GitHub Organizations Disable Dependabot

Name:GitHub Organizations Disable Dependabot
id:69078d8c-0de6-45de-bb00-14e78e042fd6
version:1
date:2025-01-14
author:Patrick Bareiss, Splunk
status:production
type:Anomaly
Description:The following analytic detects when a user disables Dependabot security features within a GitHub repository. Dependabot helps automatically identify and fix security vulnerabilities in dependencies. The detection monitors GitHub Enterprise logs for configuration changes that disable Dependabot functionality. This behavior could indicate an attacker attempting to prevent the automatic detection of vulnerable dependencies, which would allow them to exploit known vulnerabilities that would otherwise be patched. For a SOC, identifying the disabling of security features like Dependabot is critical as it may be a precursor to supply chain attacks where attackers exploit vulnerable dependencies. The impact could be severe if vulnerabilities remain unpatched, potentially leading to code execution, data theft, or other compromises through the software supply chain.
Data_source:

• -GitHub Organizations Audit Logs

search:`github_organizations` vendor_action=repository_vulnerability_alerts.disable
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user, user_agent, user_id, vendor_action
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_organizations_disable_dependabot_filter`

how_to_implement:You must ingest GitHub Organizations logs using Splunk Add-on for Github using a Personal Access Token https://docs.splunk.com/Documentation/AddOns/released/GitHub/Configureinputs .
known_false_positives:unknown
References:
  -https://docs.splunk.com/Documentation/AddOns/released/GitHub/Configureinputs
  -https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
drilldown_searches:
 name:'View the detection results for - "$user$"'
 search:'%original_detection_search% | search user = "$user$"'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
 name:'View risk events for the last 7 days for - "$user$"'
 search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'GitHub Malicious Activity'
  asset_type:GitHub
  mitre_attack_id:
    - 'T1562.001'
    - 'T1195'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  security_domain:network

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_dependabot/github.json
  source: github
  sourcetype: github:cloud:audit
manual_test:None