frack113
32 lines
1.1 KiB
YAML
32 lines
1.1 KiB
YAML
title: Github New Secret Created
|
|
id: f9405037-bc97-4eb7-baba-167dad399b83
|
|
status: experimental
|
|
description: Detects when a user creates action secret for the organization, environment, codespaces or repository.
|
|
author: Muhammad Faisal
|
|
date: 2023/01/20
|
|
references:
|
|
- https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
|
|
tags:
|
|
- attack.t1078
|
|
- attack.t1078.004
|
|
logsource:
|
|
product: github
|
|
service: audit
|
|
detection:
|
|
selection:
|
|
operation: 'create'
|
|
action:
|
|
- 'org.create_actions_secret'
|
|
- 'environment.create_actions_secret'
|
|
- 'codespaces.create_an_org_secret'
|
|
- 'repo.create_actions_secret'
|
|
condition: selection
|
|
fields:
|
|
- 'action'
|
|
- 'actor'
|
|
- 'org'
|
|
- 'actor_location.country_code'
|
|
falsepositives:
|
|
- This detection cloud be noisy depending on the environment. It is recommended to keep a check on the new secrets when created and validate the "actor".
|
|
level: low
|