← Back to Explore
splunk_escuAnomaly
GitHub Enterprise Disable Dependabot
The following analytic detects when a user disables Dependabot security features within a GitHub repository. Dependabot helps automatically identify and fix security vulnerabilities in dependencies. The detection monitors GitHub Enterprise logs for configuration changes that disable Dependabot functionality. This behavior could indicate an attacker attempting to prevent the automatic detection of vulnerable dependencies, which would allow them to exploit known vulnerabilities that would otherwise be patched. For a SOC, identifying the disabling of security features like Dependabot is critical as it may be a precursor to supply chain attacks where attackers exploit vulnerable dependencies. The impact could be severe if vulnerabilities remain unpatched, potentially leading to code execution, data theft, or other compromises through the software supply chain.
Detection Query
`github_enterprise` action=repository_vulnerability_alerts.disable
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY actor, actor_id, actor_ip,
actor_is_bot, actor_location.country_code, business,
business_id, org, org_id,
repo, repo_id, user,
user_agent, user_id, action
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_enterprise_disable_dependabot_filter`Author
Patrick Bareiss, Splunk
Created
2026-03-10
Data Sources
GitHub Enterprise Audit Logs
References
- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
Tags
GitHub Malicious Activity
Raw Content
name: GitHub Enterprise Disable Dependabot
id: 787dd1c1-eb3a-4a31-8e8c-2ad24b214bc8
version: 5
date: '2026-03-10'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
description: The following analytic detects when a user disables Dependabot security features within a GitHub repository. Dependabot helps automatically identify and fix security vulnerabilities in dependencies. The detection monitors GitHub Enterprise logs for configuration changes that disable Dependabot functionality. This behavior could indicate an attacker attempting to prevent the automatic detection of vulnerable dependencies, which would allow them to exploit known vulnerabilities that would otherwise be patched. For a SOC, identifying the disabling of security features like Dependabot is critical as it may be a precursor to supply chain attacks where attackers exploit vulnerable dependencies. The impact could be severe if vulnerabilities remain unpatched, potentially leading to code execution, data theft, or other compromises through the software supply chain.
data_source:
- GitHub Enterprise Audit Logs
search: |-
`github_enterprise` action=repository_vulnerability_alerts.disable
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY actor, actor_id, actor_ip,
actor_is_bot, actor_location.country_code, business,
business_id, org, org_id,
repo, repo_id, user,
user_agent, user_id, action
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_enterprise_disable_dependabot_filter`
how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
known_false_positives: No false positives have been identified at this time.
references:
- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
drilldown_searches:
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: Dependabot security features are disabled in repository $repo$ by $user$
risk_objects:
- field: user
type: user
score: 20
threat_objects:
- field: user_agent
type: http_user_agent
tags:
analytic_story:
- GitHub Malicious Activity
asset_type: GitHub
mitre_attack_id:
- T1562.001
- T1195
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/disable_dependabot/github.json
source: http:github
sourcetype: httpevent