
feat(sigma): Jenkins detections (product: jenkins)#22

Merged
Gerrrt merged 2 commits into
mainfrom
claude/dotfiles-round-7-github-b8nut0
Jul 2, 2026

Conversation

Gerrrt (Collaborator) commented Jul 2, 2026

Round 13 — Jenkins CI/CD (Defense mirror)

New detections/sigma/jenkins/ platform dir mirroring the htpx Jenkins pairs — the first product: jenkins logsource. The Jenkins Audit Trail plugin log is request-URI/line-based (not structured JSON), so these use Sigma keywords matching.

| Rule | Match | ATT&CK | Validate with (htpx pair) |
| --- | --- | --- | --- |
| jenkins_script_console | /script / /scriptText | T1059 | jenkins-script-console |
| jenkins_api_token_created | generateNewToken | T1098 | jenkins-api-token |
| jenkins_job_backdoor | /createItem / /configSubmit | T1072 | jenkins-job-backdoor |

Also wires the new dir into the generator: jenkins added to gen-siem.sh's NONWIN_DIRS, savedsearches.generated.conf regenerated (now 46 rules) so the drift gate stays green.

Gate (run locally, pinned to CI)

  • sigma check --fail-on-issues -c detections/sigma-validation-config.yml detections/sigma/ → 0 issues
  • detections/sigma/convert.sh splunk → compiles
  • detections/siem/gen-siem.sh --check → up to date

README: new jenkins/ section, logsource note (…|terraform|jenkins), rule count 43 → 46.

🤖 Generated with Claude Code


Generated by Claude Code

New detections/sigma/jenkins/ platform dir mirroring the htpx Jenkins CI/CD pairs —
the first product: jenkins logsource. The Jenkins Audit Trail plugin log is
request-URI/line-based (not structured JSON), so these use Sigma `keywords` matching;
all three lint clean and compile to Splunk:

- jenkins_script_console — /script / /scriptText (T1059)
- jenkins_api_token_created — generateNewToken (T1098)
- jenkins_job_backdoor — /createItem / /configSubmit (T1072)

Also wire the dir into the deploy-form generator: add `jenkins` to gen-siem.sh's
NONWIN_DIRS and regenerate savedsearches.generated.conf (now 46 rules) so the drift
gate stays green. README: new jenkins/ section, logsource note, count 43→46.

Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011spYcGfeP4a3RNQQVDrGtW
Copilot AI review requested due to automatic review settings July 2, 2026 06:35
Address Copilot review: the keyword model matched bare substrings, so
`/configSubmit` also caught the global system-config form and `generateNewToken`
could overmatch. Switch the three jenkins/ rules to a `uri` field:

- jenkins_script_console — uri|contains /scriptText, /script
- jenkins_api_token_created — uri|contains ApiTokenProperty/generateNewToken
- jenkins_job_backdoor — /createItem OR (uri|contains|all /job/ + /configSubmit),
  scoping the reconfigure match to job URIs

Regenerated savedsearches.generated.conf; sigma check + convert + gen-siem --check
all green. README: scoped rows + corrected detection-model note.

Co-Authored-By: Claude <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_011spYcGfeP4a3RNQQVDrGtW
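The keyword-versus-`uri` distinction from the second commit, as an added example that is not part of the PR or its rule files. It re-implements both matching models in plain Python over constructed Audit Trail lines (the `<timestamp> <uri> by <user>` line shape is an assumption; adjust the regex to your plugin's configured output) and shows that the bare `/configSubmit` keyword flags the global Configure System submit while the `/job/`-scoped version does not. The tightened Script Console matcher at the end is a suggestion of this example, not something the PR ships: `uri|contains /script` still matches any URI containing that substring, including the in-process `/scriptApproval/` page.

```python
"""Added example (not from the PR): keyword vs. uri-field matching over
Jenkins Audit Trail lines, reproducing the /configSubmit overmatch the
review caught and the /job/-scoped fix from the follow-up commit."""
import re

# Assumed line shape: "<timestamp> <request-uri> by <user>". The timestamp
# prefix varies by Audit Trail configuration, so only the tail is anchored.
LINE_RE = re.compile(r"(?P<uri>/\S*) by (?P<user>\S+)$")

# Constructed sample lines (not real logs). Line 3 is the global Configure
# System form post; line 4 is a job reconfigure; line 7 is script approval.
SAMPLE_LOG = [
    "Jul 02, 2026 06:35:01 AM /script by alice",
    "Jul 02, 2026 06:35:02 AM /scriptText by ci-bot",
    "Jul 02, 2026 06:35:03 AM /configSubmit by admin",
    "Jul 02, 2026 06:35:04 AM /job/deploy-prod/configSubmit by mallory",
    "Jul 02, 2026 06:35:05 AM /createItem?name=backdoor&mode=hudson.model.FreeStyleProject by mallory",
    "Jul 02, 2026 06:35:06 AM /user/mallory/descriptorByName/jenkins.security.ApiTokenProperty/generateNewToken by mallory",
    "Jul 02, 2026 06:35:07 AM /scriptApproval/ by admin",
    "Jul 02, 2026 06:35:08 AM /job/deploy-prod/build by ci-bot",
]

# Model 1: the original Sigma `keywords` lists, i.e. bare substring matches
# against the whole raw line.
KEYWORD_RULES = {
    "jenkins_script_console":    ["/script", "/scriptText"],
    "jenkins_api_token_created": ["generateNewToken"],
    "jenkins_job_backdoor":      ["/createItem", "/configSubmit"],
}


def parse_event(line):
    """Extract {'uri': ..., 'user': ...} from a line, or None if no URI found."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def keyword_hits(line):
    """Rule names whose keyword list matches anywhere in the raw line."""
    return sorted(n for n, kws in KEYWORD_RULES.items() if any(k in line for k in kws))


def uri_hits(uri):
    """Model 2: the revised uri-field selections from the second commit."""
    hits = []
    if "/scriptText" in uri or "/script" in uri:          # uri|contains
        hits.append("jenkins_script_console")
    if "ApiTokenProperty/generateNewToken" in uri:          # uri|contains
        hits.append("jenkins_api_token_created")
    # /createItem OR (uri|contains|all: /job/ and /configSubmit)
    if "/createItem" in uri or ("/job/" in uri and "/configSubmit" in uri):
        hits.append("jenkins_job_backdoor")
    return hits


def run(lines):
    """Evaluate both models; returns {uri: (keyword_hits, uri_hits)}."""
    out = {}
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            out[ev["uri"]] = (keyword_hits(line), uri_hits(ev["uri"]))
    return out


def keyword_only_hits(lines):
    """URIs the keyword model flags that the uri model does not (the overmatch)."""
    return sorted(u for u, (kw, ur) in run(lines).items() if set(kw) - set(ur))


# Suggested tightening (this example's idea, not the PR's rule): match
# "script" or "scriptText" only as a whole path segment, so /scriptApproval/
# no longer trips the Script Console rule.
SCRIPT_CONSOLE_RE = re.compile(r"(?:^|/)script(?:Text)?(?:/|\?|$)")


def tightened_script_console(uri):
    return SCRIPT_CONSOLE_RE.search(uri) is not None


if __name__ == "__main__":
    for uri, (kw, ur) in run(SAMPLE_LOG).items():
        print(f"{uri:<75} keywords={kw} uri={ur}")
    print("keyword-only hits:", keyword_only_hits(SAMPLE_LOG))
```

Run as-is, the only keyword-only hit is the global `/configSubmit`, which is exactly the false positive the review flagged; `/job/deploy-prod/configSubmit` and `/createItem` are caught by both models. Note that the `/job/` scope also excludes non-job `configSubmit` posts you may still care about, so confirm against your own instance which forms post there before relying on it.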

Copilot AI left a comment


Pull request overview

Adds initial Jenkins Sigma detection coverage (Audit Trail plugin, product: jenkins, service: audit) and wires it through the SIEM generation pipeline so Splunk saved searches are generated/kept in sync.

Changes:

  • Introduces 3 new Jenkins Sigma rules using keyword/URI matching for unstructured Audit Trail log lines.
  • Adds jenkins to the SIEM generator’s non-Windows platform directory list and regenerates Splunk savedsearches.generated.conf.
  • Updates detections/README.md to document the new Jenkins platform section and updated rule/document counts.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| detections/sigma/jenkins/jenkins_script_console.yml | New Jenkins rule detecting Script Console access via /script / /scriptText. |
| detections/sigma/jenkins/jenkins_job_backdoor.yml | New Jenkins rule detecting job creation/reconfiguration-related endpoints. |
| detections/sigma/jenkins/jenkins_api_token_created.yml | New Jenkins rule detecting API token creation activity. |
| detections/siem/splunk/savedsearches.generated.conf | Regenerated Splunk saved searches to include the new Jenkins rules. |
| detections/siem/gen-siem.sh | Adds jenkins to NONWIN_DIRS so the generator includes the new platform directory. |
| detections/README.md | Documents the Jenkins logsource and updates rule/document counts. |


Review comment threads (outdated):
  • detections/sigma/jenkins/jenkins_api_token_created.yml
  • detections/sigma/jenkins/jenkins_job_backdoor.yml
@Gerrrt Gerrrt merged commit 80c5d24 into main Jul 2, 2026
4 checks passed