
Commit 701a621

Patrick Bareiss committed:
Deprecated old GitHub detections
1 parent 3b1b8c3 commit 701a621

4 files changed: +12 -12 lines changed

detections/cloud/github_actions_disable_security_workflow.yml renamed to detections/deprecated/github_actions_disable_security_workflow.yml

Lines changed: 3 additions & 3 deletions
@@ -1,9 +1,9 @@
11
name: GitHub Actions Disable Security Workflow
22
id: 0459f1a5-c0ac-4987-82d6-65081209f854
3-
version: 3
4-
date: '2024-09-30'
3+
version: 4
4+
date: '2025-01-15'
55
author: Patrick Bareiss, Splunk
6-
status: production
6+
status: deprecated
77
type: Anomaly
88
description: The following analytic detects the disabling of a security workflow in GitHub Actions. It leverages GitHub logs to identify when a workflow, excluding those named *security-testing*, is disabled following a push or pull request event. This activity is significant as it may indicate an attempt by an attacker to conceal malicious code by disabling security checks. If confirmed malicious, this could allow the attacker to introduce and persist undetected malicious code within the repository, potentially compromising the integrity and security of the codebase.
99
data_source:
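Review bot: the status change on line 6 (production to deprecated) leaves the description on line 8 untouched, so the file still reads as a live analytic ("The following analytic detects the disabling of a security workflow...") with nothing stating that it is deprecated, why, or which analytic replaces it. Prefix the description with a deprecation sentence and the successor's name if one exists, e.g. `description: This detection has been deprecated in favour of <replacement>. The following analytic detects ...`. The phrase "excluding those named *security-testing*" is also ambiguous for anyone reading the archived file: it is unclear whether the search drops workflows matching *security-testing* or drops everything else, and since the point of the analytic is to catch security workflows being disabled, the description should say which.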

detections/cloud/github_commit_changes_in_master.yml renamed to detections/deprecated/github_commit_changes_in_master.yml

Lines changed: 3 additions & 3 deletions
@@ -1,9 +1,9 @@
11
name: Github Commit Changes In Master
22
id: c9d2bfe2-019f-11ec-a8eb-acde48001122
3-
version: 3
4-
date: '2024-09-30'
3+
version: 4
4+
date: '2025-01-15'
55
author: Teoderick Contreras, Splunk
6-
status: production
6+
status: deprecated
77
type: Anomaly
88
description: The following analytic detects direct commits or pushes to the master or main branch in a GitHub repository. It leverages GitHub logs to identify events where changes are made directly to these critical branches. This activity is significant because direct modifications to the master or main branch bypass the standard review process, potentially introducing unreviewed and harmful changes. If confirmed malicious, this could lead to unauthorized code execution, security vulnerabilities, or compromised project integrity.
99
data_source:
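Review bot: only the header fields (version, date, status) change here; the rename from detections/cloud/ to detections/deprecated/ will break any story, test or baseline that still references the old path, and nothing in this commit shows those references being updated, so that is worth checking before merge. The description on line 8 should also carry a deprecation sentence, since it still states that the analytic "detects direct commits or pushes to the master or main branch" as if it were in production.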

detections/cloud/github_commit_in_develop.yml renamed to detections/deprecated/github_commit_in_develop.yml

Lines changed: 3 additions & 3 deletions
@@ -1,9 +1,9 @@
11
name: Github Commit In Develop
22
id: f3030cb6-0b02-11ec-8f22-acde48001122
3-
version: 3
4-
date: '2024-09-30'
3+
version: 4
4+
date: '2025-01-15'
55
author: Teoderick Contreras, Splunk
6-
status: production
6+
status: deprecated
77
type: Anomaly
88
description: The following analytic detects commits pushed directly to the 'develop' or 'main' branches in a GitHub repository. It leverages GitHub logs, focusing on commit metadata such as author details, commit messages, and timestamps. This activity is significant as direct commits to these branches can bypass the review process, potentially introducing unvetted changes. If confirmed malicious, this could lead to unauthorized code modifications, introducing vulnerabilities or backdoors into the codebase, and compromising the integrity of the development lifecycle.
99
data_source:
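Review bot: the description on line 8 says this analytic covers the 'develop' or 'main' branches while the name says In Develop, and main is already covered by Github Commit Changes In Master, which is deprecated in the same commit. If the two are being folded into one successor, say so in both descriptions; either way, add a deprecation sentence so the file does not read as a production analytic once it lives under detections/deprecated/.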

detections/cloud/github_dependabot_alert.yml renamed to detections/deprecated/github_dependabot_alert.yml

Lines changed: 3 additions & 3 deletions
@@ -1,9 +1,9 @@
11
name: GitHub Dependabot Alert
22
id: 05032b04-4469-4034-9df7-05f607d75cba
3-
version: 3
4-
date: '2024-09-30'
3+
version: 4
4+
date: '2025-01-15'
55
author: Patrick Bareiss, Splunk
6-
status: production
6+
status: deprecated
77
type: Anomaly
88
description: The following analytic identifies the creation of GitHub Dependabot alerts, which indicate potential vulnerabilities in the codebase. It detects this activity by searching for logs with the "create" action and analyzing fields such as affected package, severity, and fixed version. This detection is significant for a SOC because it helps identify and address security risks in the codebase proactively. If confirmed malicious, these vulnerabilities could be exploited by attackers to gain unauthorized access or cause breaches, leading to potential data loss or system compromise.
99
data_source:
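Review bot: the description on line 8 is left as-is, so it still frames the creation of a Dependabot alert as something that could be "confirmed malicious"; the alert is a vulnerability notification, not adversary activity, which is presumably why the analytic is being retired. Record that reason and the replacement, if any, in the description rather than relying on the status field alone. The version bump to 4 and the 2025-01-15 date are consistent with the other three files in this commit.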
