Detection: GitHub Enterprise Disable Audit Log Event Stream

Updated Date: 2025-01-16 ID: 7bc111cc-7f1b-4be7-99fa-50cf8d2e7564 Author: Patrick Bareiss, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic detects when a user disables audit log event streaming in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for configuration changes that disable the audit log streaming functionality, which is used to send audit events to security monitoring platforms. This behavior could indicate an attacker attempting to prevent their malicious activities from being logged and detected by disabling the audit trail. For a SOC, identifying the disabling of audit logging is critical as it may be a precursor to other attacks where adversaries want to operate undetected. The impact could be severe as organizations lose visibility into user actions, configuration changes, and security events within their GitHub Enterprise environment, potentially allowing attackers to perform malicious activities without detection. This creates a significant blind spot in security monitoring and incident response capabilities.

Search

1`github_enterprise` action=audit_log_streaming.destroy 
2| fillnull 
3| stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, user_agent, action 
4| eval user=actor 
5| `security_content_ctime(firstTime)` 
6| `security_content_ctime(lastTime)` 
7| `github_enterprise_disable_audit_log_event_stream_filter`

Data Source

Name	Platform	Sourcetype	Source
GitHub Enterprise Audit Logs	N/A	`'httpevent'`	`'http:github'`

Macros Used

Name	Value
github_enterprise	`source=http:github sourcetype=httpevent`
github_enterprise_disable_audit_log_event_stream_filter	`search *`

github_enterprise_disable_audit_log_event_stream_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1562.008	Disable or Modify Cloud Logs	Defense Evasion
T1195	Supply Chain Compromise	Initial Access

Delivery

Exploitation

DE.AE

CIS 13

Ember Bear

Sandworm Team

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	True

This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.

Known False Positives

unknown

Associated Analytic Story

GitHub Malicious Activity

Risk Based Analytics (RBA)

Risk Message:

Audit log event streaming is disabled by $user$

Risk Object	Risk Object Type	Risk Score	Threat Objects
user	user	25	user_agent

References

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`http:github`	`httpevent`
Integration	✅ Passing	Dataset	`http:github`	`httpevent`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1