
Quick Start Security for GitHub Enterprise

GitHub Enterprise

Coralogix Extension For GitHub Enterprise Includes:

Dashboards - 7

Gain instantaneous visualization of all your GitHub Enterprise data.

Github Enterprise - General Overview
Github Enterprise - Git Actions
Github Enterprise - Organization Actions
Github Enterprise - Pull Actions
Github Enterprise - Repository Actions
Github Enterprise - Team Actions
Github Enterprise - Workflow Actions

Alerts - 47

Stay on top of GitHub Enterprise key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Github Enterprise - Two factor authentication was disabled

This alert is triggered when the two-factor authentication requirement is disabled for all members, billing managers, and outside collaborators in an organization. Two-factor authentication (2FA) requires a second factor in addition to the password at sign-in. Once the organization-level requirement is removed, members can turn 2FA off on their own accounts, and accounts without 2FA can be added, without anyone being removed from the organization.

Impact
An adversary who disables the 2FA requirement reduces every account in the organization to password-only authentication. Examples of how that is abused:
- Unauthorized access: a phished, reused or leaked password is now enough to sign in as a member and reach private repositories.
- Credential reuse: credentials captured this way can be replayed against other systems and services the organization uses.
- Follow-on attacks: with access, the adversary can exfiltrate code and secrets, escalate privileges within the organization, or inject malicious commits and workflows.
Disabling the requirement is also a common first step before adding an attacker-controlled account that has no 2FA.

Mitigation
- Re-enable the 2FA requirement for the organization immediately.
- Identify from the audit log which owner account disabled it and when. If the change is not recognized, treat that owner account as compromised: rotate its password, revoke its active sessions and tokens, and re-enroll 2FA.
- Review the audit log for the period the requirement was off: members added, roles changed, secrets updated, OAuth Apps approved, repositories created or forked.
- Review authorized OAuth and GitHub Apps and revoke any that are not recognized.
- Report the incident to GitHub Support and to your internal security team; consider a managed detection or incident response service if you do not have one.
- Educate owners that the requirement should never be relaxed to work around a locked-out member; recovery codes and re-enrollment are the supported paths.

MITRE Tactic: TA0005
MITRE Technique: T1562

Github Enterprise - Private repository fork policy was changed

This alert is triggered when the policy for workflows on private repository forks is changed. The policy controls whether pull requests from private forks trigger workflows at all, whether those workflows receive write tokens and secrets, and whether they require approval before running.

Impact
Loosening the policy lets anyone who can fork a private repository run workflow code in the organization's context:
- Secret and token exposure: a workflow triggered from a fork pull request can read the secrets and use the write-scoped GITHUB_TOKEN that the policy sends to fork workflows.
- Malicious forks: the fork author controls the workflow and the code it runs, so a fork pull request becomes a way to execute arbitrary code on the organization's runners.
- Follow-on actions: with a write token the workflow can push to branches, create releases, or tamper with other workflows and their artifacts.

Mitigation
- Restore the most restrictive setting your workflows tolerate: require approval for fork pull request workflows and do not send secrets or write tokens to them.
- Identify the actor from the audit log and confirm the change was intended; only organization owners should be able to change it.
- Review workflow runs triggered from forks during the period the policy was loosened, and rotate any secret those runs could have read.
- Record the intended policy so it can be compared against and restored after an unexpected change.

MITRE Tactic: TA0003
MITRE Technique: T1098

Github Enterprise - Terms of service was changed

This alert is triggered when an organization switches between the Standard Terms of Service and the Corporate Terms of Service.

Impact
The switch has little direct technical effect, but it is an owner-only action. An unexpected switch is a sign that an owner account is being used by someone unfamiliar with the organization, and it changes the legal terms under which the organization's data is held.

Mitigation
- Confirm from the audit log which owner made the change and whether it was intended; if not, treat that owner account as potentially compromised and review its other recent activity.
- Keep the owner role limited to the minimum number of people.
- Record which terms the organization is expected to be on so an unexpected switch can be recognized and reverted.

MITRE Tactic: TA0003
MITRE Technique: T1098

Github Enterprise - SAML provider setting was updated

This alert is triggered when an organization's SAML single sign-on settings (sign-on URL, issuer, or identity provider certificate) are updated.

Impact
The SAML settings define which identity provider GitHub trusts to say who a user is. An adversary who points them at an identity provider they control can issue assertions for any member and sign in as that member, bypassing the real provider's authentication, including its MFA. That grants access to every repository the impersonated members can reach, private repositories included, and sidesteps the access controls that depend on identity. Changing the certificate or URL to an invalid value also locks legitimate members out.

Mitigation
- Compare the current sign-on URL, issuer and certificate against the values recorded from your identity provider, and restore them if they differ.
- Identify the actor from the audit log. If the change is not recognized, treat the owner account as compromised and revoke the organization's active SAML sessions and authorizations.
- Keep the known-good values under change control so that drift is detected, and limit who can change SAML settings to a small set of owners with 2FA.

MITRE Tactic: TA0003
MITRE Technique: T1037

Github Enterprise - Create repository permission was changed

This alert is triggered when the permission that determines whether organization members can create repositories, and of which visibility (public, private, internal), is changed.

Impact
If an adversary widens this permission, any member can create repositories in the organization's namespace. Such repositories can host malicious code that appears to come from the organization, stage exfiltrated data, or expose internal code publicly, affecting the users and systems that trust the organization's code. Narrowing it without notice disrupts development.

Mitigation
- Verify the actor and intent from the audit log and restore the intended setting.
- Review repositories created since the change and remove, or make private, any that are unexpected.
- Keep repository creation limited to the members and visibility levels your policy allows, and review member permissions regularly.

MITRE Tactic: TA0003
MITRE Technique: T1098

Github Enterprise - Member was updated

This alert is triggered when a person's role in the organization is changed from owner to member or from member to owner.

Impact
An owner has full control of the organization: every repository, all settings, secrets and membership. The adversary may be able to:
- Escalate to owner: promoting a compromised or attacker-controlled member to owner gives full access to all repositories, including private ones that contain sensitive information.
- Inject malicious code: as an owner they can push to any repository, weaken branch protection, and edit workflows and secrets.
- Persist and cover tracks: they can add further accounts, demote the legitimate owners to members, and change the security settings that would reveal the activity.

Mitigation
- Revoke the adversary's access: demote or remove the unexpected owner immediately, then identify from the audit log who performed the promotion and review that account.
- Secure the affected repositories: review commits, workflow changes and branch protection changes made since the promotion and revert anything malicious.
- Monitor for malicious activity: watch for new members, secret updates and settings changes by the same actor.
- Implement access controls: keep the owner set as small as possible, require 2FA for owners, and review owners regularly.

MITRE Tactic: TA0003
MITRE Technique: T1037

Github Enterprise - Default branch for new repositories was changed

This alert is triggered when the name of the default branch for new repositories in the organization is changed.

Impact
The setting only affects repositories created after the change, and on its own it is a low-severity change. The risk is indirect: branch protection rules, rulesets, CI triggers and deployment tooling that match the default branch by name will not apply to new repositories whose default branch has a different name, leaving those repositories without the controls the organization relies on. An unexpected change is also a sign of an owner account being used unexpectedly.

Mitigation
- Confirm the actor and intent from the audit log and restore the intended name.
- Check repositories created since the change and make sure branch protection and rulesets apply to their default branch; prefer rules that target the default branch rather than a fixed name.
- Restrict organization settings changes to the minimal set of owners, and have an incident response plan for unauthorized configuration changes.

MITRE Tactic: TA0003
MITRE Technique: T1098

Github Enterprise - Action secret was updated

This alert is triggered when an organization-level GitHub Actions secret is updated.

Impact
An adversary who can overwrite a secret can redirect workflows to infrastructure they control: replacing a deploy key, cloud credential or registry token makes every workflow that uses the secret authenticate to the adversary's endpoint or with a credential the adversary knows. Depending on the secret, that means access to production systems, tampering with build or deploy output, or impersonating the organization against third-party services. Overwriting a secret with an invalid value also breaks the workflows that depend on it.

Mitigation
- Identify the actor and time from the audit log (and the secret name where the entry carries it) and confirm the change was expected.
- If not, treat the previous value as exposed and the new value as untrusted: rotate the credential at its provider and set the secret again from a trusted session.
- Review workflow runs that used the secret after the change.
- Limit who can manage organization secrets, restrict each secret to the repositories that need it, and put production credentials in environments that require reviewers.
- Require 2FA for everyone who can manage secrets and review the audit log for secret changes regularly.

MITRE Tactic: TA0003
MITRE Technique: T1037
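The organization-setting alerts above (2FA requirement, SAML settings, owner/member role, repository creation permission, default branch, Actions secrets) all come from GitHub audit log events. The following script is an added example, not part of the Coralogix extension or of GitHub, showing how such events can be triaged over constructed audit log lines. It assumes the JSON-lines shape of a GitHub audit log export (`action`, `actor`, `org`, `created_at` in epoch milliseconds) and uses GitHub's documented action names; EXPECTED_ADMINS and CHANGE_WINDOW_UTC are placeholders for your own owner list and change window.

```python
import json
from datetime import datetime, timezone

# GitHub audit log action names for the alerts above, with a base severity.
WATCHLIST = {
    "org.disable_two_factor_requirement": "critical",
    "org.update_saml_provider_settings": "critical",
    "org.update_member": "high",
    "org.update_actions_secret": "high",
    "org.update_member_repository_creation_permission": "medium",
    "org.update_new_repository_default_branch_setting": "low",
    "org.update_terms_of_service": "low",
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Assumed placeholders: accounts expected to make owner-level changes, and the
# UTC hours in which such changes are expected.
EXPECTED_ADMINS = {"alice-admin", "bob-admin"}
CHANGE_WINDOW_UTC = range(9, 18)

# Constructed sample log in JSON-lines form (not a real export).
SAMPLE_LOG = """
{"action": "repo.create", "actor": "carol-dev", "org": "acme", "created_at": 1709546700000}
{"action": "org.disable_two_factor_requirement", "actor": "mallory", "org": "acme", "created_at": 1709521920000}
{"action": "org.update_actions_secret", "actor": "alice-admin", "org": "acme", "created_at": 1709546790000}
{"action": "org.update_member", "actor": "bob-admin", "org": "acme", "created_at": 1709562600000}
this line is deliberately not JSON
"""


def parse_entries(lines):
    """Parse JSON-lines audit log text, skipping blank and malformed lines."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a SIEM pipeline would count these; the example skips them
    return entries


def escalate(current, floor):
    """Raise a severity to at least `floor`; never lower it."""
    return floor if SEVERITY_RANK[floor] < SEVERITY_RANK[current] else current


def triage(entries, expected_admins=EXPECTED_ADMINS, change_window=CHANGE_WINDOW_UTC):
    """Return watchlisted changes, escalated when the actor is not a known owner
    or the change happened outside the change window, sorted worst first."""
    findings = []
    for e in entries:
        action = e.get("action")
        if action not in WATCHLIST:
            continue
        severity = WATCHLIST[action]
        reasons = []
        when = datetime.fromtimestamp(e["created_at"] / 1000, tz=timezone.utc)
        if e.get("actor") not in expected_admins:
            # An owner-level change by an account that should not hold owner power.
            reasons.append("actor is not an expected owner")
            severity = escalate(severity, "critical")
        if when.hour not in change_window:
            reasons.append("outside change window")
            severity = escalate(severity, "high")
        findings.append({
            "severity": severity,
            "action": action,
            "actor": e.get("actor"),
            "org": e.get("org"),
            "time": when.isoformat(),
            "reasons": reasons,
        })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["time"]))
    return findings


if __name__ == "__main__":
    for f in triage(parse_entries(SAMPLE_LOG.splitlines())):
        print(f["severity"].upper(), f["time"], f["org"], f["action"], f["actor"],
              "; ".join(f["reasons"]))
```

The two enrichment rules (unexpected actor, outside change window) are what turn a settings-change alert into something an on-call engineer can act on; the 2FA disable by an unknown account at 03:12 UTC lands at the top, while the same-day secret update by a known owner inside business hours stays at its base severity.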

Github Enterprise - User was unblocked

This alert is triggered when a user the organization had blocked is unblocked.

Impact
Blocking is how an organization keeps a known-malicious or abusive account away from its repositories. Unblocking such an account:
- Lets a previously removed or compromised user interact with the organization again: opening issues and pull requests, forking repositories and, if re-added, pushing code.
- Undoes a containment step taken during an earlier incident, which may let the original activity resume.
- May breach internal policy or regulatory commitments made in response to that incident.
- Makes accountability harder if the reason for the original block was not recorded.

Mitigation
- Determine from the audit log who unblocked the user and why. If the unblock was not authorized, re-block the user and review the actor's account.
- Record the reason for each block so that unblock decisions can be evaluated, and restrict unblocking to a small set of owners.
- If the unblock coincides with other suspicious changes, treat it as part of a wider incident, secure the organization's repositories, and investigate.

MITRE Tactic: TA0001
MITRE Technique: T1078

Github Enterprise - Action artifacts/Logs retention was changed

This alert is triggered when the retention period for GitHub Actions artifacts and workflow logs is changed for the organization.

Impact
Shortening retention causes artifacts and logs older than the new limit to be deleted, which is a simple way for an adversary to destroy evidence. Possible impacts:
- Loss of workflow logs and artifacts needed for forensic investigation, auditing or compliance.
- Inability to reconstruct what a malicious workflow run did, since the run log is often the only record of its commands and output.
- Loss of context for troubleshooting failed builds.
- Failure to meet regulatory retention requirements.
Lengthening retention keeps artifacts, which may contain secrets or build outputs, available for longer than intended.

Mitigation
- Confirm the actor and intent from the audit log and restore the intended retention period.
- Stream the audit log and workflow logs to an external system with its own retention so that a change in GitHub cannot erase them.
- Restrict organization Actions settings to the minimal set of owners, and if the change was not authorized, secure the organization and investigate.

MITRE Tactic: TA0003
MITRE Technique: T1098

Github Enterprise - Public fork setting was changed

This alert is triggered when the organization's setting for requiring approval of workflows from public forks is changed.

Impact
By default, workflows triggered by a pull request from a first-time contributor's public fork wait for a maintainer's approval before they run. Loosening the setting lets anyone on GitHub open a pull request from a fork and have the workflow run without review. The workflow runs the fork's code, so this is arbitrary code execution on the organization's runners; on self-hosted runners it means execution on infrastructure the organization owns, with whatever network access and credentials the runner host has. Tightening the setting slows outside contributions but is the safe direction.

Mitigation
- Restore the setting to require approval for all outside collaborators, or at least for first-time contributors, and confirm the actor and intent from the audit log.
- Review workflow runs from public fork pull requests during the period the setting was relaxed, especially runs on self-hosted runners, and rotate any secret they could have read.
- Do not use self-hosted runners for public repositories; use GitHub-hosted runners, which are discarded after each job.
- If the project depends on outside contributions, explain the approval step to contributors rather than disabling it.

MITRE Tactic: TA0003
MITRE Technique: T1098

Github Enterprise - Runner application was updated

This alert is triggered when the self-hosted runner application on a registered runner is updated to a new version.

Impact
The runner application is the agent that receives jobs from GitHub and executes them on the host, with whatever privileges the runner service has. Routine automatic updates are expected, but an update that does not correspond to a version GitHub published, or that happens on a host nobody administers, could mean:
- A modified agent that leaks job secrets or injects code into builds.
- Changed behaviour that breaks or silently alters automated processes that rely on the runner.
- A backdoored host that the adversary keeps as a foothold inside the network.
- Abuse of the host for attacks on other systems or for cryptocurrency mining.

Mitigation
- Confirm the update corresponds to a release published by GitHub and that the host is one you administer.
- Check the runner binaries on the host against the published release, and reprovision the host if in doubt.
- Prefer ephemeral runners built from a known image so that a compromised agent does not persist across jobs.
- Monitor runner hosts like any other server: patching, process and network monitoring, and centralized logging; investigate if the update cannot be explained.

MITRE Tactic: TA0003
MITRE Technique: T1037

Github Enterprise - Runner application was stopped

This alert is triggered when a self-hosted runner goes offline.

Impact
A stopped runner is mainly an availability problem, but it can also be a signal:
- Disruption of CI/CD pipelines and other automated jobs that target the runner.
- Delays in testing, releases and bug fixes.
- Loss of output from jobs that were in progress.
- Blind spots if the runner performs security tasks such as scanning or monitoring.
- An adversary may stop a runner so that jobs are picked up by another runner they control, or to cover the replacement of the runner software.

Mitigation
- Determine why the runner went offline (host shutdown, service stopped, network loss) and who did it, using host logs together with the audit log.
- Check which runner picked up the jobs it would have run and that it was an expected one.
- Alert on unexpected offline events and keep enough capacity that a single runner loss does not stall deployments.

MITRE Tactic: TA0003
MITRE Technique: T1053

Github Enterprise - Runner application was started

This alert is triggered when a self-hosted runner comes online.

Impact
An online runner receives jobs, with their secrets and source, from every repository that can target its group. If the host that came online is not one the organization provisioned, or came online at an unexpected time, an adversary may be reading job secrets and build inputs, modifying build outputs, or using the organization's workflows to run code of their choosing. A rogue runner with the same labels as legitimate ones can also intercept jobs meant for them and disrupt legitimate builds and deployments.

Mitigation
- Confirm that the runner name, labels and host correspond to a machine the organization provisioned.
- Restrict who can register and start runners, and review that access regularly.
- Maintain an inventory of expected runners and alert when one comes online that is not in it.

MITRE Tactic: TA0003
MITRE Technique: T1053

Github Enterprise - Runner group member was updated

This alert is triggered when the list of runners in a runner group is updated.

Impact
A runner group decides which repositories and workflows can send jobs to which runners. Moving a runner into a group that more repositories can use exposes that host to those repositories' workflow code and gives their jobs the host's network position and credentials. Moving a runner out of a group can silently route jobs to a different host, possibly one the adversary controls. Either change can disrupt builds and deployments.

Mitigation
- Confirm the actor and intent from the audit log and restore the intended membership.
- Limit runner group administration to owners, and review group membership regularly against an inventory.
- Keep runners that handle production credentials in a group restricted to the repositories and workflows that need them.

MITRE Tactic: TA0003
MITRE Technique: T1037

Github Enterprise - Self hosted runner was removed from a group

This alert is triggered when a self-hosted runner is removed from a runner group.

Impact
Removing a runner from a group stops the group's repositories from sending jobs to it. On its own that is an availability issue, but an adversary may use it to force jobs onto a runner they control, to take a runner out of a locked-down group before re-adding it to a permissive one, or to hide a compromised host from the group's owners. Watch these changes together with the rest of the audit log so that the larger pattern is visible, and have a plan for responding quickly when it is.

Mitigation
- Confirm the actor and intent, and restore the runner to its intended group.
- Restrict runner group administration to a small set of owners and review that access regularly.
- Keep and audit logs of runner group changes and job assignments so that unexpected routing is detected.

MITRE Tactic: TA0003
MITRE Technique: T1098

Github Enterprise - Self-hosted runner was added to group

This alert is triggered when a self-hosted runner is added to a runner group.

Impact
Adding a runner to a group lets the group's repositories run workflow code on that host. If the adversary controls the host, every job routed to it exposes its secrets, source and build outputs to them, and they can alter what the job produces. If the adversary controls a repository that can reach the group, adding a trusted host to it gives them code execution on that host and access to whatever it can reach.

Mitigation
- Confirm the actor and intent, and that the runner is a host the organization provisioned.
- Restrict who can add runners to groups and review that access regularly.
- Review group membership against an inventory and remove any runner that is not recognized.

MITRE Tactic: TA0003
MITRE Technique: T1078

Github Enterprise - Self-hosted runner group was updated

This alert is triggered when a self-hosted runner group's settings are updated.

Impact
Group settings control which repositories can use the group, whether public repositories are allowed, and which workflows may target it. Widening any of these lets more, possibly untrusted, workflow code run on the group's hosts; allowing public repositories means anyone who can open a pull request may reach them. The result can be data theft from those hosts and unauthorized access to the networks they sit on.

Mitigation
- Confirm the actor and intent from the audit log and restore the intended settings.
- Keep groups restricted to selected repositories and workflows, and never allow public repositories to use self-hosted runners.
- Keep the runner hosts and the runner application patched, and have a plan for responding to unauthorized changes.

MITRE Tactic: TA0003
MITRE Technique: T1037

Github Enterprise - Self-hosted runner group was removed

This alert is triggered when a self-hosted runner group is removed.

Impact
Runner groups are how an organization scopes which repositories can use which runners. Removing a group disrupts the CI/CD workflows that target it, and its runners are returned to the default group, which may be visible to more repositories than the removed group was. An adversary may remove a group as a step toward exposing its runners to repositories they control. Losing the group also removes the record of the intended scoping.

Mitigation
- Determine from the audit log how and by whom the group was removed and whether it was authorized.
- Recreate the group with its previous restrictions and move its runners back before the default group's repositories can use them.
- Keep the intended group configuration under change control, and have an incident response plan for unauthorized configuration changes.

MITRE Tactic: TA0003
MITRE Technique: T1098

Github Enterprise - Self-hosted runner group was created

This alert is triggered when a self-hosted runner group is created.

Impact
A new group is a new scope for runner access. An adversary can create a group that allows all repositories, or public repositories, to use it and then add runners to it, giving untrusted workflow code a path onto those hosts. They can also register their own runner into the group to receive jobs and the secrets and source that come with them.

Mitigation
- Determine from the audit log who created the group and whether it was authorized.
- Remove an unauthorized group, and any runners registered to it, as soon as possible.
- Review the group's settings for wide visibility or public repository access before allowing it to remain.

MITRE Tactic: TA0005
MITRE Technique: T1578
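The runner group alerts above (members updated, group updated, removed, created) all come down to the same question: which repositories and workflows can reach which hosts. The following is an added example, not part of the Coralogix extension or of GitHub's tooling, that evaluates runner group settings for the exposures those alerts describe and compares them with an intended baseline. RUNNER_GROUPS is a constructed sample in the shape of the `runner_groups` array returned by GET /orgs/{org}/actions/runner-groups (field names as I recall the API; verify them against your API version), and BASELINE is an assumed record of the intended configuration.

```python
# Constructed sample in the shape of the runner_groups array returned by
# GET /orgs/{org}/actions/runner-groups (field names assumed; verify).
RUNNER_GROUPS = [
    {"id": 1, "name": "Default", "visibility": "all", "default": True,
     "allows_public_repositories": False, "restricted_to_workflows": False,
     "selected_workflows": []},
    {"id": 2, "name": "prod-deploy", "visibility": "selected", "default": False,
     "allows_public_repositories": False, "restricted_to_workflows": True,
     "selected_workflows": ["acme/infra/.github/workflows/deploy.yml@refs/heads/main"]},
    {"id": 3, "name": "oss-builders", "visibility": "all", "default": False,
     "allows_public_repositories": True, "restricted_to_workflows": False,
     "selected_workflows": []},
]

# Assumed: the configuration the organization intends, keyed by group name.
BASELINE = {
    "Default": {"visibility": "all", "allows_public_repositories": False},
    "prod-deploy": {"visibility": "selected", "allows_public_repositories": False,
                    "restricted_to_workflows": True},
    "oss-builders": {"visibility": "selected", "allows_public_repositories": False},
}


def audit_runner_groups(groups):
    """Return (group, severity, issue) for each exposure in the live settings.
    Severity follows blast radius: who can push workflow code to the hosts."""
    findings = []
    for g in groups:
        name = g.get("name")
        if g.get("allows_public_repositories"):
            # Anyone who can open a pull request against a public repo can reach the hosts.
            findings.append((name, "high",
                             "public repositories may use this group; a fork pull request "
                             "can run code on its runners"))
        if g.get("visibility") == "all":
            findings.append((name, "medium",
                             "every repository in the organization can target this group"))
        if not g.get("restricted_to_workflows"):
            findings.append((name, "low",
                             "any workflow in an allowed repository can use the group; "
                             "restrict it to selected workflows"))
    return findings


def drift(groups, baseline):
    """Compare live settings with the intended baseline. Returns
    (group, field, expected, actual) for each mismatch; a group present on one
    side only is reported with field "<group>"."""
    out, seen = [], set()
    for g in groups:
        name = g.get("name")
        seen.add(name)
        expected = baseline.get(name)
        if expected is None:
            out.append((name, "<group>", "absent", "present"))
            continue
        for field, want in expected.items():
            if g.get(field) != want:
                out.append((name, field, want, g.get(field)))
    for name in baseline:
        if name not in seen:
            out.append((name, "<group>", "present", "absent"))
    return out


if __name__ == "__main__":
    for group, severity, issue in audit_runner_groups(RUNNER_GROUPS):
        print(f"[{severity}] {group}: {issue}")
    for group, field, want, got in drift(RUNNER_GROUPS, BASELINE):
        print(f"DRIFT {group}.{field}: expected {want!r}, found {got!r}")
```

Run on a schedule and after each of the runner group alerts above, the drift check turns an alert that says "something changed" into one that says what changed and in which direction; in the sample, oss-builders has both been opened to all repositories and allowed public repositories, which is the combination that gives outside contributors code execution on the hosts.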

Github Enterprise - Self-hosted runner was removed

This alert is triggered when a self-hosted runner is removed from the organization.

Impact
Self-hosted runners run the organization's automated workflows, including CI/CD pipelines. Removing one disrupts the workflows that depend on it and delays deployments and releases. An adversary may also remove a runner so that its jobs fall to another runner they control, or to erase a host they have been using.

Mitigation
- Determine from the audit log who removed the runner and whether it was authorized.
- Check which runner picked up the affected jobs in the meantime.
- Register a replacement runner from a known-good image to restore the automated workflows.

MITRE Tactic: TA0003
MITRE Technique: T1098

Github Enterprise - Outside collaborator was removed

This alert is triggered when an outside collaborator is removed from an organization, or when the organization requires two-factor authentication and an outside collaborator does not have 2FA enabled or disables it.

Impact
Removal is usually a housekeeping or compliance event, and when it results from the 2FA requirement it is the control working as intended. The impact is to availability: work the collaborator was doing on the affected repositories stops, and the access they needed has to be re-granted. An unexpected removal by an owner can also be a distraction or a retaliation step during a wider compromise.

Mitigation
- Determine from the audit log why the collaborator was removed (explicit removal or 2FA non-compliance) and who performed it.
- If the removal was unauthorized, review the actor's account and its other recent actions, and assess how the adversary obtained the ability to remove collaborators.
- Re-add the collaborator once they meet the organization's 2FA requirement, with the minimal repository access they need.

MITRE Tactic: TA0003
MITRE Technique: T1098

Github Enterprise - A Billing manager was removed

This alert is triggered when a billing manager is removed from an organization, or when the organization requires two-factor authentication and a billing manager does not have 2FA enabled or disables it.

Impact
Billing managers can view and manage the organization's billing and payment details but have no access to its repositories. Removing the last billing manager leaves only the owners able to manage subscriptions and payment methods, which can lead to lapsed payments and loss of paid features; an unexpected removal can also be a sign that an owner account is being misused.

Mitigation
- Determine from the audit log why the billing manager was removed and who performed it.
- Assign a new billing manager as soon as possible so subscriptions and usage remain managed.
- Require 2FA for everyone with an organization role, billing managers included.

MITRE Tactic: TA0003
MITRE Technique: T1098

Github Enterprise - Action secret was removed

This alert is triggered when an organization-level GitHub Actions secret is removed.

Impact
- Disruption of automated workflows: secrets authenticate workflows to cloud providers, registries and deployment targets. Removing one breaks every CI/CD workflow that uses it until it is restored.
- Evidence of compromise: an adversary who has already copied a secret may delete it to provoke a hurried re-creation, or remove a secret they replaced earlier to cover their tracks. Deleting the secret does not revoke the credential it held, so anyone who obtained that credential can still use it.

Mitigation
- Identify the root cause: determine from the audit log who removed the secret and whether it was authorized.
- Rotate the secret: treat the removed value as exposed, revoke it at the provider, and create a new one from a trusted session rather than re-entering the old value.
- Conduct a security review: limit who can manage organization secrets, scope each secret to the repositories that need it, and rotate secrets on a schedule.

MITRE Tactic: TA0003
MITRE Technique: T1098

Github Enterprise - Self-hosted runner was registered

This alert is triggered when a new self-hosted runner is registered with the organization.

Impact
A registered runner receives jobs, and with them the secrets and source of the repositories that can reach it. If the host was registered by an adversary, they can read those secrets and tamper with build outputs; if it is a legitimate host that is later compromised, the attacker inherits the same access plus the host's network position, and can disrupt the CI/CD pipelines that depend on it. GitHub advises against using self-hosted runners for public repositories, because a fork pull request can run arbitrary code on them.

Mitigation
- Confirm the registration corresponds to a host the organization provisioned; remove any runner you cannot account for.
- Implement proper access controls: restrict who can register runners, require multi-factor authentication for them, and review that access regularly.
- Use a dedicated machine: run runners on dedicated hosts, or ephemeral VMs or containers built from a known image, not on machines that also run other services.
- Regularly update software: keep the runner host's operating system, the runner application and its dependencies patched.
- Monitor for unusual activity: unexpected network traffic, new processes and failed logins on runner hosts.

MITRE Tactic: TA0005
MITRE Technique: T1578

Github Enterprise - OAuth App access was requested

This alert is triggered when a member requests that an OAuth App be granted access to your organization.

Impact
Until an owner approves the request nothing has been granted, but approval lets the app act with the requesting user's permissions across the organization's repositories. Approving a malicious or overly broad app can lead to:
- Data theft: the app can read private repositories and, depending on its scopes, member data.
- Abuse of the organization's identity: it can act on issues, pull requests and repositories on behalf of members, for instance to spread malicious links or code.
- Disruption: it can modify or delete content the approving members can reach.
Repeated requests for the same app, or a request from a newly added member, deserve a closer look.

Mitigation
- Review the requested app before approving: who publishes it, what scopes it asks for, and whether the requester needs it. Deny anything that is not required.
- Keep OAuth App access restrictions enabled so that apps need owner approval.
- Prefer GitHub Apps with fine-grained permissions over OAuth Apps where possible.
- Require 2FA, send the audit log to your SIEM, and periodically review the apps already approved for the organization.

MITRE Tactic: TA0001
MITRE Technique: T1190

Github Enterprise - OAuth App access was denied

This alert gets triggered when a previously approved OAuth App's access to your organization is denied. Impact If an adversary with owner privileges denies access to an OAuth App your organization relies on, it could have several impacts on your organization: Disruption of workflows: integrations built on the app stop working, hindering the ability of team members to use GitHub repositories and resources through it. Limited collaboration: team members may be unable to collaborate effectively on projects and tasks that depend on the app. Loss of data: information held only in the app's integrations, such as project management data, may become unavailable. A denial by a legitimate owner, on the other hand, is the normal response to an app that is no longer trusted, so the actor and the reason matter more than the event itself. Mitigation Verify that the actor is an owner and that the denial was intentional; if it was not, re-approve the app and review the actor's account for compromise. Monitor for suspicious activity: keep an eye out for unusual activity on your organization's accounts and take appropriate action if you notice anything. Conduct a security risk assessment to identify how an attacker could obtain owner privileges and deny app access. Train your employees: regularly train staff on identifying and preventing phishing and social engineering attacks, so that they are more aware of potential security threats. MITRE Tactic: TA0005 MITRE Technique: T1562

Github Enterprise - Two factor authentication was enabled after disabling

This alert gets triggered when the organization-wide two-factor authentication requirement is re-enabled after having been disabled. Two-factor authentication (2FA) requires users to present two forms of identification when logging in, typically a password plus a code from an authenticator app, a hardware key or an SMS message. Impact Re-enabling the requirement is, on its own, the desired state. The concern is the window between the disable and the re-enable: while the requirement was off, accounts without 2FA could be added to the organization or could keep acting with a password alone, and an adversary who disabled it to let such an account in may re-enable it so that the configuration looks untouched. Examples of how an adversary could use that window to harm the organization: Gaining unauthorized access: without 2FA, an attacker could gain access to sensitive data or resources with a stolen password alone. Stealing credentials: stolen credentials could then be used to reach other systems or services the organization uses. Launching further attacks: with that access, an attacker could proceed to data exfiltration, privilege escalation or malware injection. Mitigation Identify the root cause: determine who disabled and who re-enabled 2FA, when, and whether either change was approved. Review security logs: examine the audit log for everything that happened while the requirement was off, particularly members added or invited and repository, secret or OAuth App changes. Have an incident response plan in place so that the disable-and-re-enable pattern is triaged promptly rather than treated as already resolved. MITRE Tactic: TA0005 MITRE Technique: T1562

Github Enterprise - Member team creation permission was disabled

This alert gets triggered when the permission that lets members create teams is disabled. Impact On its own this is a low-impact configuration change: only organization owners can then create teams. If an adversary with owner privileges disabled it, it would prevent members from creating new teams, which could limit collaboration and communication and delay new projects or initiatives, as teams are often necessary for organizing and executing work. Combined with other changes to team management it could further impede the ability of existing teams to function, and depending on the organization's response this could disrupt business operations and lead to financial loss. Mitigation Identify the root cause: determine who disabled the team creation permission and whether the change was approved; if it was not, treat the owner account as potentially compromised. Restore permissions: if the change was unintended, restore the team creation permission as soon as possible to minimize disruption. Monitor for suspicious activity: check the audit log around the event for other settings changes by the same actor and take appropriate action if you notice anything unusual. MITRE Tactic: TA0005 MITRE Technique: T1562

Github Enterprise - OAuth app access restriction was disabled

This alert gets triggered when an owner disables OAuth App access restrictions for your organization. OAuth (Open Authorization) is a protocol that lets external applications act on a user's resources without the user sharing their credentials. GitHub's OAuth App access restrictions are an organization setting on top of that: while they are enabled, an OAuth App authorized by a member can only reach the organization's resources after an owner has approved it. Impact If an adversary is able to disable the restrictions, every OAuth App that any member has authorized gains access to organization resources without owner review, which could have serious consequences for the security of the organization, such as reading private repositories and performing actions on behalf of the organization through the app. Mitigation Verify who disabled the restrictions and why, and re-enable them if the change was not approved. Review the OAuth Apps that members have authorized and revoke any that are not recognised. Implement strong access controls on owner accounts, regularly review and monitor OAuth app access, keep all software up to date, verify the authenticity of any apps you use, and have an incident response plan in place so that you can quickly identify, isolate and remediate any security breach. MITRE Tactic: TA0005 MITRE Technique: T1562

Github Enterprise - Github action secret was created

This alert gets triggered when a GitHub Actions secret is created for an organization. Impact Secrets are encrypted variables that workflows use to hold sensitive values such as access keys or tokens, and creating one at organization level requires owner-level privileges. An unexpected secret therefore means someone with high privileges is changing what workflows can reach: an adversary may store credentials for infrastructure they control so that workflows push code or artifacts to it, or make a secret available to repositories where workflows they can edit will read it. Mitigation Verify who created the secret, its name and which repositories it is shared with, and delete it if it is not recognised. Implement strong access controls on who can manage secrets, regularly review and monitor the secrets list, and keep sensitive material in a secrets manager such as HashiCorp Vault or AWS Secrets Manager where access is logged. Follow security best practices when using GitHub Actions: limit organization secrets to the repositories that need them, review the workflows that consume the secret, verify the authenticity of any third-party actions you use and pin them to a reviewed version, and keep all software up to date. Threat-model which actions and workflows depend on the secret and what they could do with it. MITRE Tactic: TA0004 MITRE Technique: T1134

Github Enterprise - Organization invitation was revoked

This alert gets triggered when an organization invitation has been revoked. Impact A revoked invitation is usually routine housekeeping, but it can also be an adversary's work: an attacker with owner privileges could revoke the invitation of a legitimate new member to disrupt onboarding, or could revoke an invitation they themselves sent earlier to remove evidence once the invited account has served its purpose. The organization should confirm who revoked the invitation, whom it was for and who originally issued it, and treat an unexplained revocation as a signal to look for other changes by the same actor. Mitigation Verify with the owner or the original inviter that the revocation was intended, and re-invite the member if it was not. Review the audit log for invitations and membership changes by the same actor around the same time, and identify any vulnerability or compromised account that allowed the action and address it. Keep the affected team informed and follow your incident response plan. Document the incident and report it to relevant authorities, if applicable. MITRE Tactic: TA0040 MITRE Technique: T1531

Github Enterprise - Advanced security was disabled

This alert gets triggered when GitHub Advanced Security features are disabled for repositories owned by the organization. GitHub Advanced Security is a set of features that help organizations secure their code and catch vulnerabilities before they ship. Impact When an owner disables these features, the organization loses automated detection and is at higher risk of security breaches. Here are a few examples of how Advanced Security helps protect an organization: Code scanning: automatically analyzes repository code for vulnerability classes such as SQL injection or cross-site scripting (XSS); when findings appear, GitHub notifies the repository maintainers and provides guidance on how to fix them. Secret scanning: detects credentials such as passwords, tokens or private keys committed to a repository, helping to catch accidental leaks. Dependency graph: provides visibility into a project's dependencies, including known vulnerabilities in them, so developers can fix them before attackers exploit them. Mitigation Verify who disabled the features and why, and re-enable them if the change was not approved. Without these features an organization has to rely on other means to identify vulnerabilities, which is slower, more error-prone and increases the risk that vulnerabilities go unnoticed; after re-enabling, review what was merged while scanning was off. The cost of a missed vulnerability falls not only on the organization but on its end users and clients, so it is better to be proactive than reactive. MITRE Tactic: TA0005 MITRE Technique: T1562

Github Enterprise - Advanced security was enabled after disabling

This alert gets triggered when GitHub Advanced Security features are re-enabled for repositories owned by the organization after having been disabled. Impact An insider, or an adversary with owner privileges, can disable the features, push or merge changes that scanning would have flagged, and then re-enable them so that the configuration looks untouched. Mitigation Compare the disable and re-enable events: who performed each, how far apart they were, and what was committed or merged in between. Verify with the actor that both changes were intentional, and scan the affected repositories for the period the features were off. MITRE Tactic: TA0004 MITRE Technique: T1078
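The two "re-enabled after disabling" alerts above (two-factor authentication and Advanced Security) are really one detection: pair each disable event with the matching re-enable for the same organization and control, measure the gap, and pull out what happened in between. The following script is an added example and is not Coralogix or GitHub code. It assumes GitHub audit log lines are JSON objects with "action", "actor", "org" and "@timestamp" (milliseconds since the epoch) fields, as the audit log API returns them, and that the action names in CONTROL_PAIRS are the org-level setting events; the sample lines are constructed for the example.

```python
"""Pair "disabled" and "re-enabled" events for organization security controls
in GitHub audit log data and report how long each control was off and what
happened meanwhile.

Added example, not code from Coralogix or GitHub. Assumptions: each audit log
line is a JSON object with "action", "actor", "org" and "@timestamp"
(milliseconds since the epoch) fields, and the action names in CONTROL_PAIRS
are the org-level setting events. SAMPLE_LINES are constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable

# disable action -> (control name, matching re-enable action)
CONTROL_PAIRS = {
    "org.disable_two_factor_requirement":
        ("two_factor_requirement", "org.enable_two_factor_requirement"),
    "org.advanced_security_disabled_for_new_repos":
        ("advanced_security", "org.advanced_security_enabled_for_new_repos"),
    "org.secret_scanning_disable":
        ("secret_scanning", "org.secret_scanning_enable"),
    "org.secret_scanning_push_protection_disable":
        ("push_protection", "org.secret_scanning_push_protection_enable"),
}
ENABLE_TO_CONTROL = {enable: control for control, enable in CONTROL_PAIRS.values()}


@dataclass(frozen=True)
class ToggleWindow:
    org: str
    control: str
    disabled_by: str
    enabled_by: str
    disabled_at: datetime
    enabled_at: datetime

    @property
    def duration(self) -> timedelta:
        return self.enabled_at - self.disabled_at

    def is_quick_flip(self, threshold: timedelta = timedelta(hours=1)) -> bool:
        """The same actor turning a control off and back on within a short
        window is the cover-your-tracks pattern to escalate first."""
        return self.disabled_by == self.enabled_by and self.duration <= threshold


def _ts(event: dict) -> datetime:
    return datetime.fromtimestamp(event["@timestamp"] / 1000, tz=timezone.utc)


def parse_events(lines: Iterable[str]) -> list[dict]:
    """Parse JSON lines and sort by timestamp so ingestion order does not matter."""
    return sorted((json.loads(line) for line in lines if line.strip()),
                  key=lambda e: e["@timestamp"])


def find_toggle_windows(events: list[dict]) -> list[ToggleWindow]:
    """Return every disable -> re-enable pair, keyed per org and control.
    A re-enable with no recorded disable is ignored rather than mispaired."""
    open_disables: dict[tuple[str, str], dict] = {}
    windows: list[ToggleWindow] = []
    for ev in events:
        action = ev.get("action")
        if action in CONTROL_PAIRS:
            control = CONTROL_PAIRS[action][0]
            open_disables[(ev["org"], control)] = ev      # latest disable wins
        elif action in ENABLE_TO_CONTROL:
            control = ENABLE_TO_CONTROL[action]
            dis = open_disables.pop((ev["org"], control), None)
            if dis is not None:
                windows.append(ToggleWindow(ev["org"], control, dis["actor"],
                                            ev["actor"], _ts(dis), _ts(ev)))
    return windows


def activity_during(events: list[dict], window: ToggleWindow) -> list[dict]:
    """Everything that happened in the org while the control was off, excluding
    the toggle events themselves: the membership changes, secrets and pushes
    that need a second look."""
    toggles = set(CONTROL_PAIRS) | set(ENABLE_TO_CONTROL)
    return [ev for ev in events
            if ev.get("org") == window.org
            and window.disabled_at < _ts(ev) < window.enabled_at
            and ev.get("action") not in toggles]


T0 = 1_700_000_000_000  # constructed base time, 2023-11-14T22:13:20Z
SAMPLE_LINES = [  # constructed, and deliberately out of order
    json.dumps({"@timestamp": T0 + 600_000, "action": "org.enable_two_factor_requirement", "actor": "mallory", "org": "acme"}),
    json.dumps({"@timestamp": T0, "action": "org.disable_two_factor_requirement", "actor": "mallory", "org": "acme"}),
    json.dumps({"@timestamp": T0 + 120_000, "action": "org.add_member", "actor": "mallory", "org": "acme", "user": "contractor-x"}),
    json.dumps({"@timestamp": T0 + 50_000, "action": "org.secret_scanning_enable", "actor": "bob", "org": "acme"}),
    json.dumps({"@timestamp": T0 + 3_600_000, "action": "org.advanced_security_disabled_for_new_repos", "actor": "alice", "org": "acme"}),
    json.dumps({"@timestamp": T0 + 3_600_000 + 2 * 86_400_000, "action": "org.advanced_security_enabled_for_new_repos", "actor": "bob", "org": "acme"}),
]


def demo() -> list[ToggleWindow]:
    return find_toggle_windows(parse_events(SAMPLE_LINES))


if __name__ == "__main__":
    events = parse_events(SAMPLE_LINES)
    for w in find_toggle_windows(events):
        flag = "QUICK FLIP" if w.is_quick_flip() else "review"
        print(f"[{flag}] {w.org}/{w.control} off for {w.duration} "
              f"(disabled by {w.disabled_by}, re-enabled by {w.enabled_by})")
        for ev in activity_during(events, w):
            print(f"    during window: {ev['action']} by {ev['actor']} -> {ev.get('user', '')}")
```

On the sample data the script reports the ten-minute 2FA flip by mallory, with the member added in between, ahead of the two-day Advanced Security gap that alice opened and bob closed; the secret scanning re-enable with no matching disable produces no window, which avoids a false pairing when the disable predates the retention window.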

Github Enterprise - User was blocked from accessing repositories

This alert gets triggered when a user is blocked from accessing the organization's repositories. Impact A block is either a legitimate response to a suspicious account, for example an adversary masquerading as a user and trying to reach confidential data in the repositories, or, if performed by an adversary with owner privileges, a way to lock a legitimate member out. Mitigation Verify that the blocking actor is a legitimate owner and that the blocked user should indeed be blocked; investigate why the block happened, what privileges the blocked user held and what they accessed beforehand, and unblock the user if the block was not intended. MITRE Tactic: TA0001 MITRE Technique: T1078

Github Enterprise - Audit log was exported

This alert gets triggered when an export of the organization audit log is created. Impact Audit logs are a critical security component because they record who did what in the organization, including membership, permission and security-setting changes. An export gives an adversary a map of the organization's members, roles and repositories and shows them which of their own actions are visible to defenders, and it can also be one step in a larger exfiltration of sensitive data. Mitigation Verify that the actor is an owner with a legitimate need for the export. Limit access to the audit log to authorized personnel only through a robust access control system, protect exported copies with encryption, and stream the audit log to an external system such as your SIEM so that you hold an independent copy regardless of what happens in GitHub. Regular monitoring, backup and disaster recovery planning remain important parts of any security strategy. MITRE Tactic: TA0010 MITRE Technique: T1567

Github Enterprise - A member was removed

A removed member should be inspected and verified as legitimate. Impact An adversary will want to remove an organization member to revoke that user's access and disrupt normal operations. Mitigation Verify that the removal and the user performing it were legitimate. MITRE Tactic: TA0040 MITRE Technique: T1531

Github Enterprise - A new billing manager has been added

A newly added billing manager should be inspected and verified as legitimate. Impact An adversary will want to add an account they control as a billing manager to keep a foothold in the organization: billing managers cannot read repositories or code, but they can view invoices and change payment details, and the role is easy to overlook in membership reviews. Mitigation Verify with the owner that the added manager is legitimate and remove them if not. MITRE Tactic: TA0003 MITRE Technique: T1078

Github Enterprise - A new member was added

A newly added member should be inspected and verified as legitimate. Impact An adversary will want to add an account they control as an organization member to gain access to its repositories and code base. Mitigation Verify with the owner that the added user is legitimate and remove them if not. MITRE Tactic: TA0003 MITRE Technique: T1078

Github Enterprise - A new member was invited

A newly invited member should be inspected and verified as legitimate. Impact An adversary will want to invite an account they control into the organization to gain access to its repositories and code base. Mitigation Verify with the owner that the invited user is legitimate and cancel the invitation if not. MITRE Tactic: TA0003 MITRE Technique: T1078

Github Enterprise - GitHub Repository page site visibility was changed to public

A GitHub repository's visibility was changed to public. Public repositories expose all their content, including the full commit history, freely on GitHub. Impact If the code was not meant to be public, this is a data leak and can greatly harm the organization; anything ever committed, including secrets in old commits, becomes readable by anyone. Mitigation Verify that the repository was meant to be public; if not, make it private again, assume that anything in its history was copied while it was exposed, and rotate any credentials it contained. MITRE Tactic: TA0009 MITRE Technique: T1213 MITRE Sub-technique: 003

Github Enterprise - Admin demoted to an ordinary user

A user being demoted from the administrator role should be inspected and verified as legitimate. Impact An adversary will want to demote an organization admin to revoke their access and disrupt normal operations, or to remove a defender who could undo the adversary's changes. Mitigation Verify that the demotion and the admin performing it were legitimate. MITRE Tactic: TA0040 MITRE Technique: T1531

Github Enterprise - User promoted to admin

A user promoted to admin should be inspected and verified as legitimate. Impact An adversary will want to promote an account they control to admin (privilege escalation) to get full access to the repositories and code base. Mitigation Verify with the owner that the new admin is legitimate and remove the role if not. MITRE Tactic: TA0003 MITRE Technique: T1078
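The membership alerts above (member removed, billing manager added, member added or invited, admin demoted, user promoted to admin) all come down to the same triage questions: is the actor an expected owner, is the actor changing their own membership, is the change a promotion to admin, and is an expected owner being removed. The following script is an added example, not Coralogix or GitHub code, that answers those questions over constructed audit log lines. It assumes each line is a JSON object with "action", "actor", "org" and "user" fields and that, for org.update_member, the "old_permission" and "permission" fields carry the role before and after the change; APPROVED_OWNERS and SAMPLE_LINES are constructed for the example.

```python
"""Triage membership and role events from GitHub audit log lines against a
list of approved owners, flagging additions by unexpected actors, self-service
changes, promotions to admin and removal of an approved owner.

Added example, not Coralogix or GitHub code. Assumptions: each line is a JSON
object with "action", "actor", "org" and "user" fields; for org.update_member
the "old_permission" and "permission" fields give the role before and after the
change. APPROVED_OWNERS and SAMPLE_LINES are constructed.
"""
from __future__ import annotations

import json
from typing import Iterable

MEMBERSHIP_ACTIONS = {
    "org.add_member": "member added",
    "org.invite_member": "member invited",
    "org.add_billing_manager": "billing manager added",
    "org.update_member": "member role changed",
    "org.remove_member": "member removed",
}

# Accounts expected to administer the organization. In practice this comes from
# an IdP group or a reviewed owners list, not from GitHub itself (constructed).
APPROVED_OWNERS = {"alice"}


def triage(lines: Iterable[str], approved_owners: set[str]) -> list[dict]:
    """Return one finding per membership event that needs a human check, in
    input order. Events with nothing to flag produce no finding."""
    findings: list[dict] = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        action = ev.get("action")
        if action not in MEMBERSHIP_ACTIONS:
            continue
        actor, target = ev.get("actor"), ev.get("user")
        reasons: list[str] = []
        high = False
        if actor not in approved_owners:
            reasons.append(f"actor {actor!r} is not an approved owner")
        if actor == target:
            reasons.append("actor changed their own membership")
            high = True
        if action == "org.update_member" and ev.get("permission") == "admin":
            reasons.append(f"promoted to admin from {ev.get('old_permission')!r}")
            high = True
        if action == "org.remove_member" and target in approved_owners:
            reasons.append(f"removed approved owner {target!r}")
            high = True
        if reasons:
            findings.append({
                "org": ev.get("org"), "action": action,
                "what": MEMBERSHIP_ACTIONS[action],
                "actor": actor, "user": target,
                "severity": "high" if high else "medium",
                "reasons": reasons,
            })
    return findings


SAMPLE_LINES = [  # constructed
    json.dumps({"action": "org.add_member", "actor": "alice", "org": "acme", "user": "bob"}),
    json.dumps({"action": "org.invite_member", "actor": "mallory", "org": "acme", "user": "eve"}),
    json.dumps({"action": "org.update_member", "actor": "carol", "org": "acme", "user": "carol",
                "old_permission": "read", "permission": "admin"}),
    json.dumps({"action": "org.update_member", "actor": "alice", "org": "acme", "user": "dave",
                "old_permission": "read", "permission": "admin"}),
    json.dumps({"action": "org.remove_member", "actor": "mallory", "org": "acme", "user": "alice"}),
    json.dumps({"action": "repo.create", "actor": "bob", "org": "acme", "repo": "acme/tools"}),
]


def demo() -> list[dict]:
    return triage(SAMPLE_LINES, APPROVED_OWNERS)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity']}] {f['what']}: {f['actor']} -> {f['user']} "
              f"({'; '.join(f['reasons'])})")
```

The routine add of bob by an approved owner produces nothing, which keeps the alert actionable; the self-promotion by carol and the removal of the approved owner alice by mallory come out as high severity, and even the legitimate-looking promotion of dave by alice is surfaced, because a promotion to admin is the one change that always deserves a second pair of eyes.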

Github Enterprise - No logs from GitHub

This rule detects if there are no logs in the last 24 hours for GitHub in the customer account. Note: this alert should be configured with the relevant application and subsystem. Impact Disabling logging is a tactic adversaries employ, as part of various MITRE ATT&CK techniques, to avoid detection, cover their tracks, or impede incident response investigations; a silent source is also what a broken integration looks like, and either way the organization is blind. Mitigation Confirm whether the silence is a GitHub-side change (audit log streaming disabled or reconfigured, integration credentials expired) or an ingestion problem, and address it so that monitoring within the Coralogix SIEM stays comprehensive. MITRE Tactic: TA0005 MITRE Technique: T1562
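The "no logs" rule is an absence check, and the practical difficulty is that a source that has stopped sending and a source that was never onboarded both look like zero events in the window. The following script is an added example, not Coralogix code, that keeps the two cases apart by tracking the last record seen per application and subsystem against an explicit list of expected sources; it assumes ingested records carry "application", "subsystem" and "@timestamp" (milliseconds since the epoch) fields, and EXPECTED_SOURCES and the sample records are constructed.

```python
"""Find expected GitHub log sources that have gone silent, distinguishing a
source that stopped sending from one that never sent anything.

Added example, not Coralogix code. Assumptions: ingested records carry
"application", "subsystem" and "@timestamp" (milliseconds since the epoch)
fields, and the expected source list is maintained by the team that owns the
integration. EXPECTED_SOURCES and SAMPLE_RECORDS are constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Optional

EXPECTED_SOURCES = {
    ("github", "audit-log"),
    ("github", "actions"),
    ("github", "dependabot"),
}
WINDOW = timedelta(hours=24)


def _ts(ms: int) -> datetime:
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def last_seen_by_source(records: list[dict], now: datetime) -> dict[tuple[str, str], datetime]:
    """Latest timestamp per (application, subsystem). Records dated in the
    future are ignored: a skewed producer clock must not vouch for a source
    that has actually stopped."""
    seen: dict[tuple[str, str], datetime] = {}
    for r in records:
        ts = _ts(r["@timestamp"])
        if ts > now:
            continue
        key = (r["application"], r["subsystem"])
        if key not in seen or ts > seen[key]:
            seen[key] = ts
    return seen


def silent_sources(records: list[dict], expected: set[tuple[str, str]],
                   now: datetime, window: timedelta = WINDOW) -> dict[tuple[str, str], Optional[datetime]]:
    """Expected sources with no record inside the window. The value is the
    last time the source was seen, or None if it has never logged at all."""
    seen = last_seen_by_source(records, now)
    return {key: seen.get(key) for key in sorted(expected)
            if key not in seen or now - seen[key] > window}


NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current time"


def _ms(dt: datetime) -> int:
    return int(dt.timestamp() * 1000)


SAMPLE_RECORDS = [  # constructed
    {"application": "github", "subsystem": "audit-log", "@timestamp": _ms(NOW - timedelta(hours=2)), "action": "org.add_member"},
    {"application": "github", "subsystem": "audit-log", "@timestamp": _ms(NOW - timedelta(hours=5)), "action": "repo.create"},
    {"application": "github", "subsystem": "actions", "@timestamp": _ms(NOW - timedelta(hours=30))},
    {"application": "github", "subsystem": "actions", "@timestamp": _ms(NOW + timedelta(days=1))},  # skewed clock
    {"application": "github", "subsystem": "codespaces", "@timestamp": _ms(NOW - timedelta(minutes=1))},  # not expected
]


def demo() -> dict[tuple[str, str], Optional[datetime]]:
    return silent_sources(SAMPLE_RECORDS, EXPECTED_SOURCES, NOW)


if __name__ == "__main__":
    for (app, sub), last in demo().items():
        state = "never seen" if last is None else f"last seen {NOW - last} ago"
        print(f"{app}/{sub}: {state}")
```

On the sample data the audit log source is healthy, the Actions source is reported as silent for 30 hours despite the future-dated record, and Dependabot is reported as never seen, which points at onboarding rather than at an outage.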

Github Enterprise - Push Protection Bypass Detected

This alert triggers when a user bypasses push protection for a secret that secret scanning detected in a push. Impact 1. Risk of Leaks Bypassing push protection lets the detected secret land in the repository history, where anyone with read access, or everyone if the repository is public, can find it. 2. Unauthorized Access A secret that slips through gives an attacker a ready-made credential for the system it belongs to. 3. Legal and Compliance Consequences Deliberately skipping a safeguard can put the organization in breach of regulatory obligations, leading to fines and legal issues. 4. Loss of Trust When an organization appears to expose data knowingly, its reputation and customer trust suffer. 5. Sign of Bigger Problems A bypass can indicate an insider threat: someone inside the organization undermining security for their own reasons. Mitigation Check with the user whether the bypass was intentional and justified (push protection records the reason given, such as a false positive or test data). If the secret is real, treat it as exposed: rotate it, remove it from the history where practical, and investigate further. MITRE Tactic: TA0005 MITRE Technique: T1562 MITRE Sub-Technique: 001

Github Enterprise - Push Protection Disabled

This alert triggers if the push protection feature is disabled for an organization, enterprise, repository or custom pattern. Impact 1. Accidental Exposure of Sensitive Data Disabling push protection significantly increases the likelihood of inadvertently committing credentials or secret keys to repositories, which can lead to unauthorized access to critical systems and to data breaches. 2. Elevated Risk of Unauthorized System Access Exposed secrets may be exploited by malicious actors to gain unauthorized access to organizational resources, compromising system integrity and confidentiality. 3. Increased Susceptibility to Targeted Attacks Repositories without push protection are more attractive targets for attackers who search for leaked credentials. 4. Circumvention of Established Security Protocols Push protection is a proactive control that stops secrets before they enter the codebase; removing it weakens the other security controls that assume secrets are caught early. 5. Compliance Violations Organizations subject to data protection regulations may face penalties if sensitive information is exposed because a safeguard like push protection was removed. 6. Reputational Damage Exposure of sensitive data erodes stakeholder trust and can lead to loss of business. Mitigation Check with the user whether the change was intentional and approved. If not, re-enable push protection, review what was pushed while it was off, and investigate further. MITRE Tactic: TA0005 MITRE Technique: T1562 MITRE Sub-Technique: 001

Github Enterprise - Secret Scanning Feature Disabled

This alert triggers if the secret scanning feature is disabled for an enterprise or repository. Impact 1. Sensitive Data Exposure Like leaving the house keys under the mat, secrets can sit unnoticed in your code, ready for anyone who looks to find and exploit them. 2. Credential Theft Attackers routinely scan repositories for exposed secrets to gain unauthorized access to systems and services. 3. Widened Attack Surface Without scanning, leaked credentials stay undetected for longer, expanding the opportunities for attackers. 4. Insider Threats Without secret scanning, it is easier for someone inside the organization to intentionally expose secrets, potentially leading to data theft or system sabotage. 5. Compliance Issues Failing to detect and protect sensitive information can violate data protection regulations, resulting in fines and legal trouble. Mitigation Check with the user whether the change was intentional and approved. If not, re-enable secret scanning, review alerts once it has re-scanned the repository, and investigate further. MITRE Tactic: TA0005 MITRE Technique: T1562 MITRE Sub-Technique: 001

Integration

Learn more about Coralogix's out-of-the-box integration with GitHub Enterprise in our documentation.
