Merge PR #4749 from @faisalusuf - Add new rules for GitHub secret scanning and push protection features

new: Github Push Protection Bypass Detected
new: Github Push Protection Disabled
new: Github Secret Scanning Feature Disabled

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>

rules/cloud/github/github_push_protection_bypass_detected.yml

@@ -0,0 +1,23 @@
+title: Github Push Protection Bypass Detected
+id: 02cf536a-cf21-4876-8842-4159c8aee3cc
+status: experimental
+description: Detects when a user bypasses the push protection on a secret detected by secret scanning.
+references:
+    - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
+    - https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
+author: Muhammad Faisal (@faisalusuf)
+date: 2024/03/07
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    product: github
+    service: audit
+    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
+detection:
+    selection:
+        action|contains: 'secret_scanning_push_protection.bypass'
+    condition: selection
+falsepositives:
+    - Allowed administrative activities.
+level: low

rules/cloud/github/github_push_protection_disabled.yml

@@ -0,0 +1,30 @@
+title: Github Push Protection Disabled
+id: ccd55945-badd-4bae-936b-823a735d37dd
+status: experimental
+description: Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.
+references:
+    - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
+    - https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
+author: Muhammad Faisal (@faisalusuf)
+date: 2024/03/07
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    product: github
+    service: audit
+    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
+detection:
+    selection:
+        action:
+            - 'business_secret_scanning_custom_pattern_push_protection.disabled'
+            - 'business_secret_scanning_push_protection.disable'
+            - 'business_secret_scanning_push_protection.disabled_for_new_repos'
+            - 'org.secret_scanning_custom_pattern_push_protection_disabled'
+            - 'org.secret_scanning_push_protection_disable'
+            - 'org.secret_scanning_push_protection_new_repos_disable'
+            - 'repository_secret_scanning_custom_pattern_push_protection.disabled'
+    condition: selection
+falsepositives:
+    - Allowed administrative activities.
+level: high

rules/cloud/github/github_secret_scanning_feature_disabled.yml

@@ -0,0 +1,26 @@
+title: Github Secret Scanning Feature Disabled
+id: 3883d9a0-fd0f-440f-afbb-445a2a799bb8
+status: experimental
+description: Detects if the secret scanning feature is disabled for an enterprise or repository.
+references:
+    - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning
+author: Muhammad Faisal (@faisalusuf)
+date: 2024/03/07
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
+logsource:
+    product: github
+    service: audit
+    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
+detection:
+    selection:
+        action:
+            - 'business_secret_scanning.disable'
+            - 'business_secret_scanning.disabled_for_new_repos'
+            - 'repository_secret_scanning.disable'
+            - 'secret_scanning.disable'
+    condition: selection
+falsepositives:
+    - Allowed administrative activities.
+level: high