Techniques
Sample rules
New GitHub Self Hosted Action Runner
- source: elastic
- techniques:
- T1195
Description
This rule detects the creation of a self-hosted GitHub runner by a user.name seen for the first time in the last 5 days. Adversaries may abuse self-hosted runners to execute workflow jobs on customer infrastructure.
Detection logic
event.dataset:"github.audit" and event.category:"configuration" and event.action:"enterprise.register_self_hosted_runner"
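
The query above only selects runner-registration events; the "first time seen" condition in the description is a separate look-back over user.name. The following is an added example, not Elastic's rule code, that approximates both parts in Python over constructed audit events. It assumes flattened field names, an `@timestamp` field, and that "first seen" means no earlier matching event from the same user.name within the preceding 5 days.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=5)  # look-back period from the rule description
REGISTER = "enterprise.register_self_hosted_runner"

def matches_query(ev):
    """The rule's query, expressed as exact-match field comparisons."""
    return (ev.get("event.dataset") == "github.audit"
            and ev.get("event.category") == "configuration"
            and ev.get("event.action") == REGISTER)

def first_seen_registrations(events, window=WINDOW):
    """Return matching events whose user.name has no earlier matching
    event within the preceding window (assumed 'first seen' semantics)."""
    last_seen = {}  # user.name -> time of that user's latest matching event
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        user = ev.get("user.name")
        if user is None or not matches_query(ev):
            continue
        prev = last_seen.get(user)
        if prev is None or ev["@timestamp"] - prev > window:
            alerts.append(ev)
        last_seen[user] = ev["@timestamp"]
    return alerts

def make_event(ts, user, action=REGISTER):
    """Build a constructed audit event with flattened field names."""
    return {"@timestamp": datetime.fromisoformat(ts), "user.name": user,
            "event.dataset": "github.audit",
            "event.category": "configuration", "event.action": action}

# Constructed sample data, not real audit log entries.
SAMPLE_EVENTS = [
    make_event("2024-03-01T09:00:00", "alice"),   # first sighting: alert
    make_event("2024-03-03T10:00:00", "alice"),   # seen 2 days ago: no alert
    make_event("2024-03-04T12:00:00", "bob", "constructed.other_action"),  # filtered out
    make_event("2024-03-05T08:00:00", "bob"),     # first matching event: alert
    make_event("2024-03-10T09:00:00", "alice"),   # last seen 7 days ago: alert
]

if __name__ == "__main__":
    for hit in first_seen_registrations(SAMPLE_EVENTS):
        print(hit["@timestamp"].isoformat(), hit["user.name"])
```

The third alert shows a side effect of the short look-back: an account that registers runners less often than every 5 days is reported as new each time.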