security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Prep for Release 9.0 (#4550)

Browse Source
This commit is contained in:
shashank-elastic
2025-03-20 20:32:07 +05:30
committed by GitHub
parent 955e973c00
commit 059d7efa25
263 changed files with 9495 additions and 7936 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
+18 -14
View File
@@ -2,9 +2,7 @@
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -19,17 +17,6 @@ index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "GitHub Protected Branch Settings Changed"
risk_score = 47
rule_id = "07639887-da3a-4fbf-9532-8ce748ff8c50"
severity = "medium"
tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Github", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.dataset == "github.audit"
and github.category == "protected_branch" and event.type == "change"
'''
note = """## Triage and analysis
> **Disclaimer**:
@@ -64,6 +51,23 @@ GitHub's protected branch settings are crucial for maintaining code integrity by
- Implement additional monitoring on the affected repository to detect any further unauthorized changes or suspicious activities.
- Review and update access controls and permissions for the repository to ensure that only authorized personnel can modify branch protection settings.
- Document the incident, including the timeline of events and actions taken, to improve future response efforts and update incident response plans."""
risk_score = 47
rule_id = "07639887-da3a-4fbf-9532-8ce748ff8c50"
severity = "medium"
tags = [
"Domain: Cloud",
"Use Case: Threat Detection",
"Tactic: Defense Evasion",
"Data Source: Github",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.dataset == "github.audit"
and github.category == "protected_branch" and event.type == "change"
'''
[[rule.threat]]
rules/integrations/github/execution_github_app_deleted.toml
+17 -13
View File
@@ -2,9 +2,7 @@
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -14,16 +12,6 @@ index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "GitHub App Deleted"
risk_score = 21
rule_id = "fd01b949-81be-46d5-bcf8-284395d5f56d"
severity = "low"
tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion"
'''
note = """## Triage and analysis
> **Disclaimer**:
@@ -59,6 +47,22 @@ GitHub Apps are integrations that extend GitHub's functionality, often used to a
- Implement additional monitoring on the affected repositories or organization to detect any further suspicious activities or attempts to delete apps.
- Review and tighten permissions for GitHub apps to ensure only authorized personnel have the ability to delete or modify app installations.
- Escalate the incident to higher-level security management if there is evidence of a broader compromise or if the deletion is part of a larger attack campaign."""
risk_score = 21
rule_id = "fd01b949-81be-46d5-bcf8-284395d5f56d"
severity = "low"
tags = [
"Domain: Cloud",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Github",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion"
'''
[[rule.threat]]
rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
+20 -22
View File
@@ -2,9 +2,7 @@
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -17,25 +15,6 @@ index = ["logs-github.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "High Number of Cloned GitHub Repos From PAT"
risk_score = 21
rule_id = "fb0afac5-bbd6-49b0-b4f8-44e5381e1587"
severity = "low"
tags = [
"Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Execution",
"Data Source: Github",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
event.dataset:"github.audit" and event.category:"configuration" and event.action:"git.clone" and
github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and
github.repository_public:false
'''
note = """## Triage and analysis
> **Disclaimer**:
@@ -70,6 +49,25 @@ Personal Access Tokens (PATs) facilitate automated access to GitHub repositories
- Monitor for any unusual activity or further unauthorized access attempts using other PATs or credentials.
- Escalate the incident to the security team for a comprehensive investigation and to determine if any other systems or data have been compromised.
- Update and enforce policies regarding the creation, usage, and management of PATs to prevent similar incidents in the future."""
risk_score = 21
rule_id = "fb0afac5-bbd6-49b0-b4f8-44e5381e1587"
severity = "low"
tags = [
"Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Execution",
"Data Source: Github",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
event.dataset:"github.audit" and event.category:"configuration" and event.action:"git.clone" and
github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and
github.repository_public:false
'''
[[rule.threat]]
rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
+19 -21
View File
@@ -1,9 +1,7 @@
[metadata]
creation_date = "2023/12/14"
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -17,24 +15,6 @@ index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "GitHub UEBA - Multiple Alerts from a GitHub Account"
risk_score = 47
rule_id = "929223b4-fba3-4a1c-a943-ec4716ad23ec"
severity = "medium"
tags = [
"Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Execution",
"Rule Type: Higher-Order Rule",
"Data Source: Github",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open"
'''
note = """## Triage and analysis
> **Disclaimer**:
@@ -70,6 +50,24 @@ User and Entity Behavior Analytics (UEBA) in GitHub environments helps identify
- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional accounts or systems are affected.
- Implement additional monitoring on the affected account and related systems to detect any further suspicious activity.
- Update and refine access controls and permissions for the affected account to minimize the risk of future unauthorized actions."""
risk_score = 47
rule_id = "929223b4-fba3-4a1c-a943-ec4716ad23ec"
severity = "medium"
tags = [
"Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Execution",
"Rule Type: Higher-Order Rule",
"Data Source: Github",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open"
'''
[[rule.threat]]
rules/integrations/github/execution_new_github_app_installed.toml
+17 -13
View File
@@ -2,9 +2,7 @@
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -20,16 +18,6 @@ index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "New GitHub App Installed"
risk_score = 47
rule_id = "1ca62f14-4787-4913-b7af-df11745a49da"
severity = "medium"
tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.dataset == "github.audit" and event.action == "integration_installation.create"
'''
note = """## Triage and analysis
> **Disclaimer**:
@@ -64,6 +52,22 @@ GitHub Apps enhance functionality by integrating with repositories and organizat
- Escalate the incident to higher-level security management if the app installation is linked to a broader security breach or if sensitive data has been compromised.
- Implement stricter access controls and approval processes for future GitHub App installations to prevent unauthorized installations.
- Update detection mechanisms to include additional indicators of compromise related to GitHub App installations, enhancing future threat detection capabilities."""
risk_score = 47
rule_id = "1ca62f14-4787-4913-b7af-df11745a49da"
severity = "medium"
tags = [
"Domain: Cloud",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Github",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.dataset == "github.audit" and event.action == "integration_installation.create"
'''
[[rule.threat]]
rules/integrations/github/impact_github_repository_deleted.toml
+18 -20
View File
@@ -2,9 +2,7 @@
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -19,23 +17,6 @@ index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "GitHub Repository Deleted"
risk_score = 47
rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b"
severity = "medium"
tags = [
"Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Impact",
"Data Source: Github",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.module == "github" and event.dataset == "github.audit" and event.action == "repo.destroy"
'''
note = """## Triage and analysis
> **Disclaimer**:
@@ -69,6 +50,23 @@ GitHub repositories are essential for managing code and collaboration within org
- Implement additional access controls, such as multi-factor authentication and role-based access, to prevent unauthorized deletions in the future.
- Escalate the incident to higher management and legal teams if intellectual property theft or significant data loss is suspected.
- Enhance monitoring and alerting mechanisms to detect similar unauthorized actions promptly, leveraging the MITRE ATT&CK framework for guidance on potential threat vectors."""
risk_score = 47
rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b"
severity = "medium"
tags = [
"Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Impact",
"Data Source: Github",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.module == "github" and event.dataset == "github.audit" and event.action == "repo.destroy"
'''
[[rule.threat]]
rules/integrations/github/persistence_github_org_owner_added.toml
+18 -20
View File
@@ -2,9 +2,7 @@
creation_date = "2023/09/11"
integration = ["github"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -18,23 +16,6 @@ index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "New GitHub Owner Added"
risk_score = 47
rule_id = "24401eca-ad0b-4ff9-9431-487a8e183af9"
severity = "medium"
tags = [
"Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Persistence",
"Data Source: Github",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin"
'''
note = """## Triage and analysis
> **Disclaimer**:
@@ -70,6 +51,23 @@ GitHub organizations allow collaborative management of repositories, where the '
- Review and update access control policies to ensure that owner roles are granted only to verified and necessary personnel.
- Implement additional monitoring and alerting for any future changes to GitHub organization roles to detect similar threats promptly.
- If evidence of compromise is found, consider engaging with a digital forensics team to assess the full impact and scope of the breach."""
risk_score = 47
rule_id = "24401eca-ad0b-4ff9-9431-487a8e183af9"
severity = "medium"
tags = [
"Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Persistence",
"Data Source: Github",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin"
'''
[[rule.threat]]
rules/integrations/github/persistence_organization_owner_role_granted.toml
+18 -20
View File
@@ -2,9 +2,7 @@
creation_date = "2023/09/11"
integration = ["github"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."
updated_date = "2025/03/20"
[rule]
author = ["Elastic"]
@@ -18,23 +16,6 @@ index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "GitHub Owner Role Granted To User"
risk_score = 47
rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4"
severity = "medium"
tags = [
"Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Persistence",
"Data Source: Github",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin"
'''
note = """## Triage and analysis
> **Disclaimer**:
@@ -68,6 +49,23 @@ In GitHub organizations, the owner role grants comprehensive administrative priv
- Notify the security team and relevant stakeholders about the potential breach and involve them in the investigation and remediation process.
- Review and update access control policies to ensure that owner roles are granted only through a formal approval process and are regularly audited.
- Implement additional monitoring and alerting for changes to high-privilege roles within the organization to detect similar threats in the future."""
risk_score = 47
rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4"
severity = "medium"
tags = [
"Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Persistence",
"Data Source: Github",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin"
'''
[[rule.threat]]