GitHub detections improvement #3278
Conversation
Nterl0k - T1219 - RMM Detection for Registry locations.
…urity_content into github_detections_improvement
| @@ -1,15 +1,12 @@ | |||
| name: GitHub | |||
There was a problem hiding this comment.
@P4T12ICK : This data source GitHub Webhooks is not used by any detection, is there a reason to add this? I think better to delete it or update this for the deprecate content since the whole data source and ingesting is clearer that way
| - field: user | ||
| type: user | ||
| score: 25 | ||
| threat_objects: [] |
There was a problem hiding this comment.
@P4T12ICK : Can we attribute something from the SPL to a threat object? maybe user_agent ? This could be applicable for all detections
| especially if created by unfamiliar users or in unusual contexts. | ||
| data_source: | ||
| - GitHub Enterprise Audit Logs | ||
| search: '`github_enterprise` action=enterprise.register_self_hosted_runner |
There was a problem hiding this comment.
based on this action, should we update the name of the detection to
GitHub Enterprise Register Self Hosted Runner
|
Can we also consider mapping some of the applicable detections to T1195 : https://attack.mitre.org/techniques/T1195/ that way we don't lose coverage |
|
Can we also update the Deprecated detection mapping sheet. Currently using this to keep track of replacement detections, if any until we have that deprecated mapping yaml |
New GitHub detections:
These detections are splitted into GitHub Enterprise and GitHub Organizations. Depending when a user collects GitHub logs on a GitHub Enterprise level or a GitHub Organizations level, the way how logs are collected are completely different and the corresponding log parsing rules. Therefore, there are cases in which the same detection is developed for both ways.