github detection

P4T12ICK · P4T12ICK · commit dcbc0f95ad73 · 2021-09-01T13:56:23.000+02:00
diff --git a/detections/cloud/github_pull_request_from_unknown_user.yml b/detections/cloud/github_pull_request_from_unknown_user.yml
@@ -0,0 +1,64 @@
+name: GitHub Pull Request from Unknown User
+id: 9d7b9100-8878-4404-914e-ca5e551a641e
+version: 1
+date: '2021-09-01'
+author: Patrick Bareiss, Splunk
+type: Anomaly
+datamodel: []
+description: This search looks for Pull Request from unknown user.
+search: '`github` check_suite.pull_requests{}.id=* 
+  | stats count by check_suite.head_commit.author.name check_suite.pull_requests{}.base.repo.name 
+  check_suite.pull_requests{}.head.ref check_suite.head_commit.message 
+  | rename check_suite.head_commit.author.name as user check_suite.pull_requests{}.base.repo.name as repository 
+  check_suite.pull_requests{}.head.ref as ref_head check_suite.head_commit.message as commit_message 
+  | search NOT `github_known_users`
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  | `github_pull_request_from_unknown_user_filter`'
+how_to_implement: You must index GitHub logs. You can follow the url in reference
+  to onboard GitHub logs.
+known_false_positives: unknown
+references:
+- https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html
+tags:
+  analytic_story:
+  - Dev Sec Ops
+  asset_type: GitHub
+  cis20:
+  - CIS 13
+  confidence: 90
+  impact: 30
+  kill_chain_phases:
+  - Actions on Objectives
+  message: Vulnerabilities found in packages used by GitHub repository $repository$
+  mitre_attack_id:
+  - T1195.001
+  nist:
+  - PR.DS
+  - PR.AC
+  - DE.CM
+  observable:
+  - name: repository
+    type: System
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  - Dev Sec Ops Analytics
+  required_fields:
+  - _time
+  - alert.id
+  - repository.full_name
+  - repository.html_url
+  - action
+  - alert.affected_package_name
+  - alert.affected_range
+  - alert.created_at
+  - alert.external_identifier
+  - alert.external_reference
+  - alert.fixed_in
+  - alert.severity
+  risk_score: 27
+  security_domain: network
+  
diff --git a/macros/github_known_users.yml b/macros/github_known_users.yml
@@ -0,0 +1,3 @@
+definition: user IN (user_names_here)
+description: specify the user allowed to create PRs in Github projects.
+name: github_known_users
diff --git a/tests/cloud/github_pull_request_from_unknown_user.test.yml b/tests/cloud/github_pull_request_from_unknown_user.test.yml
@@ -0,0 +1,12 @@
+name: GitHub Pull Request from Unknown User Unit Test
+tests:
+- name: GitHub Pull Request from Unknown User
+  file: cloud/github_pull_request_from_unknown_user.yml
+  pass_condition: '| stats count | where count > 0'
+  earliest_time: '-365d'
+  latest_time: 'now'
+  attack_data:
+  - file_name: github_pull_request.json
+    data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.001/github_pull_request/github_pull_request.json
+    sourcetype: aws:firehose:json
+    source: github

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+definition: user IN (user_names_here)`
	`2`	`+description: specify the user allowed to create PRs in Github projects.`
	`3`	`+name: github_known_users`