Github Self Hosted Runner Changes Detected

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runner configurations in the environment. Once such a change is detected, it should be validated in the GitHub UI, because the audit-log entry alone may not provide the full context.

Sigma rule

title: Github Self Hosted Runner Changes Detected
id: f8ed0e8f-7438-4b79-85eb-f358ef2fbebd
status: test
description: |
    A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com.
    This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected,
    it should be validated from GitHub UI because the log entry may not provide full context.
author: Muhammad Faisal
date: 2023/01/27
references:
    - https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation
tags:
    - attack.impact
    - attack.discovery
    - attack.collection
    - attack.defense_evasion
    - attack.persistence
    - attack.privilege_escalation
    - attack.initial_access
    - attack.t1526
    - attack.t1213.003
    - attack.t1078.004
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'org.remove_self_hosted_runner'
            - 'org.runner_group_created'
            - 'org.runner_group_removed'
            - 'org.runner_group_updated'
            - 'org.runner_group_runners_added'
            - 'org.runner_group_runner_removed'
            - 'org.runner_group_runners_updated'
            - 'repo.register_self_hosted_runner'
            - 'repo.remove_self_hosted_runner'
    condition: selection
fields:
    - 'action'
    - 'actor'
    - 'org'
    - 'actor_location.country_code'
    - 'transport_protocol_name'
    - 'repository'
    - 'repo'
    - 'repository_public'
    - '@timestamp'
falsepositives:
    - Allowed self-hosted runners changes in the environment.
    - A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days.
    - An ephemeral self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 1 day.
level: low
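As an added example that is not part of the rule or the Sigma project, the following Python applies the rule's `selection` and `fields` list to a streamed audit log in NDJSON form; the sample events and their values are constructed, and the exact event shape (nested `actor_location`, epoch-millisecond `@timestamp`) is an assumption about the streaming format.

```python
import json

# The nine audit-log actions in the rule's selection block
RUNNER_ACTIONS = {
    "org.remove_self_hosted_runner", "org.runner_group_created",
    "org.runner_group_removed", "org.runner_group_updated",
    "org.runner_group_runners_added", "org.runner_group_runner_removed",
    "org.runner_group_runners_updated", "repo.register_self_hosted_runner",
    "repo.remove_self_hosted_runner",
}

# The fields the rule asks to surface so the change can be checked in the GitHub UI
FIELDS = ["action", "actor", "org", "actor_location.country_code",
          "transport_protocol_name", "repository", "repo",
          "repository_public", "@timestamp"]

def get_field(event, dotted):
    """Resolve a dotted path such as 'actor_location.country_code'; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def match_runner_change(event):
    """Apply 'condition: selection': return the projected fields on a hit, else None."""
    if event.get("action") not in RUNNER_ACTIONS:
        return None
    return {f: get_field(event, f) for f in FIELDS}

def scan(ndjson_lines):
    """Run the rule over a streamed audit log (one JSON object per line)."""
    return [hit for hit in (match_runner_change(json.loads(line))
                            for line in ndjson_lines if line.strip()) if hit]

# Constructed sample stream (assumed event shape); not a real GitHub export
SAMPLE_LOG = """
{"@timestamp": 1674800000000, "action": "repo.create", "actor": "dev1", "org": "example-org", "repo": "example-org/app", "repository_public": false}
{"@timestamp": 1674800100000, "action": "repo.register_self_hosted_runner", "actor": "dev1", "org": "example-org", "repo": "example-org/app", "repository_public": false, "actor_location": {"country_code": "US"}, "transport_protocol_name": "http"}
{"@timestamp": 1674800200000, "action": "org.runner_group_updated", "actor": "admin2", "org": "example-org", "actor_location": {"country_code": "DE"}, "transport_protocol_name": "http"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

Only the second and third events match; the unrelated `repo.create` event is dropped, and fields missing from an event (such as `repository` on the org-level event) come back as None rather than raising.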
