Small update

- Change service to audit
- Add operation

rules/cloud/github/github_delete_action_invoked.yml

@@ -11,9 +11,10 @@ tags:
     - attack.t1213.003
 logsource:
     product: github
-    service: audit_logs
+    service: audit
 detection:
     selection:
+        operation: 'remove'
         action:
             - 'codespaces.delete'
             - 'environment.delete'

rules/cloud/github/github_new_secret_created.yml

@@ -11,9 +11,10 @@ tags:
     - attack.t1078.004
 logsource:
     product: github
-    service: audit_logs
+    service: audit
 detection:
     selection:
+        operation: 'create'
         action:
             - 'org.create_actions_secret'
             - 'environment.create_actions_secret'

rules/cloud/github/github_outside_collaborator_detected.yml

@@ -13,9 +13,10 @@ tags:
     - attack.t1098.003
 logsource:
     product: github
-    service: audit_logs
+    service: audit
 detection:
     selection:
+        operation: 'authentication'
         action:
             - 'project.update_user_permission'
             - 'org.remove_outside_collaborator'
@@ -28,4 +29,4 @@ fields:
 falsepositives:
     - Validate the actor if permitted to access the repo.
     - Validate the Multifactor Authentication changes.
-level: medium
+level: medium