GitHub Security Vulnerability in Repository
| Id | 5436f471-b03d-41cb-b333-65891f887c43 |
| Rulename | GitHub Security Vulnerability in Repository |
| Description | This alerts when there is a new security vulnerability in a GitHub repository. |
| Severity | Informational |
| Tactics | InitialAccess Execution PrivilegeEscalation DefenseEvasion CredentialAccess LateralMovement |
| Techniques | T1190 T1203 T1068 T1211 T1212 T1210 |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/Security Vulnerability in Repo.yaml |
| Version | 1.0.3 |
| Arm template | 5436f471-b03d-41cb-b333-65891f887c43.json |
GitHubRepo
| where Action == "vulnerabilityAlert"
| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary
tactics:
- InitialAccess
- Execution
- PrivilegeEscalation
- DefenseEvasion
- CredentialAccess
- LateralMovement
relevantTechniques:
- T1190
- T1203
- T1068
- T1211
- T1212
- T1210
id: 5436f471-b03d-41cb-b333-65891f887c43
severity: Informational
query: |
GitHubRepo
| where Action == "vulnerabilityAlert"
| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary
requiredDataConnectors: []
queryPeriod: 1h
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: Link
triggerOperator: gt
triggerThreshold: 0
description: |
'This alerts when there is a new security vulnerability in a GitHub repository.'
version: 1.0.3
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/Security Vulnerability in Repo.yaml
queryFrequency: 1h
name: GitHub Security Vulnerability in Repository
kind: Scheduled
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5436f471-b03d-41cb-b333-65891f887c43')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5436f471-b03d-41cb-b333-65891f887c43')]",
"properties": {
"alertRuleTemplateName": "5436f471-b03d-41cb-b333-65891f887c43",
"customDetails": null,
"description": "'This alerts when there is a new security vulnerability in a GitHub repository.'\n",
"displayName": "GitHub Security Vulnerability in Repository",
"enabled": true,
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "Link",
"identifier": "Url"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/Security Vulnerability in Repo.yaml",
"query": "GitHubRepo\n| where Action == \"vulnerabilityAlert\"\n| project TimeGenerated, DismmisedAt, Reason, vulnerableManifestFilename, Description, Link, PublishedAt, Severity, Summary\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Informational",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess",
"DefenseEvasion",
"Execution",
"InitialAccess",
"LateralMovement",
"PrivilegeEscalation"
],
"techniques": [
"T1068",
"T1190",
"T1203",
"T1210",
"T1211",
"T1212"
],
"templateVersion": "1.0.3",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}