Detectionhightest
Github Secret Scanning Feature Disabled
Detects if the secret scanning feature is disabled for an enterprise or repository.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
githubaudit
Productgithub← raw: github
Serviceaudit← raw: audit
Definition
Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming
Detection Logic
Detection Logic1 selector
detection:
selection:
action:
- 'business_secret_scanning.disable'
- 'business_secret_scanning.disabled_for_new_repos'
- 'repository_secret_scanning.disable'
- 'secret_scanning_new_repos.disable'
- 'secret_scanning.disable'
condition: selectionFalse Positives
Allowed administrative activities.
References
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
3883d9a0-fd0f-440f-afbb-445a2a799bb8
Status
test
Level
high
Type
Detection
Created
Thu Mar 07
Modified
Fri Jul 19
Author
Path
rules/application/github/audit/github_secret_scanning_feature_disabled.yml
Raw Tags
attack.defense-evasionattack.t1562.001