EXPLORE
Sign In
← Back to Explore
splunk_escuCorrelation

Risk Rule for Dev Sec Ops by Repository

The following analytic identifies high-risk activities within repositories by correlating repository data with risk scores. It leverages findings and intermediate findings created by detections from the Dev Sec Ops analytic stories, summing risk scores and capturing source and user information. The detection focuses on high-risk scores above 100 and sources with more than three occurrences. This activity is significant as it highlights repositories frequently targeted by threats, providing insights into potential vulnerabilities. If confirmed malicious, attackers could exploit these repositories, leading to data breaches or infrastructure compromise.

MITRE ATT&CK

T1204.003

Detection Query

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as sum_risk_score, values(All_Risk.annotations.mitre_attack.mitre_tactic) as annotations.mitre_attack.mitre_tactic, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count values(source) as source, dc(source) as source_count FROM datamodel=Risk.All_Risk
  WHERE All_Risk.analyticstories="Dev Sec Ops" All_Risk.risk_object_type = "other"
  BY All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count > 3 and sum_risk_score > 100
| `risk_rule_for_dev_sec_ops_by_repository_filter`

Author

Bhavin Patel

Created

2026-02-25

Tags

Dev Sec Ops
Raw Content
name: Risk Rule for Dev Sec Ops by Repository
id: 161bc0ca-4651-4c13-9c27-27770660cf67
version: 10
date: '2026-02-25'
author: Bhavin Patel
status: production
type: Correlation
description: The following analytic identifies high-risk activities within repositories by correlating repository data with risk scores. It leverages findings and intermediate findings created by detections from the Dev Sec Ops analytic stories, summing risk scores and capturing source and user information. The detection focuses on high-risk scores above 100 and sources with more than three occurrences. This activity is significant as it highlights repositories frequently targeted by threats, providing insights into potential vulnerabilities. If confirmed malicious, attackers could exploit these repositories, leading to data breaches or infrastructure compromise.
data_source: []
search: |-
    | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as sum_risk_score, values(All_Risk.annotations.mitre_attack.mitre_tactic) as annotations.mitre_attack.mitre_tactic, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count values(source) as source, dc(source) as source_count FROM datamodel=Risk.All_Risk
      WHERE All_Risk.analyticstories="Dev Sec Ops" All_Risk.risk_object_type = "other"
      BY All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
    | `drop_dm_object_name(All_Risk)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | where source_count > 3 and sum_risk_score > 100
    | `risk_rule_for_dev_sec_ops_by_repository_filter`
how_to_implement: Ensure that all relevant detections in the Dev Sec Ops analytic stories are enabled and are configured to create findings or intermediate findings in Enterprise Security.
known_false_positives: No false positives have been identified at this time.
references: []
drilldown_searches:
    - name: View the detection results for - "$risk_object$"
      search: '%original_detection_search% | search  risk_object = "$risk_object$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$risk_object$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
tags:
    analytic_story:
        - Dev Sec Ops
    asset_type: Amazon Elastic Container Registry
    mitre_attack_id:
        - T1204.003
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: threat
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/risk_dataset/aws_ecr_risk_dataset.log
          source: aws_ecr_risk_dataset.log
          sourcetype: stash