From 44a7b78950d22979b1dc4bd89dc1937abfe18c40 Mon Sep 17 00:00:00 2001
From: z00t
Date: Fri, 20 Jan 2023 23:09:56 +0500
Subject: [PATCH] New Rule is created.
---
.../github/github_new_secret_created.yml | 30 +++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 rules/cloud/github/github_new_secret_created.yml
diff --git a/rules/cloud/github/github_new_secret_created.yml b/rules/cloud/github/github_new_secret_created.yml
new file mode 100644
index 000000000..1fc9dfdc5
--- /dev/null
+++ b/rules/cloud/github/github_new_secret_created.yml
@@ -0,0 +1,30 @@
+title: Github New Secret Created
+id: f9405037-bc97-4eb7-baba-167dad399b83
+status: experimental
+description: Detects when a user creates action secret for the organization, environment, codespaces or repository.
+author: Muhammad Faisal
+date: 2023/01/20
+references:
+ - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
+tags:
+ - attack.t1078
+ - attack.t1078.004
+logsource:
+ product: github
+ service: audit_logs
+detection:
+ selection:
+ action:
+ - org.create_actions_secret
+ - environment.create_actions_secret
+ - codespaces.create_an_org_secret
+ - repo.create_actions_secret
+ condition: selection
+fields:
+ - 'action'
+ - 'actor'
+ - 'org'
+ - 'actor_location.country_code'
+falsepositives:
+ - This detection cloud be noisy depending on the environment. It is recommended to keep a check on the new secrets when created and validate the "actor".
+level: low
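Review bot: The `falsepositives` entry near the end of the rule gives triage advice instead of describing benign matches, and it has a typo (`cloud be noisy`). An entry such as `- Secrets created by administrators or CI/CD automation during normal onboarding or rotation` would tell an analyst what legitimate hits look like, and the advice to validate the `actor` fits better in `description`. The `tags` list carries only technique ids, with the parent `attack.t1078` duplicating `attack.t1078.004`; consider keeping the sub-technique and adding the tactic it is meant to cover, e.g. `attack.persistence`. The selection matches only the four `create` actions, so a change to an existing secret appears to fall outside this rule, and `description` should say so if that is intended. A `definition` line under `logsource` stating which GitHub audit log export supplies `audit_logs` would make the rule easier to deploy.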