victim | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| required_fields: | ||
| - actor | ||
| - actor_id | ||
| - actor_is_bot | ||
| - actor_location.country_code | ||
| - business | ||
| - business_id | ||
| - org | ||
| - org_id | ||
| - repo | ||
| - repo_id | ||
| - user | ||
| - user_agent | ||
| - user_id | ||
| risk_score: 27 | ||
| security_domain: network | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/github_delete_repository/github.json | ||
| source: github | ||
| sourcetype: github:cloud:audit | ||
|
|