diff --git a/rules/cloud/github/github_delete_action_invoked.yml b/rules/cloud/github/github_delete_action_invoked.yml index 2acb621a5..307ac4b29 100644 --- a/rules/cloud/github/github_delete_action_invoked.yml +++ b/rules/cloud/github/github_delete_action_invoked.yml @@ -11,9 +11,10 @@ tags: - attack.t1213.003 logsource: product: github - service: audit_logs + service: audit detection: selection: + operation: 'remove' action: - 'codespaces.delete' - 'environment.delete' diff --git a/rules/cloud/github/github_new_secret_created.yml b/rules/cloud/github/github_new_secret_created.yml index 1e260187e..5530b9c49 100644 --- a/rules/cloud/github/github_new_secret_created.yml +++ b/rules/cloud/github/github_new_secret_created.yml @@ -11,9 +11,10 @@ tags: - attack.t1078.004 logsource: product: github - service: audit_logs + service: audit detection: selection: + operation: 'create' action: - 'org.create_actions_secret' - 'environment.create_actions_secret' diff --git a/rules/cloud/github/github_outside_collaborator_detected.yml b/rules/cloud/github/github_outside_collaborator_detected.yml index 8bb5fc854..5354e770d 100644 --- a/rules/cloud/github/github_outside_collaborator_detected.yml +++ b/rules/cloud/github/github_outside_collaborator_detected.yml @@ -13,9 +13,10 @@ tags: - attack.t1098.003 logsource: product: github - service: audit_logs + service: audit detection: selection: + operation: 'authentication' action: - 'project.update_user_permission' - 'org.remove_outside_collaborator' @@ -28,4 +29,4 @@ fields: falsepositives: - Validate the actor if permitted to access the repo. - Validate the Multifactor Authentication changes. -level: medium \ No newline at end of file +level: medium diff --git a/tests/logsource.json b/tests/logsource.json index 3a5c98268..7e05d1e34 100644 --- a/tests/logsource.json +++ b/tests/logsource.json @@ -269,7 +269,7 @@ "empty": [], "category":{}, "service":{ - "audit_logs":[] + "audit":[] } }, "google_workspace":{