Merge PR #4738 from @nasbench - Small fixes and metadata updates

new: HackTool - CobaltStrike Malleable Profile Patterns - Proxy
remove: CobaltStrike Malformed UAs in Malleable Profiles
remove: CobaltStrike Malleable (OCSP) Profile
remove: CobaltStrike Malleable Amazon Browsing Traffic Profile
remove: CobaltStrike Malleable OneDrive Browsing Traffic Profile
remove: iOS Implant URL Pattern
update: Chafer Malware URL Pattern - Reduce level to high and move to ET folder
This commit is contained in:
Nasreddine Bencherchali
2024-02-26 22:01:53 +01:00
committed by GitHub
parent 49bd839ecf
commit 8af1ab8cac
32 changed files with 120 additions and 137 deletions
@@ -5,7 +5,7 @@ description: |
A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com.
This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected,
it should be validated from GitHub UI because the log entry may not provide full context.
author: Muhammad Faisal
author: Muhammad Faisal (@faisalusuf)
date: 2023/01/27
references:
- https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners
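Review bot: no `modified:` line follows `date: 2023/01/27` in this hunk even though the `author:` value changes, so the rule metadata will not show that it was touched; add a `modified` date if the repository's convention requires one for metadata-only edits. While this block is being edited, the description sentence "The self-hosted runner configuration changes once detected, it should be validated from GitHub UI" could be reworded to "Once detected, self-hosted runner configuration changes should be validated in the GitHub UI".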
@@ -31,23 +31,13 @@ detection:
- 'org.remove_self_hosted_runner'
- 'org.runner_group_created'
- 'org.runner_group_removed'
- 'org.runner_group_updated'
- 'org.runner_group_runners_added'
- 'org.runner_group_runner_removed'
- 'org.runner_group_runners_added'
- 'org.runner_group_runners_updated'
- 'org.runner_group_updated'
- 'repo.register_self_hosted_runner'
- 'repo.remove_self_hosted_runner'
condition: selection
fields:
- 'action'
- 'actor'
- 'org'
- 'actor_location.country_code'
- 'transport_protocol_name'
- 'repository'
- 'repo'
- 'repository_public'
- '@timestamp'
falsepositives:
- Allowed self-hosted runners changes in the environment.
- A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days.
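Review bot: the `fields:` block (`action`, `actor`, `org`, `actor_location.country_code`, ...) appears to be dropped here, given the header goes from 23 lines to 13, and with it the only hint to analysts about which audit-log attributes to pull during triage. Since the description says the log entry may not provide full context, consider naming the key ones (`actor`, `actor_location.country_code`, `repo`) in the description instead. In the reordered action list, `org.runner_group_runner_removed` (singular `runner`) sits next to `org.runner_group_runners_added` and `org.runner_group_runners_updated`; a short comment confirming that spelling is intentional would keep a later "typo fix" from breaking the match.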