bug fix

Author: Patrick Bareiss

detections/cloud/github_enterprise_created_self_hosted_runner.yml

@@ -19,7 +19,7 @@ search: '`github_enterprise` action=enterprise.register_self_hosted_runner
   | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_is_bot, actor_location.country_code, business, business_id, user_agent, action
   | eval user=actor
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
-  | `github_enterprise_disabled_ip_allow_list_filter`'
+  | `github_enterprise_created_self_hosted_runner_filter`'
 how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
 known_false_positives: unknown
 references:

detections/cloud/github_enterprise_disabled_ip_allow_list.yml renamed to detections/cloud/github_enterprise_disable_ip_allow_list.yml

@@ -19,7 +19,7 @@ search: '`github_enterprise` action=ip_allow_list.disable
   | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_is_bot, actor_location.country_code, business, business_id, user_agent, user_id, action
   | eval user=actor
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
-  | `github_enterprise_disabled_ip_allow_list_filter`'
+  | `github_enterprise_disable_ip_allow_list_filter`'
 how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
 known_false_positives: unknown
 references: