Detectionhightest
Github Push Protection Disabled
Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
githubaudit
Productgithub← raw: github
Serviceaudit← raw: audit
Definition
Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming
Detection Logic
Detection Logic1 selector
detection:
selection:
action:
- 'business_secret_scanning_custom_pattern_push_protection.disabled'
- 'business_secret_scanning_push_protection.disable'
- 'business_secret_scanning_push_protection.disabled_for_new_repos'
- 'org.secret_scanning_custom_pattern_push_protection_disabled'
- 'org.secret_scanning_push_protection_disable'
- 'org.secret_scanning_push_protection_new_repos_disable'
- 'repository_secret_scanning_custom_pattern_push_protection.disabled'
condition: selectionFalse Positives
Allowed administrative activities.
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
ccd55945-badd-4bae-936b-823a735d37dd
Status
test
Level
high
Type
Detection
Created
Thu Mar 07
Author
Path
rules/application/github/audit/github_push_protection_disabled.yml
Raw Tags
attack.defense-evasionattack.t1562.001