Detectionmediumtest

Github Fork Private Repositories Setting Enabled/Cleared

Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Romain GaillardCreated Mon Jul 2969b3bd1e-b38a-462f-9a23-fbdbf63d2294application

Log Source

githubaudit

Productgithub← raw: github

Serviceaudit← raw: audit

Definition

Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming

Detection Logic

detection:
    selection:
        action:
            - 'private_repository_forking.clear' # An enterprise owner cleared the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise.
            - 'private_repository_forking.enable' # An enterprise owner enabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are always allowed to be forked.
    condition: selection

False Positives

Allowed administrative activities.

References

Resolving title…

docs.github.com

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0010 · Exfiltration

Techniques

T1020 · Automated Exfiltration T1537 · Transfer Data to Cloud Account

Rule Metadata

Rule ID