GitHub Protected Branch Settings Changed | Elastic Security Solution [8.8]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

« GitHub Owner Role Granted To User GitHub Repository Deleted »

GitHub Protected Branch Settings Changededit

This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository. Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized changes could be used to lower your organization’s security posture and leave you exposed for future attacks.

Rule type: eql

Rule indices:

logs-github.audit-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Domain: Cloud
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Github

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule queryedit

configuration where event.dataset == "github.audit"
  and github.category == "protected_branch" and event.type == "change"

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Impair Defenses
- ID: T1562
- Reference URL: https://attack.mitre.org/techniques/T1562/
Sub-technique:
- Name: Disable or Modify Tools
- ID: T1562.001
- Reference URL: https://attack.mitre.org/techniques/T1562/001/

« GitHub Owner Role Granted To User GitHub Repository Deleted »