Nasreddine Bencherchali
95793d73bd
chore: update workflows and add quality of life updates and automation to the repository --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
35 lines
1.5 KiB
YAML
35 lines
1.5 KiB
YAML
title: Github New Secret Created
|
|
id: f9405037-bc97-4eb7-baba-167dad399b83
|
|
status: experimental
|
|
description: Detects when a user creates action secret for the organization, environment, codespaces or repository.
|
|
author: Muhammad Faisal
|
|
date: 2023/01/20
|
|
references:
|
|
- https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.persistence
|
|
- attack.privilege_escalation
|
|
- attack.initial_access
|
|
- attack.t1078.004
|
|
logsource:
|
|
product: github
|
|
service: audit
|
|
definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
|
|
detection:
|
|
selection:
|
|
action:
|
|
- 'org.create_actions_secret'
|
|
- 'environment.create_actions_secret'
|
|
- 'codespaces.create_an_org_secret'
|
|
- 'repo.create_actions_secret'
|
|
condition: selection
|
|
fields:
|
|
- 'action'
|
|
- 'actor'
|
|
- 'org'
|
|
- 'actor_location.country_code'
|
|
falsepositives:
|
|
- This detection cloud be noisy depending on the environment. It is recommended to keep a check on the new secrets when created and validate the "actor".
|
|
level: low
|