New Rule is created.
This commit is contained in:
z00t
@@ -0,0 +1,30 @@
|
||||
title: Github New Secret Created
|
||||
id: f9405037-bc97-4eb7-baba-167dad399b83
|
||||
status: experimental
|
||||
description: Detects when a user creates action secret for the organization, environment, codespaces or repository.
|
||||
author: Muhammad Faisal
|
||||
date: 2023/01/20
|
||||
references:
|
||||
- https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
|
||||
tags:
|
||||
- attack.t1078
|
||||
- attack.t1078.004
|
||||
logsource:
|
||||
product: github
|
||||
service: audit_logs
|
||||
detection:
|
||||
selection:
|
||||
action:
|
||||
- org.create_actions_secret
|
||||
- environment.create_actions_secret
|
||||
- codespaces.create_an_org_secret
|
||||
- repo.create_actions_secret
|
||||
condition: selection
|
||||
fields:
|
||||
- 'action'
|
||||
- 'actor'
|
||||
- 'org'
|
||||
- 'actor_location.country_code'
|
||||
falsepositives:
|
||||
- This detection cloud be noisy depending on the environment. It is recommended to keep a check on the new secrets when created and validate the "actor".
|
||||
level: low
|
||||
Reference in New Issue
Block a user