Detectionlowexperimental

GitHub Repository Pages Site Changed to Public

Detects when a GitHub Pages site of a repository is made public. This usually is part of a publishing process but could indicate or lead to potential unauthorized exposure of sensitive information or code.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Ivan SaakovCreated Sat Oct 180c46d4f4-a2bf-4104-9597-8d653fc2bb55application

Log Source

githubaudit

Productgithub← raw: github

Serviceaudit← raw: audit

Detection Logic

detection:
    selection:
        action: 'repo.pages_public'
    condition: selection

False Positives

Legitimate publishing of repository pages by authorized users

References

MITRE ATT&CK

Tactics

TA0009 · Collection TA0010 · Exfiltration

Sub-techniques

T1567.001 · Exfiltration to Code Repository

Rule Metadata

Rule ID

0c46d4f4-a2bf-4104-9597-8d653fc2bb55

Status

experimental

Level

low

Type

Detection

Created

Sat Oct 18

Author

Ivan Saakov

Path

rules/application/github/audit/github_pages_site_changed_to_public.yml

Raw Tags

attack.collectionattack.exfiltrationattack.t1567.001

View on GitHub