Detectionmediumtest
Github SSH Certificate Configuration Changed
Detects when changes are made to the SSH certificate configuration of the organization.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
githubaudit
Productgithub← raw: github
Serviceaudit← raw: audit
Definition
Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming
Detection Logic
Detection Logic1 selector
detection:
selection:
action:
- 'ssh_certificate_authority.create' # An SSH certificate authority for an organization or enterprise was created.
- 'ssh_certificate_requirement.disable' # The requirement for members to use SSH certificates to access an organization resources was disabled.
condition: selectionFalse Positives
Allowed administrative activities.
MITRE ATT&CK
Rule Metadata
Rule ID
2f575940-d85e-4ddc-af13-17dad6f1a0ef
Status
test
Level
medium
Type
Detection
Created
Mon Jul 29
Author
Path
rules/application/github/audit/github_ssh_certificate_config_changed.yml
Raw Tags
attack.initial-accessattack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1078.004