Techniques
Sample rules
New GitHub Self Hosted Action Runner
- source: elastic
- techniques:
- T1195
Description
This rule detects the creation of a self-hosted GitHub runner by a user.name seen for the first time in the last 5 days. Adversaries may abuse self-hosted runners to execute workflow jobs on customer infrastructure.
Detection logic
event.dataset:"github.audit" and
event.category:"configuration" and
event.action: (
"repo.register_self_hosted_runner" or
"org.register_self_hosted_runner" or
"enterprise.register_self_hosted_runner"
)
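
The query above only selects runner-registration events; the "first time seen user.name in the last 5 days" condition from the description is evaluated separately. The following added example (not code from the rule or from Elastic) applies both parts to constructed audit events; the function names, the sample events and the skipping of events without user.name are assumptions.

```python
from datetime import datetime, timedelta

RUNNER_ACTIONS = {
    "repo.register_self_hosted_runner",
    "org.register_self_hosted_runner",
    "enterprise.register_self_hosted_runner",
}

def matches_rule_query(ev):
    """The three conditions of the rule's query."""
    return (ev.get("event.dataset") == "github.audit"
            and ev.get("event.category") == "configuration"
            and ev.get("event.action") in RUNNER_ACTIONS)

def detect_new_runner_users(events, window_days=5):
    """Return matching events whose user.name has no earlier matching
    event inside the preceding window (assumed 'first seen' semantics)."""
    window = timedelta(days=window_days)
    last_seen = {}  # user.name -> time of that user's latest matching event
    alerts = []
    parsed = [(datetime.fromisoformat(e["@timestamp"]), e) for e in events]
    for ts, ev in sorted(parsed, key=lambda p: p[0]):
        user = ev.get("user.name")
        if not matches_rule_query(ev) or not user:
            continue  # assumption: events without user.name are not evaluated
        previous = last_seen.get(user)
        if previous is None or ts - previous > window:
            alerts.append(ev)
        last_seen[user] = ts
    return alerts

def _ev(ts, user, action):
    """Build one constructed github.audit event for the sample below."""
    return {"@timestamp": ts, "event.dataset": "github.audit",
            "event.category": "configuration",
            "event.action": action, "user.name": user}

# Constructed sample events, not real audit data.
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00", "alice", "repo.register_self_hosted_runner"),
    _ev("2024-05-03T09:00:00", "alice", "org.register_self_hosted_runner"),
    _ev("2024-05-04T12:00:00", "bob", "repo.remove_self_hosted_runner"),
    _ev("2024-05-04T13:00:00", "mallory", "enterprise.register_self_hosted_runner"),
    _ev("2024-05-10T09:00:00", "alice", "repo.register_self_hosted_runner"),
]

if __name__ == "__main__":
    for alert in detect_new_runner_users(SAMPLE_EVENTS):
        print(alert["@timestamp"], alert["user.name"], alert["event.action"])
```

In the sample, alice's second registration is suppressed because she registered a runner two days earlier, while her third alerts again because her previous registration has aged out of the 5-day window.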