From f4085ad8730166fdadc7a820516110c484577e4c Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Wed, 10 Dec 2025 10:55:47 -0500
Subject: [PATCH] [Rule Tuning] New GitHub Self Hosted Action Runner (#5436)
Fixes #5435
---
 ...ial_access_github_register_self_hosted_runner.toml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
index 9a0f61d24..5b6539b91 100644
--- a/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
+++ b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/11/28"
 integration = ["github"]
 maturity = "production"
-updated_date = "2025/11/28"
+updated_date = "2025/12/09"
 [rule]
 author = ["Elastic"]
@@ -46,6 +46,7 @@ Adversaries who gain the ability to modify or trigger workflows in a linked GitH
 references = [
 "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise",
 "https://socket.dev/blog/shai-hulud-strikes-again-v2",
+ "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack"
 ]
 risk_score = 47
 rule_id = "40c34c8a-b0bc-43bc-83aa-d2b76bf129e1"
@@ -61,7 +62,13 @@ timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
-event.dataset:"github.audit" and event.category:"configuration" and event.action:"enterprise.register_self_hosted_runner"
+event.dataset:"github.audit" and
+ event.category:"configuration" and
+ event.action: (
+ "repo.register_self_hosted_runner" or
+ "org.register_self_hosted_runner" or
+ "enterprise.register_self_hosted_runner"
+ )
 '''
 [[rule.threat]]
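Review bot: Widening `event.action` in the query hunk to repo- and org-scoped registrations changes what the new-terms logic sees, but the `[rule.new_terms]` configuration (term fields and history window) lies outside this hunk and is untouched; it is worth confirming that the chosen term fields still isolate a first-seen registration per scope rather than, for example, suppressing an enterprise-level registration because the same actor earlier registered a runner on one repository. Presumably `repo.*`, `org.*` and `enterprise.*` audit events do not carry the same field set (repo events name a repository, enterprise events may not), so each new-terms field should be verified to exist on all three action types against sample audit records, otherwise the added clauses can never fire for that scope. The rule's `description` and `note` text, also outside the hunk, likely still describe enterprise-level registration only; they should state that repository and organization scope registrations are now in scope and that the scope is visible in `event.action`, so a triaging analyst knows to check the runner's labels, runner group and the registering actor's role at that level. The `query` string opens and closes inside the hunk, but the rest of the `[rule]` table does not.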