Legitimate CI/CD automation that requires workflow file modifications may trigger this alert if it is not configured with the necessary permissions. Review the workflow configuration and ensure the GITHUB_TOKEN or PAT has the required 'workflows' permission if the modification is intentional.

Techniques

Sample rules

GitHub Actions Workflow Modification Blocked

Description

Detects when a GitHub Actions workflow attempts to create or modify workflow files in a protected branch but is blocked due to insufficient permissions. This behavior is indicative of a supply chain attack where a malicious package or compromised CI/CD pipeline attempts to inject persistent backdoor workflows into a repository.

Detection logic

from logs-github.audit-* metadata _id, _index, _version
| where
    data_stream.dataset == "github.audit" and
    event.action == "protected_branch.rejected_ref_update" and
    github.category == "protected_branch" and
    github.reasons.code == "workflow_updates" and
    match(github.reasons.message::STRING, "refusing to allow a GitHub App to create or update workflow")
| keep *
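To see how the where-clause above behaves on concrete audit events, here is an added Python example (not part of the original rule page or of any GitHub/Elastic integration code) that reproduces the rule's five conditions over constructed events laid out in the nested shape the rule's dotted field names imply. The field names github.repo and user.name used in the alert summary, and the allowlist of known automation actors used for false-positive triage, are assumptions; the message strings are constructed to resemble GitHub's push-rejection messages.

```python
"""Reproduce the ES|QL rule 'GitHub Actions Workflow Modification Blocked'
over constructed GitHub audit events (added example, not the rule's own code)."""
import re
from typing import Any

# Same pattern the rule passes to match(); search() is case-sensitive like the rule.
WORKFLOW_BLOCK_RE = re.compile(
    r"refusing to allow a GitHub App to create or update workflow")

# Constructed sample events. Only the fields the rule references matter;
# github.repo and user.name are assumed names used for the summary.
SAMPLE_EVENTS = [
    {   # 1: GitHub App push rejected because it lacks 'workflows' -> matches
        "data_stream": {"dataset": "github.audit"},
        "event": {"action": "protected_branch.rejected_ref_update"},
        "github": {"category": "protected_branch",
                   "repo": "acme/payments-service",
                   "reasons": {"code": "workflow_updates",
                               "message": "refusing to allow a GitHub App to create or "
                                          "update workflow `.github/workflows/ci.yml` "
                                          "without `workflows` permission"}},
        "user": {"name": "release-bot[bot]"},
    },
    {   # 2: same action, but rejected for a different reason -> no match
        "data_stream": {"dataset": "github.audit"},
        "event": {"action": "protected_branch.rejected_ref_update"},
        "github": {"category": "protected_branch",
                   "repo": "acme/payments-service",
                   "reasons": {"code": "required_status_checks",
                               "message": "Required status check \"build\" is expected."}},
        "user": {"name": "jdoe"},
    },
    {   # 3: PAT (not a GitHub App) blocked on a workflow file -> no match as written
        "data_stream": {"dataset": "github.audit"},
        "event": {"action": "protected_branch.rejected_ref_update"},
        "github": {"category": "protected_branch",
                   "repo": "acme/web",
                   "reasons": {"code": "workflow_updates",
                               "message": "refusing to allow a Personal Access Token to "
                                          "create or update workflow `.github/workflows/"
                                          "deploy.yml` without `workflow` scope"}},
        "user": {"name": "contractor-42"},
    },
    {   # 4: right reason code but wrong dataset -> no match
        "data_stream": {"dataset": "github.issues"},
        "event": {"action": "protected_branch.rejected_ref_update"},
        "github": {"category": "protected_branch", "repo": "acme/web",
                   "reasons": {"code": "workflow_updates",
                               "message": "refusing to allow a GitHub App to create or "
                                          "update workflow `.github/workflows/x.yml`"}},
        "user": {"name": "release-bot[bot]"},
    },
]


def get_path(event: dict, dotted: str) -> Any:
    """Resolve an ECS-style dotted field name against a nested dict; None if absent."""
    node: Any = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_rule(event: dict) -> bool:
    """Mirror the rule's where-clause: four equality checks plus the message match.
    A missing or non-string message fails the match, as the ::STRING cast would."""
    message = get_path(event, "github.reasons.message")
    return (
        get_path(event, "data_stream.dataset") == "github.audit"
        and get_path(event, "event.action") == "protected_branch.rejected_ref_update"
        and get_path(event, "github.category") == "protected_branch"
        and get_path(event, "github.reasons.code") == "workflow_updates"
        and isinstance(message, str)
        and WORKFLOW_BLOCK_RE.search(message) is not None
    )


def run_rule(events: list) -> list:
    """Return the summaries an analyst would see for every event the rule fires on."""
    return [{"repo": get_path(e, "github.repo"),
             "actor": get_path(e, "user.name"),
             "message": get_path(e, "github.reasons.message")}
            for e in events if matches_rule(e)]


def triage(alerts: list, known_automation: set) -> tuple:
    """Split alerts per the LoFP note: actors on the (assumed) allowlist of CI
    apps go to 'review permissions'; everything else stays 'investigate'."""
    review = [a for a in alerts if a["actor"] in known_automation]
    investigate = [a for a in alerts if a["actor"] not in known_automation]
    return review, investigate


if __name__ == "__main__":
    hits = run_rule(SAMPLE_EVENTS)
    for bucket, items in zip(("review permissions", "investigate"),
                             triage(hits, {"release-bot[bot]"})):
        for a in items:
            print(f"[{bucket}] {a['repo']} actor={a['actor']}")
```

Event 3 is deliberately left unmatched: the rule's message pattern names a GitHub App, so a PAT-driven push rejected for the same reason code is not covered by this rule as written, which is worth knowing when deciding how much coverage it gives you.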