Techniques
Sample rules
Github Secret Scanning Feature Disabled
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects if the secret scanning feature is disabled for an enterprise or repository.
Detection logic
condition: selection
selection:
  action:
    - business_secret_scanning.disable
    - business_secret_scanning.disabled_for_new_repos
    - repository_secret_scanning.disable
    - secret_scanning.disable
Github Push Protection Disabled
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.
Detection logic
condition: selection
selection:
  action:
    - business_secret_scanning_custom_pattern_push_protection.disabled
    - business_secret_scanning_push_protection.disable
    - business_secret_scanning_push_protection.disabled_for_new_repos
    - org.secret_scanning_custom_pattern_push_protection_disabled
    - org.secret_scanning_push_protection_disable
    - org.secret_scanning_push_protection_new_repos_disable
    - repository_secret_scanning_custom_pattern_push_protection.disabled
Github Push Protection Bypass Detected
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects when a user bypasses the push protection on a secret detected by secret scanning.
Detection logic
condition: selection
selection:
  action|contains: secret_scanning_push_protection.bypass
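Added example, not part of the Sigma rules or of the original page: the three selections above evaluated over audit-log events in JSON-lines form, showing the difference between the exact `action` match of the first two rules and the `|contains` substring match of the third. The names `RULES`, `SAMPLE_LOG`, `match` and `scan` are hypothetical, and the sample events (actors, repositories, the mixed-case action) are constructed.

```python
import json

# Selections transcribed from the three rules above: (modifier, values).
# Sigma compares strings case-insensitively; "contains" is a substring test.
RULES = {
    "Github Secret Scanning Feature Disabled": ("equals", [
        "business_secret_scanning.disable",
        "business_secret_scanning.disabled_for_new_repos",
        "repository_secret_scanning.disable",
        "secret_scanning.disable"]),
    "Github Push Protection Disabled": ("equals", [
        "business_secret_scanning_custom_pattern_push_protection.disabled",
        "business_secret_scanning_push_protection.disable",
        "business_secret_scanning_push_protection.disabled_for_new_repos",
        "org.secret_scanning_custom_pattern_push_protection_disabled",
        "org.secret_scanning_push_protection_disable",
        "org.secret_scanning_push_protection_new_repos_disable",
        "repository_secret_scanning_custom_pattern_push_protection.disabled"]),
    "Github Push Protection Bypass Detected": ("contains", [
        "secret_scanning_push_protection.bypass"]),
}

# Constructed audit-log lines (one JSON event per line); actors and repos are made up.
SAMPLE_LOG = """\
{"action": "repository_secret_scanning.disable", "actor": "alice", "repo": "example-org/api"}
{"action": "org.secret_scanning_push_protection_disable", "actor": "bob", "org": "example-org"}
{"action": "secret_scanning_push_protection.bypass", "actor": "carol", "repo": "example-org/web"}
{"action": "Secret_Scanning.Disable", "actor": "dave", "repo": "example-org/web"}
{"action": "repo.create", "actor": "erin", "repo": "example-org/new"}
{"actor": "frank", "note": "event without an action field"}
"""

def match(event):
    """Return the titles of all rules whose selection matches this event."""
    action = str(event.get("action", "")).lower()
    return [title for title, (modifier, values) in RULES.items()
            if (action in values if modifier == "equals"
                else any(v in action for v in values))]

def scan(log_text):
    """Return (actor, action, rule title) for every alert in a JSON-lines log."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    return [(e.get("actor"), e.get("action"), t) for e in events for t in match(e)]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Events with no `action` field, or with an unrelated action such as `repo.create`, produce no alert.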