security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] GitHub Protected Branch Settings Changed (#3054)

Browse Source 
* new rule file

* testing query change

* query changed back

* Update rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml

updates based on review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* updated integration manifests with github schema

* Update defense_evasion_github_protected_branch_settings_changed.toml

added event.dataset to query

* added timestamp_override

* changed timestamp_override to @timestamp

* changed timestamp_override

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit 904e37b732)
This commit is contained in:
Isai
2023-09-14 17:16:51 -04:00
committed by github-actions[bot]
parent 0bc9b126f6
commit 09feb8b94f
3 changed files with 51 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
+51
View File
@@ -0,0 +1,51 @@
[metadata]
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/30"
[rule]
author = ["Elastic"]
description = """
This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules
can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in
your repository. Changes to these protected branch settings should be investigated and verified as legitimate
activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed
for future attacks.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "GitHub Protected Branch Settings Changed"
risk_score = 47
rule_id = "07639887-da3a-4fbf-9532-8ce748ff8c50"
severity = "medium"
tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Github"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.dataset == "github.audit"
and github.category == "protected_branch" and event.type == "change"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"