Github Secret Scanning Feature Disabled

calendar Aug 12, 2024 · attack.defense-evasion attack.t1562.001  ·
Share on: linkedin copy

Detects if the secret scanning feature is disabled for an enterprise or repository.

Sigma rule (View on GitHub)

 1title: Github Secret Scanning Feature Disabled
 2id: 3883d9a0-fd0f-440f-afbb-445a2a799bb8
 3status: experimental
 4description: Detects if the secret scanning feature is disabled for an enterprise or repository.
 5references:
 6    - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning
 7author: Muhammad Faisal (@faisalusuf)
 8date: 2024-03-07
 9modified: 2024-07-19
10tags:
11    - attack.defense-evasion
12    - attack.t1562.001
13logsource:
14    product: github
15    service: audit
16    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
17detection:
18    selection:
19        action:
20            - 'business_secret_scanning.disable'
21            - 'business_secret_scanning.disabled_for_new_repos'
22            - 'repository_secret_scanning.disable'
23            - 'secret_scanning_new_repos.disable'
24            - 'secret_scanning.disable'
25    condition: selection
26falsepositives:
27    - Allowed administrative activities.
28level: high

References

Related rules

to-top