GitHub detections improvement #3278

Merged 53 commits (Feb 26, 2025)
Changes from 1 commit

Commits (53)
416c239
Merge pull request #3257 from nterl0k/nterl0k-t1219-rmm-update-2
patel-bhavin Jan 9, 2025
e11c55b
New GitHub Enterprise detections
Jan 15, 2025
e2ca497
Merge branch 'develop' into github_detections_improvement
P4T12ICK Jan 15, 2025
7c61973
bug fix
Jan 15, 2025
3b1b8c3
Merge branch 'github_detections_improvement' of github.com:splunk/sec…
Jan 15, 2025
701a621
Deprecated old GitHub detections
Jan 15, 2025
b729886
Deprecated old GitHub detections
Jan 15, 2025
2018be8
bug fix
Jan 15, 2025
a31b2d4
Improve detection
Jan 15, 2025
e6dae32
github detections
Jan 15, 2025
2917e24
bug fix
Jan 15, 2025
9d2be76
improvements
Jan 15, 2025
5530d76
improvements
Jan 15, 2025
616f10d
change dataset name
Jan 15, 2025
75549d2
change dataset name
Jan 15, 2025
8ed3d57
new github detections
Jan 16, 2025
56d1b1e
Merge branch 'develop' into github_detections_improvement
Jan 16, 2025
d2114c2
bug fix
Jan 16, 2025
55aefb3
new github detections
Jan 16, 2025
ae48763
bug fix
Jan 16, 2025
f488218
bug fix
Jan 16, 2025
1e203ab
new detections
Jan 16, 2025
feaaae4
improvements
Jan 16, 2025
aceab14
improvements to github detections
Jan 17, 2025
ce6a457
new github detections
Jan 17, 2025
5552843
bug fix
Jan 17, 2025
c1c4595
new detections
Jan 17, 2025
bdf5fb6
bug fix
Jan 17, 2025
647f804
new detection
Jan 17, 2025
526468a
new detection
Jan 17, 2025
421b11d
bug fix
Jan 17, 2025
c03a2dc
rename detection
Jan 17, 2025
28d7338
change
Jan 17, 2025
71efc6a
change
Jan 17, 2025
8ef62a2
new detections
Jan 20, 2025
920fc69
bug fix
Jan 20, 2025
7e119c8
Merge branch 'develop' into github_detections_improvement
Feb 6, 2025
eead81f
new detection yml schema
Feb 6, 2025
b6a28b6
Merge branch 'develop' into github_detections_improvement
Feb 6, 2025
dfe5b0a
missing status field
Feb 6, 2025
d7171f0
version bump
Feb 6, 2025
3563fdd
Merge branch 'develop' into github_detections_improvement
Feb 18, 2025
e2863ae
Merge branch 'develop' into github_detections_improvement
patel-bhavin Feb 18, 2025
a33eccd
wrong space
patel-bhavin Feb 18, 2025
3c9145b
bug fixes
Feb 21, 2025
41e69bd
Merge branch 'develop' into github_detections_improvement
Feb 21, 2025
908ae96
added threat objects
Feb 21, 2025
0c12b68
bug fix
Feb 21, 2025
77cbb83
Merge branch 'develop' into github_detections_improvement
Feb 21, 2025
78071f6
Merge branch 'develop' into github_detections_improvement
patel-bhavin Feb 24, 2025
01cfd66
Merge branch 'develop' into github_detections_improvement
patel-bhavin Feb 25, 2025
e098dc9
version bump
Feb 26, 2025
83afe32
Merge branch 'develop' into github_detections_improvement
P4T12ICK Feb 26, 2025
new detections
Patrick Bareiss committed Jan 20, 2025
commit 8ef62a239b22196aebe460330df2f5b4e7687083
72 changes: 72 additions & 0 deletions detections/cloud/github_enterprise_created_self_hosted_runner.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
name: GitHub Enterprise Created Self Hosted Runner
id: b27685a2-8826-4123-ab78-2d9d0d419ed0
version: 1
date: '2025-01-20'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
description: The following analytic identifies when a self-hosted runner is created in GitHub Enterprise.
The detection monitors GitHub Enterprise audit logs for actions related to creating new self-hosted runners at the organization or enterprise level.
his behavior warrants monitoring because self-hosted runners execute workflow jobs on customer-controlled infrastructure, which could be exploited by attackers to
execute malicious code, access sensitive data, or pivot to other systems. While self-hosted runners are a legitimate feature, their creation should be carefully
controlled as compromised runners pose significant security risks. The impact includes potential remote code execution, data exfiltration, and lateral movement
within the environment if a runner is compromised. SOC teams should investigate unexpected runner creation events to verify they are authorized and properly secured,
especially if created by unfamiliar users or in unusual contexts.
data_source:
- GitHub Enterprise Audit Logs
search: '`github_enterprise` action=enterprise.register_self_hosted_runner
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_is_bot, actor_location.country_code, business, business_id, user_agent, action
| eval user=actor
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `github_enterprise_disabled_ip_allow_list_filter`'
how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
known_false_positives: unknown
references:
- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
drilldown_searches:
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
tags:
analytic_story:
- GitHub Malicious Activity
asset_type: GitHub
confidence: 90
impact: 30
message: $user$ created a self-hosted runner in GitHub Enterprise
mitre_attack_id:
- T1562.001
observable:
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- actor
- actor_id
- actor_is_bot
- actor_location.country_code
- business
- business_id
- user_agent
risk_score: 27
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_created_self_hosted_runner/github.json
source: http:github
sourcetype: httpevent
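Review bot: the closing filter macro of this search, `github_enterprise_disabled_ip_allow_list_filter`, belongs to the IP allow list detection, not to this one; the convention visible in the sibling file is one macro per detection named after it, so this line should be `| \`github_enterprise_created_self_hosted_runner_filter\``. With the shared macro, any tuning an analyst adds to suppress benign IP allow list changes will silently suppress runner-creation events as well. Two smaller points in the same hunk: the third line of the description starts with "his behavior" and should read "This behavior", and the `mitre_attack_id` of T1562.001 (Impair Defenses: Disable or Modify Tools) is worth confirming for runner creation, since the attack_data path under `tests` is keyed to the same technique and would need to move with it.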


72 changes: 72 additions & 0 deletions detections/cloud/github_enterprise_disabled_ip_allow_list.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
name: GitHub Enterprise Disable IP Allow List
id: afed020e-edcd-4913-a675-cebedf81d4fb
version: 1
date: '2025-01-20'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
description: The following analytic identifies when an IP allow list is disabled in GitHub Enterprise.
The detection monitors GitHub Enterprise audit logs for actions related to disabling IP allow lists at the organization or enterprise level.
This behavior is concerning because IP allow lists are a critical security control that restricts access to GitHub Enterprise resources to only
trusted IP addresses. When disabled, it could indicate an attacker attempting to bypass access controls to gain unauthorized access from untrusted
networks. The impact includes potential exposure of sensitive code repositories and GitHub Enterprise resources to access from any IP address.
SOC teams should investigate such events, especially if they were not pre-approved changes, as they may indicate compromise of admin credentials
or malicious insider activity.
data_source:
- GitHub Enterprise Audit Logs
search: '`github_enterprise` action=ip_allow_list.disable
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_is_bot, actor_location.country_code, business, business_id, user_agent, user_id, action
| eval user=actor
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `github_enterprise_disabled_ip_allow_list_filter`'
how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
known_false_positives: unknown
references:
- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
drilldown_searches:
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
tags:
analytic_story:
- GitHub Malicious Activity
asset_type: GitHub
confidence: 90
impact: 30
message: $user$ disabled an IP allow list in GitHub Enterprise
mitre_attack_id:
- T1562.001
observable:
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- actor
- actor_id
- actor_is_bot
- actor_location.country_code
- business
- business_id
- user_agent
risk_score: 27
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_disable_ip_allow_list/github.json
source: http:github
sourcetype: httpevent
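Review bot: `required_fields` omits `user_id`, which the `stats ... by` clause on the third line of the search groups on; add `- user_id` to the list (and, for consistency, `action`, which both the `action=ip_allow_list.disable` filter and the `by` clause use), otherwise the field list no longer describes what the search needs. Minor: the `name` reads "GitHub Enterprise Disable IP Allow List" while the file name and the filter macro use "disabled"; aligning the name with `github_enterprise_disabled_ip_allow_list` keeps the macro derivable from the detection name.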