Github Push Protection Disabled

calendar Mar 6, 2024 · attack.defense_evasion attack.t1562.001  ·
Share on: linkedin copy

Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.

Sigma rule (View on GitHub)

 1title: Github Push Protection Disabled
 2id: ccd55945-badd-4bae-936b-823a735d37dd
 3status: experimental
 4description: Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.
 5references:
 6    - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
 7    - https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
 8author: Muhammad Faisal (@faisalusuf)
 9date: 2024/03/07
10tags:
11    - attack.defense_evasion
12    - attack.t1562.001
13logsource:
14    product: github
15    service: audit
16    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
17detection:
18    selection:
19        action:
20            - 'business_secret_scanning_custom_pattern_push_protection.disabled'
21            - 'business_secret_scanning_push_protection.disable'
22            - 'business_secret_scanning_push_protection.disabled_for_new_repos'
23            - 'org.secret_scanning_custom_pattern_push_protection_disabled'
24            - 'org.secret_scanning_push_protection_disable'
25            - 'org.secret_scanning_push_protection_new_repos_disable'
26            - 'repository_secret_scanning_custom_pattern_push_protection.disabled'
27    condition: selection
28falsepositives:
29    - Allowed administrative activities.
30level: high

References

Related rules

to-top