bug fixes

Patrick Bareiss · Patrick Bareiss · commit 3c9145b8ddcc · 2025-02-21T09:21:33.000+01:00
diff --git a/detections/cloud/github_enterprise_delete_branch_ruleset.yml b/detections/cloud/github_enterprise_delete_branch_ruleset.yml
@@ -48,6 +48,7 @@ tags:
   asset_type: GitHub
   mitre_attack_id:
   - T1562.001
+  - T1195
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/cloud/github_enterprise_disable_2fa_requirement.yml b/detections/cloud/github_enterprise_disable_2fa_requirement.yml
@@ -48,6 +48,7 @@ tags:
   asset_type: GitHub
   mitre_attack_id:
   - T1562.001
+  - T1195
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/cloud/github_enterprise_disable_audit_log_event_stream.yml b/detections/cloud/github_enterprise_disable_audit_log_event_stream.yml
@@ -48,6 +48,7 @@ tags:
   asset_type: GitHub
   mitre_attack_id:
   - T1562.008
+  - T1195
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/cloud/github_enterprise_disable_classic_branch_protection_rule.yml b/detections/cloud/github_enterprise_disable_classic_branch_protection_rule.yml
@@ -48,6 +48,7 @@ tags:
   asset_type: GitHub
   mitre_attack_id:
   - T1562.001
+  - T1195
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/cloud/github_enterprise_disable_dependabot.yml b/detections/cloud/github_enterprise_disable_dependabot.yml
@@ -46,6 +46,7 @@ tags:
   asset_type: GitHub
   mitre_attack_id:
   - T1562.001
+  - T1195
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/cloud/github_enterprise_disable_ip_allow_list.yml b/detections/cloud/github_enterprise_disable_ip_allow_list.yml
@@ -47,6 +47,7 @@ tags:
   asset_type: GitHub
   mitre_attack_id:
   - T1562.001
+  - T1195
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/cloud/github_enterprise_modify_audit_log_event_stream.yml b/detections/cloud/github_enterprise_modify_audit_log_event_stream.yml
@@ -48,6 +48,7 @@ tags:
   asset_type: GitHub
   mitre_attack_id:
   - T1562.008
+  - T1195
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/cloud/github_enterprise_pause_audit_log_event_stream.yml b/detections/cloud/github_enterprise_pause_audit_log_event_stream.yml
@@ -48,6 +48,7 @@ tags:
   asset_type: GitHub
   mitre_attack_id:
   - T1562.008
+  - T1195
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/cloud/github_enterprise_register_self_hosted_runner.yml b/detections/cloud/github_enterprise_register_self_hosted_runner.yml
@@ -1,4 +1,4 @@
-name: GitHub Enterprise Created Self Hosted Runner
+name: GitHub Enterprise Register Self Hosted Runner
 id: b27685a2-8826-4123-ab78-2d9d0d419ed0
 version: 1
 date: '2025-01-20'
@@ -19,7 +19,7 @@ search: '`github_enterprise` action=enterprise.register_self_hosted_runner
   | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_is_bot, actor_location.country_code, business, business_id, user_agent, action
   | eval user=actor
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
-  | `github_enterprise_created_self_hosted_runner_filter`'
+  | `github_enterprise_register_self_hosted_runner_filter`'
 how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
 known_false_positives: unknown
 references:
@@ -47,6 +47,7 @@ tags:
   asset_type: GitHub
   mitre_attack_id:
   - T1562.001
+  - T1195
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/cloud/github_enterprise_remove_organization.yml b/detections/cloud/github_enterprise_remove_organization.yml
@@ -46,6 +46,7 @@ tags:
   asset_type: GitHub
   mitre_attack_id:
   - T1485
+  - T1195
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/cloud/github_enterprise_repository_archived.yml b/detections/cloud/github_enterprise_repository_archived.yml
@@ -49,6 +49,7 @@ tags:
   asset_type: GitHub
   mitre_attack_id:
   - T1485
+  - T1195
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/cloud/github_enterprise_repository_deleted.yml b/detections/cloud/github_enterprise_repository_deleted.yml
@@ -46,6 +46,7 @@ tags:
   asset_type: GitHub
   mitre_attack_id:
   - T1485
+  - T1195
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/cloud/github_organizations_delete_branch_ruleset.yml b/detections/cloud/github_organizations_delete_branch_ruleset.yml
@@ -48,6 +48,7 @@ tags:
   asset_type: GitHub
   mitre_attack_id:
   - T1562.001
+  - T1195
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/cloud/github_organizations_disable_2fa_requirement.yml b/detections/cloud/github_organizations_disable_2fa_requirement.yml
@@ -47,6 +47,7 @@ tags:
   asset_type: GitHub
   mitre_attack_id:
   - T1562.001
+  - T1195
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/cloud/github_organizations_disable_classic_branch_protection_rule.yml b/detections/cloud/github_organizations_disable_classic_branch_protection_rule.yml
@@ -48,6 +48,7 @@ tags:
   asset_type: GitHub
   mitre_attack_id:
   - T1562.001
+  - T1195
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/cloud/github_organizations_disable_dependabot.yml b/detections/cloud/github_organizations_disable_dependabot.yml
@@ -46,6 +46,7 @@ tags:
   asset_type: GitHub
   mitre_attack_id:
   - T1562.001
+  - T1195
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/cloud/github_organizations_repository_archived.yml b/detections/cloud/github_organizations_repository_archived.yml
@@ -49,6 +49,7 @@ tags:
   asset_type: GitHub
   mitre_attack_id:
   - T1485
+  - T1195
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/cloud/github_organizations_repository_deleted.yml b/detections/cloud/github_organizations_repository_deleted.yml
@@ -49,6 +49,7 @@ tags:
   asset_type: GitHub
   mitre_attack_id:
   - T1485
+  - T1195
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/deprecated/github_actions_disable_security_workflow.yml b/detections/deprecated/github_actions_disable_security_workflow.yml
@@ -13,7 +13,7 @@ description: The following analytic detects the disabling of a security workflow
   allow the attacker to introduce and persist undetected malicious code within the
   repository, potentially compromising the integrity and security of the codebase.
 data_source:
-- GitHub
+- GitHub Webhooks
 search: '`github` workflow_run.event=push OR workflow_run.event=pull_request | stats
   values(workflow_run.name) as workflow_run.name by workflow_run.head_commit.id workflow_run.event
   workflow_run.head_branch workflow_run.head_commit.author.email workflow_run.head_commit.author.name
diff --git a/detections/deprecated/github_commit_changes_in_master.yml b/detections/deprecated/github_commit_changes_in_master.yml
@@ -13,7 +13,7 @@ description: The following analytic detects direct commits or pushes to the mast
   this could lead to unauthorized code execution, security vulnerabilities, or compromised
   project integrity.
 data_source:
-- GitHub
+- GitHub Webhooks
 search: '`github` branches{}.name = main OR branches{}.name = master |  stats count
   min(_time) as firstTime max(_time) as lastTime by commit.commit.author.email commit.author.login
   commit.commit.message repository.pushed_at commit.commit.committer.date repository.full_name
diff --git a/detections/deprecated/github_commit_in_develop.yml b/detections/deprecated/github_commit_in_develop.yml
@@ -13,7 +13,7 @@ description: The following analytic detects commits pushed directly to the 'deve
   to unauthorized code modifications, introducing vulnerabilities or backdoors into
   the codebase, and compromising the integrity of the development lifecycle.
 data_source:
-- GitHub
+- GitHub Webhooks
 search: '`github` branches{}.name = main OR branches{}.name = develop |  stats count
   min(_time) as firstTime max(_time) as lastTime  by commit.author.html_url commit.commit.author.email
   commit.author.login commit.commit.message repository.pushed_at commit.commit.committer.date
diff --git a/detections/deprecated/github_dependabot_alert.yml b/detections/deprecated/github_dependabot_alert.yml
@@ -13,7 +13,7 @@ description: The following analytic identifies the creation of GitHub Dependabot
   malicious, these vulnerabilities could be exploited by attackers to gain unauthorized
   access or cause breaches, leading to potential data loss or system compromise.
 data_source:
-- GitHub
+- GitHub Webhooks
 search: '`github` alert.id=* action=create | rename repository.full_name as repository,
   repository.html_url as repository_url sender.login as user | stats min(_time) as
   firstTime max(_time) as lastTime by action alert.affected_package_name alert.affected_range
diff --git a/detections/deprecated/github_pull_request_from_unknown_user.yml b/detections/deprecated/github_pull_request_from_unknown_user.yml
@@ -14,7 +14,7 @@ description: The following analytic detects pull requests from unknown users on
   reviewing the author's name, repository, head reference, and commit message, and
   investigating any related artifacts and processes.
 data_source:
-- GitHub
+- GitHub Webhooks
 search: '`github` check_suite.pull_requests{}.id=* | stats count by check_suite.head_commit.author.name
   repository.full_name check_suite.pull_requests{}.head.ref check_suite.head_commit.message
   | rename check_suite.head_commit.author.name as user repository.full_name as repository
