Detectionlowtest

Github Push Protection Bypass Detected

Detects when a user bypasses the push protection on a secret detected by secret scanning.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Muhammad FaisalCreated Thu Mar 0702cf536a-cf21-4876-8842-4159c8aee3ccapplication

Log Source

githubaudit

Productgithub← raw: github

Serviceaudit← raw: audit

Definition

Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming

Detection Logic

detection:
    selection:
        action|contains: 'secret_scanning_push_protection.bypass'
    condition: selection

False Positives

Allowed administrative activities.

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1562.001 · Disable or Modify Tools

Rule Metadata

Rule ID

02cf536a-cf21-4876-8842-4159c8aee3cc

Status

test

Level

low

Type

Detection

Created

Thu Mar 07

Author

Muhammad Faisal

Path

rules/application/github/audit/github_push_protection_bypass_detected.yml

Raw Tags

attack.defense-evasionattack.t1562.001

View on GitHub