LoFP / admin can do changes directly to master branch

Techniques

Sample rules

Github Commit Changes In Master

Description

The following analytic detects commits pushed directly to the master or main branch of a GitHub repository. It leverages GitHub logs, matching events whose branch list includes main or master, and aggregates them by author login, author email, commit message, repository and push time so that each direct push surfaces as one result. This activity is significant because direct modifications to the master or main branch bypass the standard pull-request review process, potentially introducing unreviewed and harmful changes. If confirmed malicious, this could lead to unauthorized code execution, security vulnerabilities, or compromised project integrity. The known false positive is that administrators (and release automation running under admin accounts) may legitimately commit directly to master; tune those accounts out in the `github_commit_changes_in_master_filter` macro rather than disabling the detection, and treat any remaining hits as review-bypass events to be verified against the repository's branch-protection settings.

Detection logic

`github` branches{}.name = main OR branches{}.name = master 
|  stats count min(_time) as firstTime max(_time) as lastTime by commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date repository.full_name 
| rename commit.author.login as user, repository.full_name as repository 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `github_commit_changes_in_master_filter`
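The search above, re-implemented in Python over constructed push events so its grouping and filtering can be exercised offline. This is an added example, not code from the Splunk detection or from GitHub: the event shape, the `make_event` helper, the sample accounts and repositories are assumptions chosen to mirror the field paths the SPL references (`branches{}.name`, `commit.*`, `repository.*`), `ctime` stands in for `security_content_ctime`, and the `admin_allowlist` argument plays the part of the `github_commit_changes_in_master_filter` macro for the documented false positive.

```python
"""Re-implementation of the search logic over constructed GitHub push events.

Added example; not code from the Splunk detection or from GitHub. Field names
mirror the SPL search. The admin_allowlist argument is the analogue of the
github_commit_changes_in_master_filter macro.
"""
from collections import defaultdict
from datetime import datetime, timezone

PROTECTED_BRANCHES = frozenset({"main", "master"})


def make_event(time, branches, login, email, message, committer_date, repo, pushed_at):
    """Build one event in the nested shape the SPL field paths assume (constructed)."""
    return {
        "_time": time,
        "branches": [{"name": b} for b in branches],
        "commit": {
            "author": {"login": login},
            "commit": {
                "author": {"email": email},
                "message": message,
                "committer": {"date": committer_date},
            },
        },
        "repository": {"full_name": repo, "pushed_at": pushed_at},
    }


# Constructed sample data, not real GitHub logs.
SAMPLE_EVENTS = [
    # Direct commit to main, ingested twice: stats should report count=2.
    make_event(1700000000, ["main"], "alice", "alice@example.com",
               "hotfix: bump version", "2023-11-14T22:13:10Z",
               "acme/api", "2023-11-14T22:13:15Z"),
    make_event(1700000030, ["main"], "alice", "alice@example.com",
               "hotfix: bump version", "2023-11-14T22:13:10Z",
               "acme/api", "2023-11-14T22:13:15Z"),
    # Feature-branch push: must not match.
    make_event(1700000100, ["feature/x"], "bob", "bob@example.com",
               "wip", "2023-11-14T22:14:50Z", "acme/api", "2023-11-14T22:14:55Z"),
    # Release automation committing to master: the known false positive.
    make_event(1700000200, ["master"], "release-bot", "bot@example.com",
               "release v1.2.0", "2023-11-14T22:16:30Z",
               "acme/web", "2023-11-14T22:16:35Z"),
    # Commit reachable from master and a feature branch: still matches.
    make_event(1700000300, ["feature/y", "master"], "mallory", "mallory@example.com",
               "update deps", "2023-11-14T22:18:10Z",
               "acme/api", "2023-11-14T22:18:15Z"),
]


def ctime(epoch):
    """Equivalent of security_content_ctime: epoch seconds -> ISO-8601 (UTC)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def touches_protected_branch(event):
    """branches{}.name = main OR branches{}.name = master"""
    return any(b.get("name") in PROTECTED_BRANCHES for b in event.get("branches", []))


def detect(events, admin_allowlist=frozenset()):
    """Run the search: branch filter, stats by <fields>, rename, ctime, filter macro."""
    groups = defaultdict(list)
    for ev in events:
        if not touches_protected_branch(ev):
            continue
        c = ev["commit"]
        key = (
            c["commit"]["author"]["email"],
            c["author"]["login"],
            c["commit"]["message"],
            ev["repository"]["pushed_at"],
            c["commit"]["committer"]["date"],
            ev["repository"]["full_name"],
        )
        groups[key].append(ev["_time"])

    rows = []
    for (email, login, message, pushed_at, committer_date, repo), times in groups.items():
        # Filter macro stage: drop accounts allowed to commit to master directly.
        if login in admin_allowlist:
            continue
        rows.append({
            "user": login,                 # rename commit.author.login as user
            "repository": repo,            # rename repository.full_name as repository
            "email": email,
            "message": message,
            "pushed_at": pushed_at,
            "committer_date": committer_date,
            "count": len(times),
            "firstTime": ctime(min(times)),
            "lastTime": ctime(max(times)),
        })
    return sorted(rows, key=lambda r: (r["repository"], r["user"], r["firstTime"]))


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS, admin_allowlist=frozenset({"release-bot"})):
        print(row)
```

Running it with an empty allowlist yields three results (alice with count 2, mallory, and the release bot); adding the bot's login to the allowlist drops its row the same way a tuned filter macro would, while the two human direct pushes remain for review.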