diff --git a/rules/cloud/github/dependabot_alerts_disabled.yml b/rules/cloud/github/dependabot_alerts_disabled.yml new file mode 100644 index 000000000..cceb0d98d --- /dev/null +++ b/rules/cloud/github/dependabot_alerts_disabled.yml @@ -0,0 +1,39 @@ +title: Dependabot Alerts Disabled +id: 34e1c7d4-0cd5-419d-9f1b-1dad3f61018d +status: experimental +description: | + Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts. + This rule detects when an organization owner disables Dependabot alerts or Dependabot security updates. +author: Muhammad Faisal +date: 2023/01/27 +references: + - https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts + - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization +tags: + - attack.t1195.001 + - attack.m1016 + - attack.t1089 +logsource: + product: github + service: audit +detection: + selection: + action: + - 'dependabot_alerts.disable' + - 'dependabot_alerts_new_repos.disable' + - 'dependabot_security_updates.disable' + - 'dependabot_security_updates_new_repos.disable' + condition: selection +fields: + - 'action' + - 'actor' + - 'org' + - 'actor_location.country_code' + - 'transport_protocol_name' + - 'repository' + - 'repo' + - 'repository_public' + - '@timestamp' +falsepositives: + - Approved changes by the Organization owner. Please validate the 'actor' if authorized to make the changes. +level: high \ No newline at end of file diff --git a/rules/cloud/github/github_self_hosted_runner_changes_detected.yml b/rules/cloud/github/github_self_hosted_runner_changes_detected.yml new file mode 100644 index 000000000..127dd17b1 --- /dev/null +++ b/rules/cloud/github/github_self_hosted_runner_changes_detected.yml 
@@ -0,0 +1,48 @@ +title: Github Self Hosted Runner Changes Detected +id: f8ed0e8f-7438-4b79-85eb-f358ef2fbebd +status: experimental +description: | + A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. + This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, + it should be validated from GitHub UI becasue the log entry may not provide full context. +author: Muhammad Faisal +date: 2023/01/27 +references: + - https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners + - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation +tags: + - attack.t1526 + - attack.impact + - attack.t1213.003 + - attack.t1078.004 +logsource: + product: github + service: audit +detection: + selection: + action: + - 'org.remove_self_hosted_runner' + - 'org.runner_group_created' + - 'org.runner_group_removed' + - 'org.runner_group_updated' + - 'org.runner_group_runners_added' + - 'org.runner_group_runner_removed' + - 'org.runner_group_runners_updated' + - 'repo.register_self_hosted_runner' + - 'repo.remove_self_hosted_runner' + condition: selection +fields: + - 'action' + - 'actor' + - 'org' + - 'actor_location.country_code' + - 'transport_protocol_name' + - 'repository' + - 'repo' + - 'repository_public' + - '@timestamp' +falsepositives: + - Allowed self-hosted runners changes in the envrionment. + - A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days. + - An ephemeral self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 1 day. +level: low \ No newline at end of file
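Review bot: In the dependabot_alerts_disabled.yml hunk, `attack.t1089` is a deprecated ATT&CK technique ID (Disabling Security Tools was folded into T1562.001, Impair Defenses: Disable or Modify Tools), so replace it with `attack.t1562.001` and add the matching tactic tag `attack.defense_evasion`; the other technique tag also lacks its tactic (`attack.initial_access` for t1195.001). `attack.m1016` is a mitigation ID rather than a technique or tactic, and Sigma tags are normally tactics and techniques, so consider dropping it. The description says the rule covers an organization owner disabling alerts, and the selection matches only the org-level actions, so a repository admin turning alerts off on a single repository will not trigger this rule; state that scope explicitly in the description or extend the selection. The falsepositives entry also reads awkwardly ("Please validate the 'actor' if authorized to make the changes"); suggest "Approved changes by the organization owner; validate that the 'actor' is authorized to make the change."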
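Review bot: In the github_self_hosted_runner_changes_detected.yml hunk, the action list is asymmetric: it includes `org.remove_self_hosted_runner` and both `repo.register_self_hosted_runner` and `repo.remove_self_hosted_runner`, but not the organization-level registration action, so a runner registered at organization scope will not be detected. Add `org.register_self_hosted_runner` next to the remove action. The tags also do not match the behaviour described: `attack.t1526` (Cloud Service Discovery) and `attack.t1213.003` (Code Repositories) are not what registering or removing a runner is, and `attack.impact` stands without a technique; keep only tags that fit the description. Two typos in the description and falsepositives: "becasue" and "envrionment".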