GitHub Pull Request from Unknown User

Try in Splunk Security Cloud

Description

The following analytic detects pull requests from unknown users on GitHub. The detection is made by using a Splunk query to search for pull requests in the check_suite.pull_requests field where the id is not specified. Next, the analytic retrieves information such as the author's name, the repository's full name, the head reference of the pull request, and the commit message from the check_suite.head_commit field. The analytic also includes a step to exclude known users by using the github_known_users lookup table, which helps to filter out pull requests from known users and focus on the pull requests from unknown users. The detection is important because it locates potential malicious activity or unauthorized access since unknown users can introduce malicious code or gain unauthorized access to repositories leading to unauthorized code changes, data breaches, or other security incidents. Next steps include reviewing the author's name, the repository involved, the head reference of the pull request, and the commit message upon triage of a potential pull request from an unknown user. You must also analyze any relevant on-disk artifacts and investigate any concurrent processes to determine the source and intent of the pull request."

• Type: Anomaly

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

• Last Updated: 2021-09-01
• Author: Patrick Bareiss, Splunk
• ID: 9d7b9100-8878-4404-914e-ca5e551a641e

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1195.001	Compromise Software Dependencies and Development Tools	Initial Access

T1195

Supply Chain Compromise

Initial Access

Kill Chain Phase

• Delivery

NIST

• DE.AE

CIS20

• CIS 13

CVE

Search

`github` check_suite.pull_requests{}.id=* 
| stats count by check_suite.head_commit.author.name repository.full_name check_suite.pull_requests{}.head.ref check_suite.head_commit.message 
| rename check_suite.head_commit.author.name as user repository.full_name as repository check_suite.pull_requests{}.head.ref as ref_head check_suite.head_commit.message as commit_message 
| search NOT `github_known_users` 
| eval phase="code" 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `github_pull_request_from_unknown_user_filter`

Macros

The SPL above uses the following Macros:

• github
• github_known_users
• security_content_ctime

github_pull_request_from_unknown_user_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• alert.id
• repository.full_name
• repository.html_url
• action
• alert.affected_package_name
• alert.affected_range
• alert.created_at
• alert.external_identifier
• alert.external_reference
• alert.fixed_in
• alert.severity

How To Implement

You must index GitHub logs. You can follow the url in reference to onboard GitHub logs.

Known False Positives

unknown

Associated Analytic Story

• Dev Sec Ops

RBA

Risk Score	Impact	Confidence	Message
27.0	30	90	Vulnerabilities found in packages used by GitHub repository $repository$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://www.splunk.com/en_us/blog/tips-and-tricks/getting-github-data-with-webhooks.html

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1