Detection rules › Splunk
GitHub Organizations Disable Classic Branch Protection Rule
The following analytic detects when classic branch protection rules are disabled in GitHub Organizations. The detection monitors GitHub Organizations audit logs for branch protection removal events by tracking actor details, repository information, and associated metadata. For a SOC, identifying disabled branch protection is critical as it could indicate attempts to bypass code review requirements and security controls. Branch protection rules are essential security controls that enforce code review, prevent force pushes, and maintain code quality. Disabling these protections could allow malicious actors to directly push unauthorized code changes or backdoors to protected branches. The impact of disabled branch protection includes potential code tampering, bypass of security reviews, introduction of vulnerabilities or malicious code, and compromise of software supply chain integrity. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting to inject malicious code.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1195 Supply Chain Compromise |
| Defense Impairment | T1685 Disable or Modify Tools |
Rule body splunk
name: GitHub Organizations Disable Classic Branch Protection Rule
id: 33cffee0-41ee-402e-a238-d37825f2d788
version: 9
creation_date: '2025-01-15'
modification_date: '2026-05-13'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
description: The following analytic detects when classic branch protection rules are disabled in GitHub Organizations. The detection monitors GitHub Organizations audit logs for branch protection removal events by tracking actor details, repository information, and associated metadata. For a SOC, identifying disabled branch protection is critical as it could indicate attempts to bypass code review requirements and security controls. Branch protection rules are essential security controls that enforce code review, prevent force pushes, and maintain code quality. Disabling these protections could allow malicious actors to directly push unauthorized code changes or backdoors to protected branches. The impact of disabled branch protection includes potential code tampering, bypass of security reviews, introduction of vulnerabilities or malicious code, and compromise of software supply chain integrity. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting to inject malicious code.
data_source:
- GitHub Organizations Audit Logs
search: |-
`github_organizations` vendor_action=protected_branch.destroy
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY actor, actor_id, actor_ip,
actor_is_bot, actor_location.country_code, business,
business_id, org, org_id,
repo, repo_id, user_agent,
vendor_action, name
| eval user=actor
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_organizations_disable_classic_branch_protection_rule_filter`
how_to_implement: You must ingest GitHub Organizations logs using Splunk Add-on for Github using a Personal Access Token https://splunk.github.io/splunk-add-on-for-github-audit-log-monitoring/Install/ .
known_false_positives: No false positives have been identified at this time.
references:
- https://splunk.github.io/splunk-add-on-for-github-audit-log-monitoring/Install/
- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
drilldown_searches:
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
intermediate_findings:
entities:
- field: user
type: user
score: 20
message: $user$ disabled a classic branch protection rule in repo $repo$
threat_objects:
- field: user_agent
type: http_user_agent
analytic_story:
- GitHub Malicious Activity
asset_type: GitHub
mitre_attack_id:
- T1685
- T1195
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: cloud
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_disable_classic_branch_protection/github.json
source: github
sourcetype: github:cloud:audit
test_type: unit
Stages and Predicates
Stage 1: search
`github_organizations` vendor_action=protected_branch.destroy
Stage 2: fillnull
| fillnull
Stage 3: stats
| stats count min(_time) as firstTime max(_time) as lastTime
BY actor, actor_id, actor_ip,
actor_is_bot, actor_location.country_code, business,
business_id, org, org_id,
repo, repo_id, user_agent,
vendor_action, name
Stage 4: eval
| eval user=actor
Stage 5: search
| `security_content_ctime(firstTime)`
Stage 6: search
| `security_content_ctime(lastTime)`
Stage 7: search
| `github_organizations_disable_classic_branch_protection_rule_filter`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
sourcetype | eq |
|
vendor_action | eq |
|