Labels: Domain: Cloud Workloads; Integration: GitHub (GitHub integration); Rule: New (Proposal for new rule)
Description
Detects failed attempts to inject a new workflow into the main branch of a repository. This is specific to workflow creations and updates only: during a CI/CD job, an attempt was made to modify or create a workflow file. Shai-Hulud infections did this to create backdoor YAML files (.github/workflows/discussion.yaml).
```
from logs-github.audit-* metadata _id, _index, _version
| where
  data_stream.dataset == "github.audit" and
  event.action == "protected_branch.rejected_ref_update" and
  github.branch == "refs/heads/main" and
  github.category == "protected_branch" and
  github.reasons.code == "workflow_updates" and
  match(github.reasons.message::STRING, "refusing to allow a GitHub App to create or update workflow")
```

NOTE: github.reasons.message is a text field and is not compatible with EQL string comparison functions. Additionally, since the substring we match on contains space characters, wrapping it in * wildcards results in unrelated documents matching. As a result, we used ES|QL for this rule.
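To sanity-check the filter offline, the following added Python re-implements the query's conditions over constructed sample audit documents; this is example code, not part of the proposed rule or the Elastic integration. The message check is a plain substring test, which is stricter than the analyzed full-text match() in ES|QL, and the non-matching reason code and message in the third document are constructed, not real GitHub values.

```python
from typing import Any, Dict, List, Optional

# Constructed sample audit documents (not real GitHub records) laid out in the
# fields the ES|QL query reads. Only the first one should trigger the rule.
DOCS: List[Dict[str, Any]] = [
    {"_id": "a1", "data_stream": {"dataset": "github.audit"},
     "event": {"action": "protected_branch.rejected_ref_update"},
     "github": {"branch": "refs/heads/main", "category": "protected_branch",
                "reasons": {"code": "workflow_updates",
                            "message": "refusing to allow a GitHub App to create or update workflow "
                                       "`.github/workflows/discussion.yaml` without `workflows` permission"}}},
    # Same rejection, but on a feature branch rather than main: not a hit.
    {"_id": "a2", "data_stream": {"dataset": "github.audit"},
     "event": {"action": "protected_branch.rejected_ref_update"},
     "github": {"branch": "refs/heads/feature-x", "category": "protected_branch",
                "reasons": {"code": "workflow_updates",
                            "message": "refusing to allow a GitHub App to create or update workflow"}}},
    # Push to main rejected for an unrelated reason (constructed code and message): not a hit.
    {"_id": "a3", "data_stream": {"dataset": "github.audit"},
     "event": {"action": "protected_branch.rejected_ref_update"},
     "github": {"branch": "refs/heads/main", "category": "protected_branch",
                "reasons": {"code": "example_other_reason",
                            "message": "required status checks did not allow update of workflow"}}},
]

# The equality conditions from the query's WHERE clause.
REQUIRED_EQUALS = {
    "data_stream.dataset": "github.audit",
    "event.action": "protected_branch.rejected_ref_update",
    "github.branch": "refs/heads/main",
    "github.category": "protected_branch",
    "github.reasons.code": "workflow_updates",
}
PHRASE = "refusing to allow a GitHub App to create or update workflow"

def field(doc: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Resolve a dotted ECS-style path; missing fields yield None."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_rule(doc: Dict[str, Any]) -> bool:
    """True when every equality condition holds and the message contains the phrase."""
    if any(field(doc, k) != v for k, v in REQUIRED_EQUALS.items()):
        return False
    message = field(doc, "github.reasons.message")
    # Substring test stands in for match(...::STRING, ...); text is not a keyword field.
    return isinstance(message, str) and PHRASE in message

def run_rule(docs: List[Dict[str, Any]]) -> List[str]:
    """Return the _id of every document the rule would alert on."""
    return [d["_id"] for d in docs if matches_rule(d)]
```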
