LoFP / allowed administrative activities.

Sample rules

Github Secret Scanning Feature Disabled

Description

Detects if the secret scanning feature is disabled for an enterprise or repository.

Detection logic

condition: selection
selection:
  action:
  - business_secret_scanning.disable
  - business_secret_scanning.disabled_for_new_repos
  - repository_secret_scanning.disable
  - secret_scanning.disable

Github Push Protection Disabled

Description

Detects if the push protection feature is disabled for an organization, an enterprise, repositories, or custom pattern rules.

Detection logic

condition: selection
selection:
  action:
  - business_secret_scanning_custom_pattern_push_protection.disabled
  - business_secret_scanning_push_protection.disable
  - business_secret_scanning_push_protection.disabled_for_new_repos
  - org.secret_scanning_custom_pattern_push_protection_disabled
  - org.secret_scanning_push_protection_disable
  - org.secret_scanning_push_protection_new_repos_disable
  - repository_secret_scanning_custom_pattern_push_protection.disabled

Github Push Protection Bypass Detected

Description

Detects when a user bypasses the push protection on a secret detected by secret scanning.

Detection logic

condition: selection
selection:
  action|contains: secret_scanning_push_protection.bypass
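
How the three selections above evaluate against audit log events, as an added example that is not part of the original page or of the rules' own tooling. It shows the difference between the exact-match `action` lists and the `action|contains` modifier, and flags hits by an expected administrator, the false positive this page covers. The sample events, the account names and the `ALLOWED_ADMINS` allowlist are constructed for illustration.

```python
# Added example: evaluate the three selections above over constructed audit log events.
RULES = {
    "Github Secret Scanning Feature Disabled": ("equals", [
        "business_secret_scanning.disable",
        "business_secret_scanning.disabled_for_new_repos",
        "repository_secret_scanning.disable",
        "secret_scanning.disable",
    ]),
    "Github Push Protection Disabled": ("equals", [
        "business_secret_scanning_custom_pattern_push_protection.disabled",
        "business_secret_scanning_push_protection.disable",
        "business_secret_scanning_push_protection.disabled_for_new_repos",
        "org.secret_scanning_custom_pattern_push_protection_disabled",
        "org.secret_scanning_push_protection_disable",
        "org.secret_scanning_push_protection_new_repos_disable",
        "repository_secret_scanning_custom_pattern_push_protection.disabled",
    ]),
    "Github Push Protection Bypass Detected": ("contains", [
        "secret_scanning_push_protection.bypass",
    ]),
}

# Hypothetical allowlist: accounts expected to change these settings.
ALLOWED_ADMINS = {"sec-platform-admin"}

def match(event):
    """Return the titles of the rules whose selection matches event['action']."""
    action = str(event.get("action", "")).lower()  # Sigma compares strings case-insensitively
    hits = []
    for title, (op, values) in RULES.items():
        # A list of values is OR-ed; 'contains' is a substring test, 'equals' is exact.
        if action in values if op == "equals" else any(v in action for v in values):
            hits.append(title)
    return hits

def triage(events):
    """Return (actor, action, rule title, actor_is_allowlisted) for every hit."""
    return [(ev.get("actor"), ev["action"], title, ev.get("actor") in ALLOWED_ADMINS)
            for ev in events for title in match(ev)]

SAMPLE_EVENTS = [  # constructed sample events, not real audit log data
    {"actor": "sec-platform-admin", "action": "org.secret_scanning_push_protection_disable"},
    {"actor": "dev-alice", "action": "repository_secret_scanning.disable"},
    {"actor": "dev-bob", "action": "secret_scanning_push_protection.bypass"},
    {"actor": "dev-bob", "action": "org.secret_scanning_push_protection.bypass"},  # constructed prefixed variant
    {"actor": "dev-carol", "action": "repository_secret_scanning.enable"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

An allowlisted hit is still a recorded change to a security control; the flag only lowers its triage priority.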