Add some GitHub audit detection rules

rules/cloud/github/github_fork_private_repos_enabled_or_cleared.yml

@@ -0,0 +1,26 @@
+title: Github Fork Private Repositories Setting Enabled/Cleared
+id: 69b3bd1e-b38a-462f-9a23-fbdbf63d2294
+status: experimental
+description: |
+    Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).
+references:
+    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking
+author: Romain Gaillard (@romain-gaillard)
+date: 2024/07/29
+tags:
+    - attack.persistence
+    - attack.t1020
+    - attack.t1537
+logsource:
+    product: github
+    service: audit
+    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
+detection:
+    selection:
+        action:
+            - 'private_repository_forking.clear' # An enterprise owner cleared the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise.
+            - 'private_repository_forking.enable' # An enterprise owner enabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are always allowed to be forked.
+    condition: selection
+falsepositives:
+    - Allowed administrative activities.
+level: medium

rules/cloud/github/github_repo_or_org_transferred.yml

@@ -0,0 +1,30 @@
+title: Github Repository/Organization Transferred
+id: 04ad83ef-1a37-4c10-b57a-81092164bf33
+status: experimental
+description: Detects when a repository or an organization is being transferred to another location.
+references:
+    - https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
+    - https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership
+    - https://docs.github.com/en/migrations
+    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration
+author: Romain Gaillard (@romain-gaillard)
+date: 2024/07/29
+tags:
+    - attack.persistence
+    - attack.t1020
+    - attack.t1537
+logsource:
+    product: github
+    service: audit
+    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
+detection:
+    selection:
+        action:
+            - 'migration.create' # A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.
+            - 'org.transfer_outgoing' # An organization was transferred between enterprise accounts.
+            - 'org.transfer' # An organization was transferred between enterprise accounts.
+            - 'repo.transfer_outgoing' # A repository was transferred to another repository network.
+    condition: selection
+falsepositives:
+    - Allowed administrative activities.
+level: medium

rules/cloud/github/github_ssh_certificate_config_changed.yml

@@ -0,0 +1,26 @@
+title: Github SSH Certificate Configuration Changed
+id: 2f575940-d85e-4ddc-af13-17dad6f1a0ef
+status: experimental
+description: Detects when changes are made to the SSH certificate configuration of the organization.
+references:
+    - https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities
+    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority
+author: Romain Gaillard (@romain-gaillard)
+date: 2024/07/29
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1078.004
+logsource:
+    product: github
+    service: audit
+    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
+detection:
+    selection:
+        action:
+            - 'ssh_certificate_authority.create' # An SSH certificate authority for an organization or enterprise was created.
+            - 'ssh_certificate_requirement.disable' # The requirement for members to use SSH certificates to access an organization resources was disabled.
+    condition: selection
+falsepositives:
+    - Allowed administrative activities.
+level: medium