
t1213

a self-hosted runner is automatically removed from github if it has not connected to github actions for more than 14 days.
allowed self-hosted runners changes in the environment.
an ephemeral self-hosted runner is automatically removed from github if it has not connected to github actions for more than 1 day.
if the user is a developer or automation engineer, validate whether this behavior was for testing purposes.
legitimate non-interactive access to sharepoint online via the microsoft authentication broker may occur in enterprise environments, especially with mdm solutions or automated scripts. however, this should be explicitly allowed and monitored.
legitimate user activity.
snapshot exports may be performed by administrators, automation pipelines, or data engineering workflows. confirm whether the export was expected and initiated by an authorized user, role, or automation process. snapshot exports by unfamiliar principals or from unexpected networks should be investigated. if known behavior causes false positives, it can be exempted from the rule.
some enterprise mdm or brokered flows may use refresh tokens legitimately (especially with hybrid/azure ad joined devices). automated scripts for legitimate tasks (e.g., reporting, backups) might use `python-requests`, though this should be explicitly allowed.
validate whether the actor is permitted to access the repo.
validate that the deletion activity is permitted. the "actor" field needs to be validated.
validate the multifactor authentication changes.