Name:Risk Rule for Dev Sec Ops by Repository id:161bc0ca-4651-4c13-9c27-27770660cf67 version:4 date:2024-10-22 author:Bhavin Patel status:production type:Correlation Description:The following analytic identifies high-risk activities within repositories by correlating repository data with risk scores. It leverages risk events from the Dev Sec Ops analytic stories, summing risk scores and capturing source and user information. The detection focuses on high-risk scores above 100 and sources with more than three occurrences. This activity is significant as it highlights repositories frequently targeted by threats, providing insights into potential vulnerabilities. If confirmed malicious, attackers could exploit these repositories, leading to data breaches or infrastructure compromise. Data_source:
search:| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as sum_risk_score, values(All_Risk.annotations.mitre_attack.mitre_tactic) as annotations.mitre_attack.mitre_tactic, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Dev Sec Ops" All_Risk.risk_object_type = "other" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count > 3 and sum_risk_score > 100 | `risk_rule_for_dev_sec_ops_by_repository_filter`
how_to_implement:Ensure that all relevant detections in the Dev Sec Ops analytic stories are enabled and are configured to create risk events in Enterprise Security. known_false_positives:Unknown References: drilldown_searches: name:'View the detection results for - "$risk_object$"' search:'%original_detection_search% | search risk_object = "$risk_object$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$risk_object$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Dev Sec Ops' asset_type:Amazon Elastic Container Registry confidence:100 impact:70 message:Correlation triggered for repository $risk_object$ mitre_attack_id: - 'T1204.003' - 'T1204' observable: name:'risk_object' type:'Other' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' risk_score:70 security_domain:threat
