Detection: GitHub Workflow File Creation or Modification

Description

The following analytic hunts for any creations or modifications to GitHub Actions workflow YAML files across the organization's Linux or Windows endpoints. This hunting query tracks all workflow file activity under .github/workflows directories to help defenders establish baselines of legitimate CI/CD workflow creation patterns, identify unusual or unauthorized changes, and detect anomalies that may indicate supply chain compromise. GitHub Actions workflows execute with privileged access to secrets and deployment credentials, making them high-value targets for attackers. By monitoring workflow file modifications over time, defenders can identify suspicious patterns such as unexpected workflow creation on developer workstations, modifications outside normal change windows, or activity in repositories that don't typically contain workflows. This data is essential for detecting supply chain attacks like Shai-Hulud that inject malicious workflows across multiple repositories.

Search

 1
 2| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
 3
 4from datamodel=Endpoint.Filesystem where
 5
 6Filesystem.file_path IN (
 7  "*/.github/workflows/*.yaml",
 8  "*/.github/workflows/*.yml",
 9  "*\\.github\\workflows\\*.yaml",
10  "*\\.github\\workflows\\*.yml"
11)
12
13by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time
14   Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user
15   Filesystem.vendor_product
16
17
18| `drop_dm_object_name(Filesystem)`
19
20| `security_content_ctime(firstTime)`
21
22| `security_content_ctime(lastTime)`
23
24| `github_workflow_file_creation_or_modification_filter`

Data Source

Name	Platform	Sourcetype	Source
Sysmon EventID 11	Windows	'XmlWinEventLog'	'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'
Sysmon for Linux EventID 11	Linux	'sysmon:linux'	'Syslog:Linux-Sysmon/Operational'

Macros Used

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Implementation

The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain filesystem events, specifically file creation events. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Filesystem node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.

Known False Positives

Legitimate engineering activity regularly creates workflow YAMLs. Suppress by repository path allowlisting, CI hosts, change windows, or approval timeframes.

Associated Analytic Story

• NPM Supply Chain Compromise

References

• https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem

• https://securelist.com/shai-hulud-worm-infects-500-npm-packages-in-a-supply-chain-attack/117547/

• https://github.com/SigmaHQ/sigma/pull/5658/files

• https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax

Detection Testing

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1