LoFP / admin can do changes directly to master branch

Techniques

Sample rules

Github Commit Changes In Master

Description

This search detects a push or commit to the master or main branch. The aim is to prevent unwanted modification of master without a review of the changes. Ideally, in DevSecOps terms, changes are made in a branch and submitted as a PR for review. Of course, in some cases an admin of the project may make changes directly to the master branch.

Detection logic

`github` branches{}.name = main OR branches{}.name = master 
|  stats count min(_time) as firstTime max(_time) as lastTime by commit.commit.author.email commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date repository.full_name 
| rename commit.author.login as user, repository.full_name as repository 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `github_commit_changes_in_master_filter`
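
Added example, not part of the original rule: the same selection and grouping in Python over constructed events, with an `allowed_users` list to suppress the known false positive of an admin committing directly. `allowed_users` is hypothetical and stands in for tuning done in the trailing filter macro, whose contents the page does not show; the grouping uses a subset of the search's `by` fields, and all event values are constructed.

```python
from collections import defaultdict

PROTECTED = {"main", "master"}

def event(ts, branches, login, email, message, repo):
    """Build a constructed event with the nested fields the search reads."""
    return {
        "_time": ts,
        "branches": [{"name": b} for b in branches],
        "commit": {"author": {"login": login},
                   "commit": {"author": {"email": email}, "message": message}},
        "repository": {"full_name": repo},
    }

# Constructed sample data, not real GitHub events.
EVENTS = [
    event(100, ["main"], "alice-admin", "alice@example.com", "hotfix", "example-org/app"),
    event(160, ["main"], "alice-admin", "alice@example.com", "hotfix", "example-org/app"),
    event(200, ["feature/login"], "bob", "bob@example.com", "wip", "example-org/app"),
    event(300, ["feature/x", "master"], "carol", "carol@example.com", "merge", "example-org/lib"),
]

def detect(events, allowed_users=frozenset()):
    """Count events on main/master per (user, repository, message).

    allowed_users is a hypothetical tuning list (assumption): accounts whose
    direct commits are expected, such as project admins.
    """
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        # branches{}.name is multivalued: one matching branch is enough.
        if not PROTECTED & {b.get("name") for b in ev.get("branches", [])}:
            continue
        user = ev["commit"]["author"]["login"]
        if user in allowed_users:
            continue
        key = (user, ev["repository"]["full_name"], ev["commit"]["commit"]["message"])
        g, t = groups[key], ev["_time"]
        g["count"] += 1
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
    return dict(groups)

if __name__ == "__main__":
    for key, g in detect(EVENTS).items():
        print(key, g)
```
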