[New Rules] UEBA GItHub BBRs and Rules (#3174)

* [New Rules] UEBA GItHub BBRs and Rules

A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules.

* Update rules/integrations/github/impact_github_member_removed_from_organization.toml

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* edited BBR rules

-removed newly added member rule

* updated integration manifests and schemas

* Updated min_stack for some rules based on newest GitHub integration schema manifest

* testing min_stack bump to 8.8 for new fields

* removing offending rule to troubleshoot seperately

* added UEBA tags and created UEBA threshold rule

* updated non-ecs-schema to add signal.rule.tags

* updated non-ecs-schema with kibana.alert.workflow_status

* updated rule.threat.tactic

* added user.name to non-ecs-schema

* added quotes to kibana.alert.workflow_status value

* removed trailing space from rule name

* update tags and optimize query for UEBA threshold rule

* removed integration field from Higher-Order rule

* Apply suggestions from code review

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* adjusted new_terms order and rule types based on review feedback

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* remove user.name from detection_rules/etc/non-ecs-schema.json

* fix json formatting

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

detection_rules/etc/non-ecs-schema.json

@@ -115,8 +115,10 @@
   },
   ".alerts-security.*": {
     "signal.rule.name": "keyword",
+    "signal.rule.tags": "keyword",
     "signal.rule.threat.tactic.name": "keyword",
     "kibana.alert.rule.threat.tactic.id": "keyword",
+    "kibana.alert.workflow_status": "keyword",
     "kibana.alert.rule.rule_id": "keyword"
   },
   "logs-google_workspace*": {

rules/integrations/github/execution_github_app_deleted.toml

@@ -0,0 +1,45 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the deletion of a GitHub app either from a repo or an organization.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GitHub App Deleted"
+risk_score = 21
+rule_id = "fd01b949-81be-46d5-bcf8-284395d5f56d"
+severity = "low"
+tags = ["Domain: Cloud",
+        "Use Case: Threat Detection",
+        "Tactic: Execution",
+        "Data Source: Github"
+        ]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"

rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml

@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.
+"""
+from = "now-6m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "High Number of Cloned GitHub Repos From PAT"
+risk_score = 21
+rule_id = "fb0afac5-bbd6-49b0-b4f8-44e5381e1587"
+severity = "low"
+tags = ["Domain: Cloud",
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",        
+        "Tactic: Execution",
+        "Data Source: Github"
+        ]
+timestamp_override = "event.ingested"
+type = "threshold"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and event.action:"git.clone" and 
+github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and 
+github.repository_public:false
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[rule.threshold]
+field = ["github.hashed_token"]
+value = 1
+
+[[rule.threshold.cardinality]]
+field = "github.repo"
+value = 10

rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml

@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/12/14"
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to
+determine when multiple alerts are executed by the same user in a timespan of one hour. 
+Analysts can use this to prioritize triage and response, as these alerts are a higher indicator of compromised user
+accounts or PATs.
+"""
+from = "now-60m"
+index = [".alerts-security.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "GitHub UEBA - Multiple Alerts from a GitHub Account"
+risk_score = 47
+rule_id = "929223b4-fba3-4a1c-a943-ec4716ad23ec"
+severity = "medium"
+tags = ["Domain: Cloud",
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",
+        "Tactic: Execution",
+        "Rule Type: Higher-Order Rule",
+        "Data Source: Github"
+        ]
+timestamp_override = "event.ingested"
+type = "threshold"
+
+query = '''
+signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[rule.threshold]
+field = ["user.name"]
+value = 1
+
+[[rule.threshold.cardinality]]
+field = "signal.rule.name"
+value = 5

rules/integrations/github/impact_github_repository_deleted.toml

@@ -4,7 +4,7 @@ integration = ["github"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/29"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,12 @@ name = "GitHub Repository Deleted"
 risk_score = 47
 rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b"
 severity = "medium"
-tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Github"]
+tags = ["Domain: Cloud", 
+        "Use Case: Threat Detection", 
+        "Use Case: UEBA",        
+        "Tactic: Impact", 
+        "Data Source: Github"
+        ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -44,4 +49,3 @@ reference = "https://attack.mitre.org/techniques/T1485/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-

rules/integrations/github/persistence_github_org_owner_added.toml

@@ -4,7 +4,7 @@ integration = ["github"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/11"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,12 @@ name = "New GitHub Owner Added"
 risk_score = 47
 rule_id = "24401eca-ad0b-4ff9-9431-487a8e183af9"
 severity = "medium"
-tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Github"]
+tags = ["Domain: Cloud", 
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",        
+        "Tactic: Persistence", 
+        "Data Source: Github"
+        ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''

rules/integrations/github/persistence_organization_owner_role_granted.toml

@@ -4,7 +4,7 @@ integration = ["github"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/11"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,12 @@ name = "GitHub Owner Role Granted To User"
 risk_score = 47
 rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4"
 severity = "medium"
-tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Github"]
+tags = ["Domain: Cloud", 
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",        
+        "Tactic: Persistence", 
+        "Data Source: Github"
+        ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''

rules_building_block/execution_github_new_event_action_for_pat.toml

@@ -0,0 +1,60 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Occurrence GitHub Event for a Personal Access Token (PAT)"
+risk_score = 21
+rule_id = "ce08b55a-f67d-4804-92b5-617b0fe5a5b5"
+severity = "low"
+tags = ["Domain: Cloud",
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",        
+        "Tactic: Execution",
+        "Rule Type: BBR",
+        "Data Source: Github"
+        ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and
+event.action:* and github.hashed_token:* and 
+github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["github.hashed_token", "event.action"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"

rules_building_block/execution_github_new_repo_interaction_for_pat.toml

@@ -0,0 +1,61 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Detects a new private repo interaction for a GitHub PAT not seen in the last 14 days.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)"
+risk_score = 21
+rule_id = "1e9b271c-8caa-4e20-aed8-e91e34de9283"
+severity = "low"
+tags = ["Domain: Cloud",
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",        
+        "Tactic: Execution",
+        "Rule Type: BBR",
+        "Data Source: Github"
+        ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and
+github.repo:* and github.hashed_token:* and
+github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and 
+github.repository_public:false
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["github.hashed_token", "github.repo"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"

rules_building_block/execution_github_new_repo_interaction_for_user.toml

@@ -0,0 +1,60 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/12/14"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Detects a new private repo interaction for a GitHub user not seen in the last 14 days.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Occurrence of GitHub User Interaction with Private Repo"
+risk_score = 21
+rule_id = "01c49712-25bc-49d2-a27d-d7ce52f5dc49"
+severity = "low"
+tags = ["Domain: Cloud",
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",        
+        "Tactic: Execution",
+        "Rule Type: BBR",
+        "Data Source: Github"
+        ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and
+github.repo:* and user.name:* and 
+github.repository_public:false
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.name", "github.repo"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"

rules_building_block/execution_github_repo_created.toml

@@ -0,0 +1,49 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/14"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+A new GitHub repository was created.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GitHub Repo Created"
+risk_score = 21
+rule_id = "6cea88e4-6ce2-4238-9981-a54c140d6336"
+severity = "low"
+tags = ["Domain: Cloud",
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",        
+        "Tactic: Execution",
+        "Rule Type: BBR",
+        "Data Source: Github"
+        ]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+configuration where event.dataset == "github.audit" and event.action == "repo.create"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"

rules_building_block/execution_github_repo_interaction_from_new_ip.toml

@@ -0,0 +1,60 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Detects an interaction with a private GitHub repository from a new IP address not seen in the last 14 days.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Occurrence of GitHub Repo Interaction From a New IP"
+risk_score = 21
+rule_id = "0294f105-d7af-4a02-ae90-35f56763ffa2"
+severity = "low"
+tags = ["Domain: Cloud",
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",        
+        "Tactic: Execution",
+        "Rule Type: BBR",
+        "Data Source: Github"
+        ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and
+github.actor_ip:* and github.repo:* and 
+github.repository_public:false
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["github.repo", "github.actor_ip"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"

rules_building_block/impact_github_member_removed_from_organization.toml

@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/21"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+A member was removed or their invitation to join was removed from a GitHub Organization.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Member Removed From GitHub Organization"
+risk_score = 21
+rule_id = "095b6a58-8f88-4b59-827c-ab584ad4e759"
+severity = "low"
+tags = ["Domain: Cloud",
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",        
+        "Tactic: Impact",
+        "Rule Type: BBR",       
+        "Data Source: Github"
+        ]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+configuration where event.dataset == "github.audit" and event.action == "org.remove_member"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1531"
+name = "Account Access Removal"
+reference = "https://attack.mitre.org/techniques/T1531/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"

rules_building_block/impact_github_pat_access_revoked.toml

@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Access to private GitHub organization resources was revoked for a PAT.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GitHub PAT Access Revoked"
+risk_score = 21
+rule_id = "8a0fd93a-7df8-410d-8808-4cc5e340f2b9"
+severity = "low"
+tags = ["Domain: Cloud",
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",        
+        "Tactic: Impact",
+        "Rule Type: BBR",
+        "Data Source: Github"
+        ]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+configuration where event.dataset == "github.audit" and event.action == "personal_access_token.access_revoked"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1531"
+name = "Account Access Removal"
+reference = "https://attack.mitre.org/techniques/T1531/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"

rules_building_block/impact_github_user_blocked_from_organization.toml

@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+A GitHub user was blocked from access to an organization.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GitHub User Blocked From Organization"
+risk_score = 21
+rule_id = "4030c951-448a-4017-a2da-ed60f6d14f4f"
+severity = "low"
+tags = ["Domain: Cloud",
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",        
+        "Tactic: Impact",
+        "Rule Type: BBR",
+        "Data Source: Github"
+        ]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+configuration where event.dataset == "github.audit" and event.action == "org.block_user"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1531"
+name = "Account Access Removal"
+reference = "https://attack.mitre.org/techniques/T1531/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"

rules_building_block/initial_access_github_new_ip_address_for_pat.toml

@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Detects a new IP address used for a GitHub PAT not previously seen in the last 14 days.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Occurrence of IP Address For GitHub Personal Access Token (PAT)"
+risk_score = 21
+rule_id = "fc909baa-fb34-4c46-9691-be276ef4234c"
+severity = "low"
+tags = ["Domain: Cloud",
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",        
+        "Tactic: Initial Access",
+        "Rule Type: BBR",
+        "Data Source: Github"
+        ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and
+github.actor_ip:* and github.hashed_token:* and
+github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["github.hashed_token", "github.actor_ip"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"

rules_building_block/initial_access_github_new_ip_address_for_user.toml

@@ -0,0 +1,61 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Detects a new IP address used for a GitHub user not previously seen in the last 14 days.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Occurrence of IP Address For GitHub User"
+risk_score = 21
+rule_id = "3af4cb9b-973f-4c54-be2b-7623c0e21b2b"
+severity = "low"
+tags = ["Domain: Cloud",
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",        
+        "Tactic: Initial Access",
+        "Rule Type: BBR",
+        "Data Source: Github"
+        ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and
+github.actor_ip:* and user.name:*
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.name", "github.actor_ip"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"

rules_building_block/initial_access_github_new_user_agent_for_pat.toml

@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Detects a new user agent used for a GitHub PAT not previously seen in the last 14 days.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)"
+risk_score = 21
+rule_id = "0e4367a0-a483-439d-ad2e-d90500b925fd"
+severity = "low"
+tags = ["Domain: Cloud",
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",        
+        "Tactic: Initial Access",
+        "Rule Type: BBR",
+        "Data Source: Github"
+        ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and
+github.user_agent:* and github.hashed_token:* and
+github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["github.hashed_token", "github.user_agent"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"

rules_building_block/initial_access_github_new_user_agent_for_user.toml

@@ -0,0 +1,61 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Detects a new user agent used for a GitHub user not previously seen in the last 14 days.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Occurrence of User-Agent For a GitHub User"
+risk_score = 21
+rule_id = "41761cd3-380f-4d4d-89f3-46d6853ee35d"
+severity = "low"
+tags = ["Domain: Cloud",
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",        
+        "Tactic: Initial Access",
+        "Rule Type: BBR",
+        "Data Source: Github"
+        ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and
+github.user_agent:* and user.name:*
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.name", "github.user_agent"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"

rules_building_block/persistence_github_new_pat_for_user.toml

@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+A new PAT was used for a GitHub user not previously seen in the last 14 days.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Occurrence of Personal Access Token (PAT) Use For a GitHub User"
+risk_score = 21
+rule_id = "f94e898e-94f1-4545-8923-03e4b2866211"
+severity = "low"
+tags = ["Domain: Cloud",
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",        
+        "Tactic: Persistence",
+        "Rule Type: BBR",
+        "Data Source: Github"
+        ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and
+github.hashed_token:* and user.name:* and
+github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.name", "github.hashed_token"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"

rules_building_block/persistence_github_new_user_added_to_organization.toml

@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/21"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+A new user was added to a GitHub organization.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "New User Added To GitHub Organization"
+risk_score = 21
+rule_id = "61336fe6-c043-4743-ab6e-41292f439603"
+severity = "low"
+tags = ["Domain: Cloud",
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",
+        "Tactic: Persistence",
+        "Rule Type: BBR",
+        "Data Source: Github"
+        ]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+configuration where event.dataset == "github.audit" and event.action == "org.add_member"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"