LoFP / allowed self-hosted runners changes in the environment.

Techniques

• t1078
• t1078.004
• t1213
• t1213.003
• t1526

Sample rules

Github Self Hosted Runner Changes Detected

• source: sigma
• technicques:
  • t1078
  • t1078.004
  • t1213
  • t1213.003
  • t1526

Description

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.

Detection logic

condition: selection
selection:
  action:
  - org.remove_self_hosted_runner
  - org.runner_group_created
  - org.runner_group_removed
  - org.runner_group_runner_removed
  - org.runner_group_runners_added
  - org.runner_group_runners_updated
  - org.runner_group_updated
  - repo.register_self_hosted_runner
  - repo.remove_self_hosted_runner