Techniques
Sample rules
Github Commit In Develop
- source: splunk
- techniques:
- T1199
Description
The following analytic detects commits pushed directly to the ‘develop’ or ‘main’ branches in a GitHub repository. It leverages GitHub logs, focusing on commit metadata such as author details, commit messages, and timestamps. This activity is significant as direct commits to these branches can bypass the review process, potentially introducing unvetted changes. If confirmed malicious, this could lead to unauthorized code modifications, introducing vulnerabilities or backdoors into the codebase, and compromising the integrity of the development lifecycle.
Detection logic
`github` branches{}.name = main OR branches{}.name = develop
| stats count min(_time) as firstTime max(_time) as lastTime by commit.author.html_url commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date
| eval phase="code"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_commit_in_develop_filter`
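The search above is SPL and cannot be run outside Splunk, so the following is an added Python re-implementation of its logic (example code, not Splunk's or the security content project's own) run over a few constructed events. It assumes one JSON object per commit with the same nested field names the search references (`branches[].name`, `commit.author.login`, `commit.commit.author.email`, and so on), that `_time` is taken from `commit.commit.committer.date`, and that `security_content_ctime` renders timestamps as `%Y-%m-%dT%H:%M:%S`. The sample filter function stands in for the empty `github_commit_in_develop_filter` macro and shows the one tuning most teams need immediately: the search keys on branch name only, so a merge commit produced by a reviewed pull request matches exactly like a direct push, and the exclusion has to go in the filter.

```python
"""Python re-implementation of the 'Github Commit In Develop' search logic.

Added example, not Splunk code. Field names follow the SPL search; the event
shape, the choice of committer.date as _time, and the sample filter are assumptions.
"""
import json
from datetime import datetime

WATCHED_BRANCHES = {"main", "develop"}

# stats ... by <these fields> (dotted paths into the event JSON)
GROUP_BY = (
    "commit.author.html_url",
    "commit.commit.author.email",
    "commit.author.login",
    "commit.commit.message",
    "repository.pushed_at",
    "commit.commit.committer.date",
)

# Constructed sample events, not real GitHub data.
SAMPLE_EVENTS = [
    {   # direct commit to main: should be reported
        "branches": [{"name": "main"}],
        "repository": {"pushed_at": "2024-05-01T10:16:02Z"},
        "commit": {
            "author": {"login": "alice", "html_url": "https://github.com/alice"},
            "commit": {
                "author": {"email": "alice@example.com"},
                "committer": {"date": "2024-05-01T10:15:00Z"},
                "message": "hotfix: skip TLS verification in deploy script",
            },
        },
    },
    {   # feature branch: not in scope of the search
        "branches": [{"name": "feature/login-ui"}],
        "repository": {"pushed_at": "2024-05-01T11:00:00Z"},
        "commit": {
            "author": {"login": "carol", "html_url": "https://github.com/carol"},
            "commit": {
                "author": {"email": "carol@example.com"},
                "committer": {"date": "2024-05-01T10:59:30Z"},
                "message": "add login form validation",
            },
        },
    },
    {   # PR merge into develop: matches the search, typically excluded by the filter macro
        "branches": [{"name": "develop"}],
        "repository": {"pushed_at": "2024-05-02T09:30:10Z"},
        "commit": {
            "author": {"login": "bob", "html_url": "https://github.com/bob"},
            "commit": {
                "author": {"email": "bob@example.com"},
                "committer": {"date": "2024-05-02T09:30:00Z"},
                "message": "Merge pull request #42 from example/feature-login-ui",
            },
        },
    },
]


def get_path(obj, path):
    """Resolve a dotted path such as 'commit.commit.author.email'; None if any part is missing."""
    cur = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(event):
    """`github` branches{}.name = main OR branches{}.name = develop"""
    return any(b.get("name") in WATCHED_BRANCHES for b in event.get("branches", []))


def event_time(event):
    """_time for the event; assumed to be commit.commit.committer.date (ISO 8601, UTC)."""
    return datetime.fromisoformat(get_path(event, "commit.commit.committer.date").replace("Z", "+00:00"))


def ctime(ts):
    """Stand-in for `security_content_ctime`: render a datetime as %Y-%m-%dT%H:%M:%S (assumed format)."""
    return ts.strftime("%Y-%m-%dT%H:%M:%S")


def exclude_pr_merges(row):
    """Example body for `github_commit_in_develop_filter`: drop merge commits created by pull requests."""
    return not row["commit.commit.message"].startswith("Merge pull request")


def detect(events, filter_fn=lambda row: True):
    """stats count min(_time) firstTime max(_time) lastTime by GROUP_BY | eval phase="code" | filter."""
    rows = {}
    for ev in events:
        if not matches(ev):
            continue
        key = tuple(get_path(ev, f) for f in GROUP_BY)
        t = event_time(ev)
        agg = rows.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        agg["count"] += 1
        agg["firstTime"] = min(agg["firstTime"], t)
        agg["lastTime"] = max(agg["lastTime"], t)

    results = []
    for key, agg in rows.items():
        row = dict(zip(GROUP_BY, key))
        row["count"] = agg["count"]
        row["firstTime"] = ctime(agg["firstTime"])
        row["lastTime"] = ctime(agg["lastTime"])
        row["phase"] = "code"
        if filter_fn(row):
            results.append(row)
    return results


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS, filter_fn=exclude_pr_merges):
        print(json.dumps(row))
```

Without the filter, both the direct push by alice and bob's pull-request merge into develop are reported; with `exclude_pr_merges` only alice's commit remains. Whether merge commits should be excluded, or rather correlated with a matching reviewed pull request, is a policy decision for the team, but the rule as written gives no such distinction on its own.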