Elastic Security Detection Rules

GitHub Actions Workflow Modification Blocked

Last updated 14 days ago on 2025-12-05
Created 14 days ago on 2025-12-05

About

Detects when a GitHub Actions workflow attempts to create or modify workflow files in a protected branch but is blocked due to insufficient permissions. This behavior is indicative of a supply chain attack where a malicious package or compromised CI/CD pipeline attempts to inject persistent backdoor workflows into a repository.
Tags
Domain: CloudUse Case: Threat DetectionTactic: Initial AccessTactic: PersistenceTactic: ExecutionData Source: GithubLanguage: esql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Initial Access (TA0001)(opens in a new tab or window)

Supply Chain Compromise (T1195)(opens in a new tab or window)

Execution (TA0002)(opens in a new tab or window)

Command and Scripting Interpreter (T1059)(opens in a new tab or window)

Persistence (TA0003)(opens in a new tab or window)

Event Triggered Execution (T1546)(opens in a new tab or window)

False Positive Examples
Legitimate CI/CD automation that requires workflow file modifications may trigger this alert if not properly configured with the necessary permissions. Review the workflow configuration and ensure the GITHUB_TOKEN or PAT has the required 'workflows' permission if the modification is intentional.
License
Elastic License v2(opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

github(opens in a new tab or window)

Query
from logs-github.audit-* metadata _id, _index, _version
| where
    data_stream.dataset == "github.audit" and
    event.action == "protected_branch.rejected_ref_update" and
    github.category == "protected_branch" and
    github.reasons.code == "workflow_updates" and
    match(github.reasons.message::STRING, "refusing to allow a GitHub App to create or update workflow")
| keep *

Install detection rules in Elastic Security

Detect GitHub Actions Workflow Modification Blocked in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).