GitHub Dependabot Alert

Try in Splunk Security Cloud

Description

The following analytic is made by first searching for logs that contain the action "create" and renames certain fields for easier analysis. Then, this analytic uses the "stats" command to calculate the first and last occurrence of the alert based on the timestamp. The fields included in the output are the action, affected package name, affected range, created date, external identifier, external reference, fixed version, severity, repository, repository URL, and user. The "phase" field is set to "code" to indicate that the alert pertains to code-related issues. The detection is important because dependabot Alerts can indicate vulnerabilities in the codebase that can be exploited by attackers. Detecting and investigating these alerts can help a SOC to proactively address security risks and prevent potential breaches or unauthorized access to sensitive information. False positives might occur since there are legitimate actions that trigger the "create" action or if other factors exist that can generate similar log entries. Next steps include reviewing the details of the alert, such as the affected package, severity, and fixed version to determine the appropriate response and mitigation steps.

• Type: Anomaly

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2021-09-01
• Author: Patrick Bareiss, Splunk
• ID: 05032b04-4469-4034-9df7-05f607d75cba

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1195.001	Compromise Software Dependencies and Development Tools	Initial Access

T1195

Supply Chain Compromise

Initial Access

Kill Chain Phase

• Delivery

NIST

• DE.AE

CIS20

• CIS 13

CVE

Search

`github` alert.id=* action=create 
| rename repository.full_name as repository, repository.html_url as repository_url sender.login as user 
| stats min(_time) as firstTime max(_time) as lastTime by action alert.affected_package_name alert.affected_range alert.created_at alert.external_identifier alert.external_reference alert.fixed_in alert.severity repository repository_url user 
| eval phase="code" 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `github_dependabot_alert_filter`

Macros

The SPL above uses the following Macros:

• github
• security_content_ctime

github_dependabot_alert_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• alert.id
• repository.full_name
• repository.html_url
• action
• alert.affected_package_name
• alert.affected_range
• alert.created_at
• alert.external_identifier
• alert.external_reference
• alert.fixed_in
• alert.severity

How To Implement

You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.

Known False Positives

unknown

Associated Analytic Story

• Dev Sec Ops

RBA

Risk Score	Impact	Confidence	Message
27.0	30	90	Vulnerabilities found in packages used by GitHub repository $repository$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1