Splunk Lantern

Log4j exposure in Github projects


If you are a software developer and your source code is in a GitHub Organization or Enterprise, you can use GitHub's security features to alert on vulnerable dependencies such as Log4j. By using the GitHub Audit Log Monitoring Add-On for Splunk and the GitHub App for Splunk, you can see those vulnerabilities in Splunk as soon as GitHub detects them.

This search shows an example of an alert indicating a project (in this case a previous version of Apache Struts) that includes a dependency on a vulnerable version of log4j-api.

Required data

Procedure

Here's a video detailing how to configure ingestion of GitHub audit log data into Splunk. To get the most comprehensive security data from GitHub, you need to collect WebHook data using the Splunk HTTP Event Collector. Configuration instructions for WebHook data can be found here.

Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype=github_json "alert.affected_package_name"="org.apache.logging.log4j:log4j-api"

Search explanation

The table below explains what each part of this search achieves.

Splunk Search | Explanation
sourcetype=github_json "alert.affected_package_name"="org.apache.logging.log4j:log4j-api" | Search the github_json sourcetype for projects that include dependencies on a vulnerable version of log4j-api.
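As an added illustration that is not part of the original Lantern article, the following Python reproduces the search logic offline so you can see why the dotted field name in the SPL matches a nested JSON key. Splunk auto-extracts nested JSON into dotted field names, so "alert.affected_package_name" in the search refers to the affected_package_name key inside the alert object of each GitHub webhook event. The sample events are constructed; their field layout is assumed from GitHub's repository_vulnerability_alert webhook (action, repository.full_name, alert.affected_package_name, alert.affected_range, alert.fixed_in, alert.severity), the second sourcetype name is invented, and the open_only switch is this example's own addition to show that the published search also matches resolved or dismissed alerts.

```python
"""Replay the Lantern search over constructed GitHub alert webhook events."""
import json

# Constructed Splunk-style events: sourcetype is Splunk metadata, _raw is the
# webhook body. Field names follow GitHub's repository_vulnerability_alert event
# (an assumption); repositories, identifiers and versions are invented samples.
SAMPLE_EVENTS = [
    {"sourcetype": "github_json", "_raw": json.dumps({
        "action": "create",
        "repository": {"full_name": "example-org/struts-fork"},
        "alert": {"affected_package_name": "org.apache.logging.log4j:log4j-api",
                  "affected_range": "< 2.15.0", "fixed_in": "2.15.0",
                  "severity": "critical", "external_identifier": "CVE-PLACEHOLDER"}})},
    {"sourcetype": "github_json", "_raw": json.dumps({
        "action": "create",
        "repository": {"full_name": "example-org/webapp"},
        "alert": {"affected_package_name": "org.apache.logging.log4j:log4j-core",
                  "affected_range": "< 2.15.0", "fixed_in": "2.15.0",
                  "severity": "critical", "external_identifier": "CVE-PLACEHOLDER"}})},
    {"sourcetype": "github_json", "_raw": json.dumps({
        "action": "resolve",
        "repository": {"full_name": "example-org/struts-fork"},
        "alert": {"affected_package_name": "org.apache.logging.log4j:log4j-api",
                  "affected_range": "< 2.15.0", "fixed_in": "2.15.0",
                  "severity": "critical", "external_identifier": "CVE-PLACEHOLDER"}})},
    # Same alert content but a different (invented) sourcetype: the search must skip it.
    {"sourcetype": "github_audit_example", "_raw": json.dumps({
        "action": "create",
        "repository": {"full_name": "example-org/other"},
        "alert": {"affected_package_name": "org.apache.logging.log4j:log4j-api"}})},
]

LOG4J_API = "org.apache.logging.log4j:log4j-api"


def flatten(obj, prefix=""):
    """Flatten nested JSON into Splunk-style dotted field names (a.b.c)."""
    fields = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            fields.update(flatten(value, name + "."))
        else:
            fields[name] = value
    return fields


def matches_search(event, package=LOG4J_API):
    """Equivalent of: sourcetype=github_json "alert.affected_package_name"="<package>"."""
    if event.get("sourcetype") != "github_json":
        return False
    fields = flatten(json.loads(event["_raw"]))
    return fields.get("alert.affected_package_name") == package


def log4j_alerts(events, package=LOG4J_API, open_only=False):
    """Return a summary row per matching event, like a Splunk table command.

    open_only=True keeps only newly created alerts; the published search itself
    also returns resolve/dismiss events, so a count of matches is not a count of
    currently unpatched projects.
    """
    rows = []
    for event in events:
        if not matches_search(event, package):
            continue
        fields = flatten(json.loads(event["_raw"]))
        if open_only and fields.get("action") != "create":
            continue
        rows.append({
            "repository": fields.get("repository.full_name"),
            "action": fields.get("action"),
            "affected_range": fields.get("alert.affected_range"),
            "fixed_in": fields.get("alert.fixed_in"),
            "severity": fields.get("alert.severity"),
        })
    return rows


if __name__ == "__main__":
    for row in log4j_alerts(SAMPLE_EVENTS):
        print(row)
    print("open alerts:", log4j_alerts(SAMPLE_EVENTS, open_only=True))
```

Note that the search on this page names only log4j-api; the second sample event shows that an alert on log4j-core would not be returned unless you run the search again with that package name (or widen the filter to the whole org.apache.logging.log4j group).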

Next steps

Here are example results from this search:

You can use this data to drive alerts, identify projects that need patching, or add context to other data in a Splunk deployment.

Finally, you might be interested in other processes associated with the Detecting Log4j remote code execution use case.