Outdated Dependency Or Vulnerability Alert Disabled

Dependabot scans repositories for insecure dependencies and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts for private repositories or Dependabot security updates for all repositories.

Sigma rule

title: Outdated Dependency Or Vulnerability Alert Disabled
id: 34e1c7d4-0cd5-419d-9f1b-1dad3f61018d
status: test
description: |
    Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts.
    This rule detects when an organization owner disables Dependabot alerts for private repositories or Dependabot security updates for all repositories.
author: Muhammad Faisal
date: 2023/01/27
references:
    - https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization
tags:
    - attack.initial_access
    - attack.t1195.001
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'dependabot_alerts.disable'
            - 'dependabot_alerts_new_repos.disable'
            - 'dependabot_security_updates.disable'
            - 'dependabot_security_updates_new_repos.disable'
            - 'repository_vulnerability_alerts.disable'
    condition: selection
fields:
    - 'action'
    - 'actor'
    - 'org'
    - 'actor_location.country_code'
    - 'transport_protocol_name'
    - 'repository'
    - 'repo'
    - 'repository_public'
    - '@timestamp'
falsepositives:
    - Approved changes by the Organization owner. Please validate the 'actor' if authorized to make the changes.
level: high
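The rule's detection is a single `selection` on the `action` field, so the logic is easy to reproduce outside a SIEM, for example to dry-run it against an exported audit-log stream before deploying the rule. The script below is an added example, not part of the SigmaHQ rule or of GitHub's tooling: it implements the `selection` and `fields` sections over constructed newline-delimited JSON events shaped like GitHub audit-log streaming records (the values are made up), and adds a triage step for the stated false positive, where `APPROVED_OWNERS` is an assumed allowlist of organization owners whose changes are expected.

```python
import json

# Action values copied from the rule's `selection` list.
DISABLE_ACTIONS = frozenset({
    "dependabot_alerts.disable",
    "dependabot_alerts_new_repos.disable",
    "dependabot_security_updates.disable",
    "dependabot_security_updates_new_repos.disable",
    "repository_vulnerability_alerts.disable",
})

# Fields the rule asks to surface with each match (`fields:` section).
REPORT_FIELDS = (
    "action", "actor", "org", "actor_location.country_code",
    "transport_protocol_name", "repository", "repo", "repository_public", "@timestamp",
)

# Assumed allowlist for the rule's false-positive note: org owners whose changes are approved.
APPROVED_OWNERS = frozenset({"octo-admin"})


def get_field(event: dict, dotted: str):
    """Resolve a dotted field name such as 'actor_location.country_code' against a nested dict.
    Returns None when any segment is missing, so partial records do not raise."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(event: dict) -> bool:
    """The rule's `selection`: action is any of the listed disable actions."""
    return event.get("action") in DISABLE_ACTIONS


def detect(events):
    """Run the rule over an iterable of audit-log events and return one report row per match,
    limited to the rule's `fields`."""
    return [{f: get_field(ev, f) for f in REPORT_FIELDS} for ev in events if matches(ev)]


def triage(hits, approved=APPROVED_OWNERS):
    """Split matches into those made by an approved owner (likely benign) and those needing review.
    This is the analyst step the rule's false-positive note asks for."""
    needs_review = [h for h in hits if h["actor"] not in approved]
    expected = [h for h in hits if h["actor"] in approved]
    return needs_review, expected


def parse_ndjson(text: str):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample events (not real audit data): two disable actions, one enable, one unrelated.
SAMPLE_NDJSON = """\
{"@timestamp": 1674800000000, "action": "dependabot_alerts.disable", "actor": "octo-admin", "org": "example-org", "actor_location": {"country_code": "US"}, "transport_protocol_name": "http"}
{"@timestamp": 1674800001000, "action": "dependabot_alerts.enable", "actor": "octo-admin", "org": "example-org", "actor_location": {"country_code": "US"}, "transport_protocol_name": "http"}
{"@timestamp": 1674800002000, "action": "repository_vulnerability_alerts.disable", "actor": "contractor1", "org": "example-org", "repo": "example-org/payments-api", "repository_public": false, "actor_location": {"country_code": "DE"}, "transport_protocol_name": "http"}
{"@timestamp": 1674800003000, "action": "repo.create", "actor": "dev2", "org": "example-org", "repo": "example-org/new-service", "repository_public": true, "actor_location": {"country_code": "GB"}, "transport_protocol_name": "http"}
"""


def run_sample():
    """Detect over the constructed sample and return (needs_review, expected)."""
    return triage(detect(parse_ndjson(SAMPLE_NDJSON)))


if __name__ == "__main__":
    review, ok = run_sample()
    for hit in review:
        print("REVIEW:", json.dumps(hit))
    for hit in ok:
        print("approved owner:", json.dumps(hit))
```

On the sample input the org-wide `dependabot_alerts.disable` by `octo-admin` lands in the approved bucket, while the per-repository `repository_vulnerability_alerts.disable` by `contractor1` on a private repository is flagged for review; the `.enable` and `repo.create` events are ignored because the selection only lists `.disable` actions. Missing fields (the org-wide event carries no `repo`) come through as `None` rather than breaking the run.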
