
Github Self Hosted Runner Changes Detected

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runner configurations in the environment. Once a self-hosted runner configuration change is detected, it should be validated in the GitHub UI, because the audit log entry may not provide full context.

Author
Muhammad Faisal
Created
Fri Jan 27
Rule ID
f8ed0e8f-7438-4b79-85eb-f358ef2fbebd
Log Source
Category: application
Product: github
Service: audit

Definition

Requirements: The audit log streaming feature must be enabled in order to receive these logs. You can enable it by following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming

Detection Logic
detection:
    selection:
        action:
            - 'org.remove_self_hosted_runner'
            - 'org.runner_group_created'
            - 'org.runner_group_removed'
            - 'org.runner_group_runner_removed'
            - 'org.runner_group_runners_added'
            - 'org.runner_group_runners_updated'
            - 'org.runner_group_updated'
            - 'repo.register_self_hosted_runner'
            - 'repo.remove_self_hosted_runner'
    condition: selection
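As an added example (not part of this rule and not the Sigma project's own code), the following Python applies the selection above to newline-delimited JSON events of the kind produced by audit log streaming. The sample events are constructed; `action` is the only field the rule needs, while `actor`, `org` and `repo` are the standard GitHub audit-log fields used here to give a reviewer something to look up in the GitHub UI.

```python
import json

# The nine audit-log actions listed in the rule's 'selection' block.
RUNNER_ACTIONS = frozenset({
    "org.remove_self_hosted_runner",
    "org.runner_group_created",
    "org.runner_group_removed",
    "org.runner_group_runner_removed",
    "org.runner_group_runners_added",
    "org.runner_group_runners_updated",
    "org.runner_group_updated",
    "repo.register_self_hosted_runner",
    "repo.remove_self_hosted_runner",
})


def matches_selection(event: dict) -> bool:
    """Equivalent of 'condition: selection': the event's action is one of the listed values."""
    return event.get("action") in RUNNER_ACTIONS


def scan_audit_stream(lines):
    """Apply the rule to newline-delimited JSON audit events.

    Returns the list of matching events. Blank or malformed lines are skipped
    rather than aborting the scan, since a streamed log may contain partial writes.
    """
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and matches_selection(event):
            hits.append(event)
    return hits


def summarize(hits):
    """Count matches per (actor, action) so each change can be validated in the GitHub UI."""
    summary = {}
    for event in hits:
        key = (event.get("actor", "<unknown>"), event["action"])
        summary[key] = summary.get(key, 0) + 1
    return summary


# Constructed sample events, not real audit data. Three match the rule, one is an
# unrelated org action, one is a malformed line, and one is blank.
SAMPLE_AUDIT_LINES = [
    json.dumps({"action": "repo.register_self_hosted_runner", "actor": "alice",
                "org": "example-org", "repo": "example-org/app", "@timestamp": 1674800000000}),
    json.dumps({"action": "org.runner_group_created", "actor": "bob",
                "org": "example-org", "@timestamp": 1674800100000}),
    json.dumps({"action": "org.add_member", "actor": "bob",
                "org": "example-org", "@timestamp": 1674800200000}),
    "{not valid json",
    "",
    json.dumps({"action": "org.remove_self_hosted_runner", "actor": "alice",
                "org": "example-org", "@timestamp": 1674800300000}),
]


if __name__ == "__main__":
    for (actor, action), count in sorted(summarize(scan_audit_stream(SAMPLE_AUDIT_LINES)).items()):
        print(f"{actor:10} {action:40} {count}")
```

Because the rule keys only on `action`, every hit is a candidate for the "allowed changes" false positive listed below; the per-actor summary is what a reviewer would carry into the GitHub UI to confirm whether the change was expected.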
False Positives

Allowed self-hosted runner changes in the environment.

A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days.

An ephemeral self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 1 day.

Rule Metadata
Rule ID
f8ed0e8f-7438-4b79-85eb-f358ef2fbebd
Status
test
Level
low
Type
Detection
Created
Fri Jan 27
Path
rules/application/github/audit/github_self_hosted_runner_changes_detected.yml
Tags
attack.impact
attack.discovery
attack.collection
attack.defense-evasion
attack.persistence
attack.privilege-escalation
attack.initial-access
attack.t1526
attack.t1213.003
attack.t1078.004