GitHub Protected Branch Settings Changed
This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository. Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed for future attacks.
Elastic rule
[metadata]
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/30"

[rule]
author = ["Elastic"]
description = """
This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules
can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in
your repository. Changes to these protected branch settings should be investigated and verified as legitimate
activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed
for future attacks.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "GitHub Protected Branch Settings Changed"
risk_score = 47
rule_id = "07639887-da3a-4fbf-9532-8ce748ff8c50"
severity = "medium"
tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Github"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.dataset == "github.audit"
  and github.category == "protected_branch" and event.type == "change"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
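As an added illustration (not part of the Elastic rule or the GitHub integration's own code), the Python below applies the rule's EQL predicate and its `now-9m` window measured on `event.ingested` to constructed GitHub audit documents, showing which records would alert and why the others would not. The ECS document layout, the `event.action` names and the timestamps are assumed sample values.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (constructed, not a real run).
NOW = datetime(2023, 8, 30, 12, 0, tzinfo=timezone.utc)

def _ecs_event(action, category, event_type, ingested_minutes_ago):
    # Constructed GitHub audit document in the ECS layout of logs-github.audit-*.
    return {
        "event": {"category": ["configuration"], "dataset": "github.audit",
                  "type": [event_type], "action": action,
                  "ingested": (NOW - timedelta(minutes=ingested_minutes_ago)).isoformat()},
        "github": {"category": category, "repo": "example-org/example-repo"},
    }

# Constructed sample events; action names are illustrative only.
SAMPLE_EVENTS = [
    _ecs_event("protected_branch.update_admin_enforced", "protected_branch", "change", 2),
    _ecs_event("protected_branch.create", "protected_branch", "creation", 3),  # not a change
    _ecs_event("repo.config.disable_collaborators_only", "repo", "change", 4),  # other category
    _ecs_event("protected_branch.destroy", "protected_branch", "change", 30),  # outside now-9m
]

def get_field(doc, dotted):
    # Resolve an ECS dotted field name against a nested dict; None if absent.
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def _has(value, wanted):
    # ECS event.category / event.type are arrays; accept a scalar too.
    return wanted in value if isinstance(value, list) else value == wanted

def matches_query(doc):
    # The rule's EQL predicate over event.category, event.dataset, github.category, event.type.
    return (_has(get_field(doc, "event.category"), "configuration")
            and get_field(doc, "event.dataset") == "github.audit"
            and get_field(doc, "github.category") == "protected_branch"
            and _has(get_field(doc, "event.type"), "change"))

def in_lookback(doc, now=NOW, minutes=9):
    # from = "now-9m" measured on event.ingested (timestamp_override), so late-arriving records still count.
    ingested = datetime.fromisoformat(get_field(doc, "event.ingested"))
    return now - timedelta(minutes=minutes) <= ingested <= now

def find_alerts(events, now=NOW):
    # Return the event.action of every document the rule would alert on.
    return [get_field(e, "event.action") for e in events
            if in_lookback(e, now) and matches_query(e)]
```

Running `find_alerts(SAMPLE_EVENTS)` returns only the `update_admin_enforced` event; the `destroy` event matches the predicate but was ingested 30 minutes ago, so a rule run at `NOW` never sees it, which is why the rule keys its window on ingest time rather than the event's own timestamp.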
Related rules
- Azure Blob Permissions Modification
- Spike in Successful Logon Events from a Source IP
- Agent Spoofing - Mismatched Agent ID
- Agent Spoofing - Multiple Hosts Using Same Agent
- Application Removed from Blocklist in Google Workspace