Add references to rules (github_rules) (#1011)

rules/github_rules/github_action_failed.yml

@@ -13,6 +13,7 @@ Description: A monitored github action has failed.
 Runbook: >
   Inspect the action failure link and take appropriate response.
   There are no general plans of response for this activity.
+Reference: https://docs.github.com/en/actions/creating-actions/setting-exit-codes-for-actions#about-exit-codes
 Tests:
   -
     Name: GitHub - Branch Protection Disabled

rules/github_rules/github_advanced_security_change.yml

@@ -13,6 +13,7 @@ Reports:
 Severity: Low
 Description: The rule alerts when GitHub Security tools (Dependabot, Secret Scanner, etc) are disabled.
 Runbook: Confirm with GitHub administrators and re-enable the tools as applicable. 
+Reference: https://docs.github.com/en/code-security/getting-started/auditing-security-alerts
 Tests:
   -
     Name: Secret Scanning Disabled on a Repo

rules/github_rules/github_branch_policy_override.yml

@@ -14,6 +14,7 @@ Reports:
 Severity: High
 Description: Bypassing branch protection controls could indicate malicious use of admin credentials in an attempt to hide activity.
 Runbook: Verify that the GitHub admin performed this activity and validate its use.
+Reference: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule
 Tests:
   -
     Name: GitHub - Branch Protection Policy Override

rules/github_rules/github_branch_protection_disabled.yml

@@ -14,6 +14,7 @@ Reports:
 Severity: High
 Description: Disabling branch protection controls could indicate malicious use of admin credentials in an attempt to hide activity.
 Runbook: Verify that branch protection should be disabled on the repository and re-enable as necessary.
+Reference: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule
 Tests:
   -
     Name: GitHub - Branch Protection Disabled

rules/github_rules/github_org_auth_modified.yml

@@ -17,6 +17,7 @@ SummaryAttributes:
   - action
 Description: Detects changes to GitHub org authentication changes.
 Runbook: Verify that the GitHub admin performed this activity and validate its use.
+Reference: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-authentication-to-github
 Tests:
   -
     Name: GitHub - Authentication Method Changed

rules/github_rules/github_org_ip_allowlist.yml

@@ -17,6 +17,7 @@ SummaryAttributes:
   - action
 Description: Detects changes to a GitHub Org IP Allow List
 Runbook: Verify that the change was authorized and appropriate.
+Reference: https://docs.github.com/en/apps/maintaining-github-apps/managing-allowed-ip-addresses-for-a-github-app
 Tests:
   -
     Name: GitHub - IP Allow list modified

rules/github_rules/github_org_moderators_add.yml

@@ -10,6 +10,7 @@ Tags:
   - Initial Access:Supply Chain Compromise
 Severity: Medium
 Description: Detects when a user is added to a GitHub org's list of moderators.
+Reference: https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/managing-moderators-in-your-organization
 Tests:
   -
     Name: GitHub - Org Moderator Added

rules/github_rules/github_org_modified.yml

@@ -11,6 +11,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0001:T1195
+Reference: https://docs.github.com/en/organizations/managing-membership-in-your-organization
 Severity: Info
 Description: Detects when a user is added or removed from a GitHub Org.
 Tests:

rules/github_rules/github_public_repository_created.yml

@@ -4,6 +4,7 @@ DisplayName: "Github Public Repository Created"
 Enabled: true
 Filename: github_public_repository_created.py
 Runbook: Confirm this github repository was intended to be created as 'public' versus 'private'.
+Reference: https://docs.github.com/en/get-started/quickstart/create-a-repo
 Severity: Medium
 Tags:
     - Github Repository

rules/github_rules/github_repo_collaborator_change.yml

@@ -14,6 +14,7 @@ Reports:
 Severity: Medium
 Description: Detects when a repository collaborator is added or removed.
 Runbook: Determine if the new collaborator is authorized to access the repository. 
+Reference: https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-an-individuals-access-to-an-organization-repository
 Tests:
   -
     Name: GitHub - Collaborator Added

rules/github_rules/github_repo_created.yml

@@ -7,6 +7,7 @@ LogTypes:
   - GitHub.Audit
 Tags:
   - GitHub
+Reference: https://docs.github.com/en/get-started/quickstart/create-a-repo
 Severity: Info
 Description: Detects when a repository is created.
 Tests:

rules/github_rules/github_repo_hook_modified.yml

@@ -11,6 +11,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0010:T1020
+Reference: https://docs.github.com/en/webhooks/about-webhooks
 Severity: Info
 Description: Detects when a web hook is added, modified, or deleted in an org repository. 
 Tests:

rules/github_rules/github_repo_initial_access.yml

@@ -7,6 +7,7 @@ LogTypes:
   - GitHub.Audit
 Tags:
   - GitHub
+Reference: https://docs.github.com/en/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-an-individuals-access-to-an-organization-repository
 Severity: Info
 Description: Detects when a user initially accesses a private organization repository.
 Tests:

rules/github_rules/github_repo_visibility_change.yml

@@ -11,6 +11,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0010:T1567
+Reference: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility
 Severity: High
 Description: Detects when an organization repository visibility changes.
 Tests:

rules/github_rules/github_secret_scanning_alert_created.yml

@@ -13,6 +13,7 @@ Reports:
 Severity: Medium
 Description: GitHub detected a secret and created a secret scanning alert.
 Runbook: Review the secret to determine if it needs to be revoked or the alert suppressed. 
+Reference: https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning
 Tests:
   -
     Name: secret_scanning_alert.create-true

rules/github_rules/github_team_modified.yml

@@ -11,6 +11,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0001:T1195
+Reference: https://docs.github.com/en/organizations/organizing-members-into-teams
 Severity: Info
 Description: Detects when a team is modified in some way, such as adding a new team, deleting a team, modifying members, or a change in repository control.
 Tests:

rules/github_rules/github_user_access_key_created.yml

@@ -11,6 +11,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0003:T1078
+Reference: https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent
 Severity: Info
 Description: Detects when a GitHub user access key is created.
 Tests:

rules/github_rules/github_user_role_updated.yml

@@ -11,6 +11,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0003:T1098
+Reference: https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/roles-in-an-organization
 Severity: High
 Description: Detects when a GitHub user role is upgraded to an admin or downgraded to a member
 Tests: