Back-porting Version Trimming (#3704)

shashank-elastic
2024-05-23 00:45:10 +05:30
committed by GitHub
parent 2c3dbfc039
commit 63e91c2f12
1016 changed files with 12005 additions and 11259 deletions
@@ -2,18 +2,15 @@
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/30"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules
can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in
your repository. Changes to these protected branch settings should be investigated and verified as legitimate
activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed
for future attacks.
This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be
used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository.
Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized
changes could be used to lower your organization's security posture and leave you exposed for future attacks.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
@@ -26,11 +23,13 @@ severity = "medium"
tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Github"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.dataset == "github.audit"
and github.category == "protected_branch" and event.type == "change"
and github.category == "protected_branch" and event.type == "change"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -2,15 +2,11 @@
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/11"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
Detects the deletion of a GitHub app either from a repo or an organization.
"""
description = "Detects the deletion of a GitHub app either from a repo or an organization.\n"
from = "now-9m"
index = ["logs-github.audit-*"]
language = "eql"
@@ -19,11 +15,7 @@ name = "GitHub App Deleted"
risk_score = 21
rule_id = "fd01b949-81be-46d5-bcf8-284395d5f56d"
severity = "low"
tags = ["Domain: Cloud",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Github"
]
tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github"]
timestamp_override = "event.ingested"
type = "eql"
@@ -31,6 +23,7 @@ query = '''
configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -43,3 +36,4 @@ reference = "https://attack.mitre.org/techniques/T1648/"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -2,14 +2,13 @@
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
min_stack_comments = "New fields added to GitHub Integration"
min_stack_version = "8.8.0"
updated_date = "2023/12/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.
Detects a high number of unique private repo clone events originating from a single personal access token within a short
time period.
"""
from = "now-6m"
index = ["logs-github.audit-*"]
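Review bot: Dropping `min_stack_version = "8.8.0"` together with its `min_stack_comments = "New fields added to GitHub Integration"` removes the only declaration that this rule depends on integration fields newer than the rest of the set: the query and threshold below use `github.programmatic_access_type`, `github.repository_public` and `github.hashed_token`, while the other rules visible in this commit only trimmed an 8.3.0 floor tied to schema fields (required_fields, related_integrations, setup). If 8.8.0 is at or below the oldest stack the backport branch targets, the removal is redundant; if not, on an older stack this rule would load but never match, which is a silent detection gap rather than a load-time error. Neither the commit message nor the rule says which case applies, so either keep the floor on this one rule or add a line to the commit description stating the minimum stack the branch now assumes.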
@@ -19,12 +18,13 @@ name = "High Number of Cloned GitHub Repos From PAT"
risk_score = 21
rule_id = "fb0afac5-bbd6-49b0-b4f8-44e5381e1587"
severity = "low"
tags = ["Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Execution",
"Data Source: Github"
]
tags = [
"Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Execution",
"Data Source: Github",
]
timestamp_override = "event.ingested"
type = "threshold"
@@ -34,6 +34,7 @@ github.programmatic_access_type:("OAuth access token" or "Fine-grained personal
github.repository_public:false
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -50,7 +51,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.threshold]
field = ["github.hashed_token"]
value = 1
[[rule.threshold.cardinality]]
field = "github.repo"
value = 10
@@ -1,17 +1,14 @@
[metadata]
creation_date = "2023/12/14"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/18"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to
determine when multiple alerts are executed by the same user in a timespan of one hour.
Analysts can use this to prioritize triage and response, as these alerts are a higher indicator of compromised user
accounts or PATs.
This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to determine when
multiple alerts are executed by the same user in a timespan of one hour. Analysts can use this to prioritize triage and
response, as these alerts are a higher indicator of compromised user accounts or PATs.
"""
from = "now-60m"
index = [".alerts-security.*"]
@@ -21,13 +18,14 @@ name = "GitHub UEBA - Multiple Alerts from a GitHub Account"
risk_score = 47
rule_id = "929223b4-fba3-4a1c-a943-ec4716ad23ec"
severity = "medium"
tags = ["Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Execution",
"Rule Type: Higher-Order Rule",
"Data Source: Github"
]
tags = [
"Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Execution",
"Rule Type: Higher-Order Rule",
"Data Source: Github",
]
timestamp_override = "event.ingested"
type = "threshold"
@@ -35,6 +33,7 @@ query = '''
signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
@@ -46,7 +45,8 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
[rule.threshold]
field = ["user.name"]
value = 1
[[rule.threshold.cardinality]]
field = "signal.rule.name"
value = 5
@@ -2,18 +2,16 @@
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/03"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
This rule detects when a new GitHub App has been installed in your organization account.
GitHub Apps extend GitHub's functionality both within and outside of GitHub.
When an app is installed it is granted permissions to read or modify your repository and organization data.
Only trusted apps should be installed and any newly installed apps should be investigated to verify their legitimacy.
Unauthorized app installation could lower your organization's security posture and leave you exposed for future attacks.
This rule detects when a new GitHub App has been installed in your organization account. GitHub Apps extend GitHub's
functionality both within and outside of GitHub. When an app is installed it is granted permissions to read or modify
your repository and organization data. Only trusted apps should be installed and any newly installed apps should be
investigated to verify their legitimacy. Unauthorized app installation could lower your organization's security posture
and leave you exposed for future attacks.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
@@ -26,10 +24,12 @@ severity = "medium"
tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.dataset == "github.audit" and event.action == "integration_installation.create"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -38,7 +38,6 @@ name = "Software Deployment Tools"
reference = "https://attack.mitre.org/techniques/T1072/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
@@ -2,19 +2,15 @@
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
This rule detects when a GitHub repository is deleted within your organization.
Repositories are a critical component used within an organization to manage work,
collaborate with others and release products to the public. Any delete action against
a repository should be investigated to determine it's validity. Unauthorized deletion
of organization repositories could cause irreversible loss of intellectual property and
indicate compromise within your organization.
This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component
used within an organization to manage work, collaborate with others and release products to the public. Any delete
action against a repository should be investigated to determine it's validity. Unauthorized deletion of organization
repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
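Review bot: The reflowed description still reads `determine it's validity`; since the sentence is being rewritten in this hunk anyway, change it to `determine its validity`. The same contraction is carried over in the New GitHub Owner Added rule's description in this commit, while the GitHub Owner Role Granted To User description already uses `its`, so fixing both makes the three rules consistent.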
@@ -24,18 +20,21 @@ name = "GitHub Repository Deleted"
risk_score = 47
rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b"
severity = "medium"
tags = ["Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Impact",
"Data Source: Github"
]
tags = [
"Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Impact",
"Data Source: Github",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.module == "github" and event.action == "repo.destroy"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -44,8 +43,8 @@ name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
@@ -2,16 +2,14 @@
creation_date = "2023/09/11"
integration = ["github"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
Detects when a new member is added to a GitHub organization as an owner.
This role provides admin level privileges. Any new owner roles should be investigated to determine it's validity.
Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.
Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any
new owner roles should be investigated to determine it's validity. Unauthorized owner roles could indicate compromise
within your organization and provide unlimited access to data and settings.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
@@ -21,18 +19,21 @@ name = "New GitHub Owner Added"
risk_score = 47
rule_id = "24401eca-ad0b-4ff9-9431-487a8e183af9"
severity = "medium"
tags = ["Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Persistence",
"Data Source: Github"
]
tags = [
"Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Persistence",
"Data Source: Github",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -45,6 +46,7 @@ name = "Cloud Account"
reference = "https://attack.mitre.org/techniques/T1136/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
@@ -2,16 +2,14 @@
creation_date = "2023/09/11"
integration = ["github"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/14"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
This rule detects when a member is granted the organization owner role of a GitHub organization.
This role provides admin level privileges. Any new owner role should be investigated to determine its validity.
Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.
This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides
admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles
could indicate compromise within your organization and provide unlimited access to data and settings.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
@@ -21,18 +19,21 @@ name = "GitHub Owner Role Granted To User"
risk_score = 47
rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4"
severity = "medium"
tags = ["Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Persistence",
"Data Source: Github"
]
tags = [
"Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Persistence",
"Data Source: Github",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
@@ -45,6 +46,7 @@ name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"