| ID | Technique | Tactic |
|---|---|---|
| T1204.003 | Malicious Image | Execution |
| T1204 | User Execution | Execution |
Detection: Risk Rule for Dev Sec Ops by Repository
Description
The following analytic identifies high-risk activities within repositories by correlating repository data with risk scores. It leverages risk events from the Dev Sec Ops analytic stories, summing risk scores and capturing source and user information. The detection focuses on high-risk scores above 100 and sources with more than three occurrences. This activity is significant as it highlights repositories frequently targeted by threats, providing insights into potential vulnerabilities. If confirmed malicious, attackers could exploit these repositories, leading to data breaches or infrastructure compromise.
Search
1
2| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as sum_risk_score, values(All_Risk.annotations.mitre_attack.mitre_tactic) as annotations.mitre_attack.mitre_tactic, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Dev Sec Ops" All_Risk.risk_object_type = "other" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
3| `drop_dm_object_name(All_Risk)`
4| `security_content_ctime(firstTime)`
5| `security_content_ctime(lastTime)`
6| where source_count > 3 and sum_risk_score > 100
7| `risk_rule_for_dev_sec_ops_by_repository_filter`
Data Source
| Name | Platform | Sourcetype | Source | Supported App |
|---|---|---|---|---|
| N/A | N/A | N/A | N/A | N/A |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| risk_rule_for_dev_sec_ops_by_repository_filter | search * |
risk_rule_for_dev_sec_ops_by_repository_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
KillChainPhase.INSTALLATION
NistCategory.DE_AE
Cis18Value.CIS_10
TeamTNT
LAPSUS$
Scattered Spider
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | False |
This configuration file applies to all detections of type Correlation. These correlations will generate Notable Events.
Implementation
Ensure that all relevant detections in the Dev Sec Ops analytic stories are enabled and are configured to create risk events in Enterprise Security.
Known False Positives
Unknown
Associated Analytic Story
Risk Based Analytics (RBA)
| Risk Message | Risk Score | Impact | Confidence |
|---|---|---|---|
| Correlation triggered for repository $risk_object$ | 70 | 70 | 100 |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | aws_ecr_risk_dataset.log |
stash |
| Integration | ✅ Passing | Dataset | aws_ecr_risk_dataset.log |
stash |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 2