Detectionhightest
Github High Risk Configuration Disabled
Detects when a user disables a critical security feature for an organization.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
githubaudit
Productgithub← raw: github
Serviceaudit← raw: audit
Definition
Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming
Detection Logic
Detection Logic1 selector
detection:
selection:
action:
- 'business_advanced_security.disabled_for_new_repos'
- 'business_advanced_security.disabled_for_new_user_namespace_repos'
- 'business_advanced_security.disabled'
- 'business_advanced_security.user_namespace_repos_disabled'
- 'org.advanced_security_disabled_for_new_repos'
- 'org.advanced_security_disabled_on_all_repos'
- 'org.advanced_security_policy_selected_member_disabled'
- 'org.disable_oauth_app_restrictions'
- 'org.disable_two_factor_requirement'
- 'repo.advanced_security_disabled'
condition: selectionFalse Positives
Approved administrator/owner activities.
MITRE ATT&CK
Rule Metadata
Rule ID
8622c92d-c00e-463c-b09d-fd06166f6794
Status
test
Level
high
Type
Detection
Created
Sun Jan 29
Modified
Mon Jul 22
Author
Path
rules/application/github/audit/github_disable_high_risk_configuration.yml
Raw Tags
attack.credential-accessattack.defense-evasionattack.persistenceattack.t1556