GitHub Secret Scanning Disabled

Detects when GitHub Secret Scanning is disabled for a repository. Adversaries may disable secret scanning to evade detection of hardcoded secrets, such as API keys or credentials, that could be used for further compromise or data exfiltration.

Rule type: eql
Rule indices:

• logs-github.audit-*

Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: ?
References:

• https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
• https://trigger.dev/blog/shai-hulud-postmortem
• https://posthog.com/blog/nov-24-shai-hulud-attack-post-mortem

Tags:

• Domain: Cloud
• Use Case: Threat Detection
• Tactic: Defense Evasion
• Data Source: Github

Version: ?
Rule authors:

• Elastic

Rule license: Elastic License v2

configuration where event.dataset == "github.audit" and event.type == "change" and event.action == "repository_secret_scanning.disable"
		

Framework: MITRE ATT&CK

• Tactic:

  • Name: Defense Evasion
  • Id: TA0005
  • Reference URL: https://attack.mitre.org/tactics/TA0005/

• Technique:

  • Name: Impair Defenses
  • Id: T1562
  • Reference URL: https://attack.mitre.org/techniques/T1562/

• Sub Technique:

  • Name: Disable or Modify Tools
  • Id: T1562.001
  • Reference URL: https://attack.mitre.org/techniques/T1562/001/