LoFP / this detection cloud be noisy depending on the environment. it is recommended to keep a check on the new secrets when created and validate the \"actor\".

Techniques

• t1078
• t1078.004

Sample rules

Github New Secret Created

• source: sigma
• technicques:
  • t1078
  • t1078.004

Description

Detects when a user creates action secret for the organization, environment, codespaces or repository.

Detection logic

condition: selection
selection:
  action:
  - codespaces.create_an_org_secret
  - environment.create_actions_secret
  - org.create_actions_secret
  - repo.create_actions_secret