Splunk Search

Where to find some already created Splunk use cases for github webhook logs?

icehack
Observer

Does anyone know where I can find some already created Splunk use cases for github webhook logs?

I am having a really hard time googling for a dump of github based splunk searches because of the keyword github.

I am trying to look for commits in github with no approvals. I have identified the search for all commits and the search for finding approvals for those commits but I am unsure how to stich them together in a single query to produce actionable results.

The commit log and the approval log are separate logs but both have a unique identifier for the commit.

More info:

Here is the query for the approval and the corresponding log. These logs are heavily redacted and I am only including what is relevant. Logs come in through HEC so they are JSON.

 index=github action=submitted review.state=approved pull_request.head.sha!="" 

{
	action: submitted
	pull_request: {
		head: {
			sha: <commit-id>
		}
	}
	review: {
		state: approved
	}
}

Here is the log of the merge, it has no action so I'm using this query:

index=github after!="" 

{
	after: <commit-id>
	before: <previous-commit-id>
	enterprise: {}
	head_commit: {}
	organization: {}
	pusher: {}
	repository: {}
	sender: {}
}

I've been trying to create a table that includes both of these logs with no luck.

index=github after!="" 
[search index=github action=submitted review.state=approved pull_request.head.sha!="" 
|table pull_request.head.sha review.state 
| rename pull_request.head.sha as commit-id]
|table after 
|rename after as commit-id

So I am essentially looking for commit logs with no approval and trying to link the tables together with after/pull_request.head.sha as both of these values are unique commit ID's.

Ideally I would want to alert on each occurrence of an unapproved merge.

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)

Welcome back to Splunk Classroom Chronicles, our ongoing blog series that pulls back the curtain on Splunk ...

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...