Sigma detection rules

5 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Detection rules

Level: critical
Bitbucket Unauthorized Full Data Export Triggered
Detects when a full data export is attempted by an unauthorized user.
Status: test · Author: Muhammad Faisal (@faisalusuf) · ID: 34d81081-03c9-4a7f-91c9-5e46af625cde
Sigma YAML:
title: Bitbucket Unauthorized Full Data Export Triggered
id: 34d81081-03c9-4a7f-91c9-5e46af625cde
status: test
description: Detects when a full data export is attempted by an unauthorized user.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
    - https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.collection
    - attack.resource-development
    - attack.t1213.003
    - attack.t1586
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advanced" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Data pipeline'
        auditType.action: 'Unauthorized full data export triggered'
    condition: selection
falsepositives:
    - Unlikely
level: critical
Level: high
Bitbucket Full Data Export Triggered
Detects when a full data export is attempted.
Status: test · Author: Muhammad Faisal (@faisalusuf) · ID: 195e1b9d-bfc2-4ffa-ab4e-35aef69815f8
Sigma YAML:
title: Bitbucket Full Data Export Triggered
id: 195e1b9d-bfc2-4ffa-ab4e-35aef69815f8
status: test
description: Detects when a full data export is attempted.
references:
    - https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
    - https://confluence.atlassian.com/adminjiraserver0811/importing-and-exporting-data-1019391889.html
author: Muhammad Faisal (@faisalusuf)
date: 2024-02-25
tags:
    - attack.collection
    - attack.t1213.003
logsource:
    product: bitbucket
    service: audit
    definition: 'Requirements: "Advanced" log level is required to receive these audit events.'
detection:
    selection:
        auditType.category: 'Data pipeline'
        auditType.action: 'Full data export triggered'
    condition: selection
falsepositives:
    - Legitimate user activity.
level: high
Level: medium
Github Delete Action Invoked
Detects delete actions in the GitHub audit logs for codespaces, environments, projects and repositories.
Status: test · Author: Muhammad Faisal (@faisalusuf) · ID: 16a71777-0b2e-4db7-9888-9d59cb75200b
Sigma YAML:
title: Github Delete Action Invoked
id: 16a71777-0b2e-4db7-9888-9d59cb75200b
status: test
description: Detects delete actions in the GitHub audit logs for codespaces, environments, projects and repositories.
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-19
modified: 2026-03-09
references:
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
    - https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events#codespaces
tags:
    - attack.impact
    - attack.collection
    - attack.t1213.003
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable it by following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'codespaces.destroy'
            - 'environment.delete'
            - 'project.delete'
            - 'repo.destroy'
    condition: selection
falsepositives:
    - Validate that the deletion activity is permitted. The "actor" field needs to be validated.
level: medium
Level: medium
Github Outside Collaborator Detected
Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed, when an owner removes an outside collaborator from an organization, or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
Status: test · Author: Muhammad Faisal (@faisalusuf) · ID: eaa9ac35-1730-441f-9587-25767bde99d7
Sigma YAML:
title: Github Outside Collaborator Detected
id: eaa9ac35-1730-441f-9587-25767bde99d7
status: test
description: |
    Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed, when an owner removes an outside collaborator from an organization, or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-20
references:
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.collection
    - attack.t1098.001
    - attack.t1098.003
    - attack.t1213.003
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable it by following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'org.remove_outside_collaborator'
            - 'project.update_user_permission'
    condition: selection
falsepositives:
    - Validate that the actor is permitted to access the repository.
    - Validate the multi-factor authentication changes.
level: medium
Level: low
Github Self Hosted Runner Changes Detected
A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runner configurations in the environment. Once a change is detected, it should be validated in the GitHub UI because the log entry may not provide full context.
Status: test · Author: Muhammad Faisal (@faisalusuf) · ID: f8ed0e8f-7438-4b79-85eb-f358ef2fbebd
Sigma YAML:
title: Github Self Hosted Runner Changes Detected
id: f8ed0e8f-7438-4b79-85eb-f358ef2fbebd
status: test
description: |
    A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com.
    This rule detects changes to self-hosted runner configurations in the environment. Once a change is detected,
    it should be validated in the GitHub UI because the log entry may not provide full context.
author: Muhammad Faisal (@faisalusuf)
date: 2023-01-27
references:
    - https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners
    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation
tags:
    - attack.impact
    - attack.discovery
    - attack.collection
    - attack.persistence
    - attack.privilege-escalation
    - attack.initial-access
    - attack.stealth
    - attack.t1526
    - attack.t1213.003
    - attack.t1078.004
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable it by following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'org.remove_self_hosted_runner'
            - 'org.runner_group_created'
            - 'org.runner_group_removed'
            - 'org.runner_group_runner_removed'
            - 'org.runner_group_runners_added'
            - 'org.runner_group_runners_updated'
            - 'org.runner_group_updated'
            - 'repo.register_self_hosted_runner'
            - 'repo.remove_self_hosted_runner'
    condition: selection
falsepositives:
    - Allowed self-hosted runner changes in the environment.
    - A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days.
    - An ephemeral self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 1 day.
level: low
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin