Outdated Dependency Or Vulnerability Alert Disabled
Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts for private repositories or Dependabot security updates for all repositories.
Sigma rule

```yaml
title: Outdated Dependency Or Vulnerability Alert Disabled
id: 34e1c7d4-0cd5-419d-9f1b-1dad3f61018d
status: test
description: |
    Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts.
    This rule detects when an organization owner disables Dependabot alerts for private repositories or Dependabot security updates for all repositories.
author: Muhammad Faisal (@faisalusuf)
date: 2023/01/27
references:
    - https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization
tags:
    - attack.initial_access
    - attack.t1195.001
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable it by following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'dependabot_alerts_new_repos.disable'
            - 'dependabot_alerts.disable'
            - 'dependabot_security_updates_new_repos.disable'
            - 'dependabot_security_updates.disable'
            - 'repository_vulnerability_alerts.disable'
    condition: selection
falsepositives:
    - Approved changes by the Organization owner. Please validate the 'actor' if authorized to make the changes.
level: high
```
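The rule's selection applied to streamed GitHub audit-log events, as an added example that is not part of the Sigma rule or the SigmaHQ project: it matches the five `*.disable` action values and flags each hit for actor validation, as the rule's false-positive note asks. The sample events are constructed; the field names (`@timestamp`, `action`, `actor`, `org`, `repo`) are assumed to follow GitHub's audit-log JSON schema.

```python
import json

# Audit-log action values taken from the Sigma rule above.
DISABLE_ACTIONS = {
    "dependabot_alerts_new_repos.disable",
    "dependabot_alerts.disable",
    "dependabot_security_updates_new_repos.disable",
    "dependabot_security_updates.disable",
    "repository_vulnerability_alerts.disable",
}

# Constructed sample of streamed GitHub audit-log events (newline-delimited JSON).
# Field names assume the GitHub audit-log schema; every value is made up.
SAMPLE_AUDIT_LOG = """\
{"@timestamp": 1674820800000, "action": "repo.create", "actor": "alice", "org": "example-org", "repo": "example-org/api"}
{"@timestamp": 1674820900000, "action": "dependabot_alerts.disable", "actor": "bob", "org": "example-org"}
{"@timestamp": 1674821000000, "action": "repository_vulnerability_alerts.disable", "actor": "mallory", "org": "example-org", "repo": "example-org/api"}
{"@timestamp": 1674821100000, "action": "dependabot_alerts.enable", "actor": "alice", "org": "example-org"}
"""


def detect_dependabot_disabled(ndjson: str, approved_actors=frozenset()):
    """Apply the rule's selection (action in DISABLE_ACTIONS) to NDJSON audit events.

    Returns one finding per matching event. `needs_review` mirrors the rule's
    false-positive guidance: a hit is only benign if the actor is on an
    approved list of organization owners maintained by the defender.
    """
    findings = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("action") not in DISABLE_ACTIONS:
            continue
        findings.append({
            "timestamp": event.get("@timestamp"),
            "action": event["action"],
            "actor": event.get("actor"),
            "org": event.get("org"),
            "repo": event.get("repo"),  # absent for organization-wide setting changes
            "level": "high",
            "needs_review": event.get("actor") not in approved_actors,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_dependabot_disabled(SAMPLE_AUDIT_LOG, approved_actors={"bob"}):
        print(json.dumps(finding))
```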