
Github Secret Scanning Feature Disabled

Status
test
Severity
high
Log source
product github, service audit
Author
Muhammad Faisal (@faisalusuf)
Source
github.com/SigmaHQ/sigma

Detects if the secret scanning feature is disabled for an enterprise or repository.

MITRE ATT&CK coverage

Tactic: Defense Impairment
Techniques: T1685 Disable or Modify Tools

Event coverage

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

Rule body yaml

title: Github Secret Scanning Feature Disabled
id: 3883d9a0-fd0f-440f-afbb-445a2a799bb8
status: test
description: Detects if the secret scanning feature is disabled for an enterprise or repository.
references:
    - https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning
author: Muhammad Faisal (@faisalusuf)
date: 2024-03-07
modified: 2024-07-19
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'business_secret_scanning.disable'
            - 'business_secret_scanning.disabled_for_new_repos'
            - 'repository_secret_scanning.disable'
            - 'secret_scanning_new_repos.disable'
            - 'secret_scanning.disable'
    condition: selection
falsepositives:
    - Allowed administrative activities.
level: high
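To show what the rule body above actually does at match time, here is an added example (not part of the Sigma rule or the SigmaHQ project) that evaluates the rule's selection over newline-delimited JSON events of the shape produced by GitHub audit log streaming. The sample events, the actor names and the allowed_actors tuning are constructed for the example; Sigma string matching is case-insensitive, so the comparison is normalised accordingly.

```python
import json

# Action values copied from the rule's selection block.
SECRET_SCANNING_DISABLE_ACTIONS = {
    "business_secret_scanning.disable",
    "business_secret_scanning.disabled_for_new_repos",
    "repository_secret_scanning.disable",
    "secret_scanning_new_repos.disable",
    "secret_scanning.disable",
}

def matches_rule(event: dict) -> bool:
    """Sigma 'selection': action equals one of the listed values (case-insensitive)."""
    action = event.get("action")
    if not isinstance(action, str):
        return False
    return action.lower() in SECRET_SCANNING_DISABLE_ACTIONS

def scan_audit_stream(lines, allowed_actors=frozenset()):
    """Apply the rule to JSON-lines audit events; matches by actors in allowed_actors are
    returned with suppressed=True (the rule's 'allowed administrative activities' case)."""
    alerts = []
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole scan
        if not matches_rule(event):
            continue
        alerts.append({
            "action": event["action"],
            "actor": event.get("actor"),
            "target": event.get("repo") or event.get("org") or event.get("business"),
            "created_at": event.get("created_at"),
            "suppressed": event.get("actor") in allowed_actors,
        })
    return alerts

# Constructed sample events (not real audit data); keys follow GitHub audit log field names.
SAMPLE_EVENTS = [
    '{"action":"repository_secret_scanning.disable","actor":"alice","org":"acme","repo":"acme/payments","created_at":1709769600000}',
    '{"action":"repo.create","actor":"bob","org":"acme","repo":"acme/new-svc","created_at":1709769660000}',
    '{"action":"Secret_Scanning.Disable","actor":"secops-bot","org":"acme","created_at":1709769720000}',
    '{"action":"business_secret_scanning.disabled_for_new_repos","actor":"carol","business":"acme-ent","created_at":1709769780000}',
    'not json at all',
]

if __name__ == "__main__":
    for alert in scan_audit_stream(SAMPLE_EVENTS, allowed_actors={"secops-bot"}):
        print(alert)
```

The suppressed flag keeps the allowlisted event visible for audit rather than dropping it, which is the safer way to handle the rule's stated false positive.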

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    action:
        - 'business_secret_scanning.disable'
        - 'business_secret_scanning.disabled_for_new_repos'
        - 'repository_secret_scanning.disable'
        - 'secret_scanning_new_repos.disable'
        - 'secret_scanning.disable'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field: action
Kind: eq
Values:
  • business_secret_scanning.disable
  • business_secret_scanning.disabled_for_new_repos
  • repository_secret_scanning.disable
  • secret_scanning.disable
  • secret_scanning_new_repos.disable