[New Rules] UEBA GItHub BBRs and Rules (#3174)

* [New Rules] UEBA GItHub BBRs and Rules

A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules.

* Update rules/integrations/github/impact_github_member_removed_from_organization.toml

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* edited BBR rules

-removed newly added member rule

* updated integration manifests and schemas

* Updated min_stack for some rules based on newest GitHub integration schema manifest

* testing min_stack bump to 8.8 for new fields

* removing offending rule to troubleshoot seperately

* added UEBA tags and created UEBA threshold rule

* updated non-ecs-schema to add signal.rule.tags

* updated non-ecs-schema with kibana.alert.workflow_status

* updated rule.threat.tactic

* added user.name to non-ecs-schema

* added quotes to kibana.alert.workflow_status value

* removed trailing space from rule name

* update tags and optimize query for UEBA threshold rule

* removed integration field from Higher-Order rule

* Apply suggestions from code review

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* adjusted new_terms order and rule types based on review feedback

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* remove user.name from detection_rules/etc/non-ecs-schema.json

* fix json formatting

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

(cherry picked from commit 442435830f)

rules/integrations/github/execution_github_app_deleted.toml

@@ -0,0 +1,45 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the deletion of a GitHub app either from a repo or an organization.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GitHub App Deleted"
+risk_score = 21
+rule_id = "fd01b949-81be-46d5-bcf8-284395d5f56d"
+severity = "low"
+tags = ["Domain: Cloud",
+        "Use Case: Threat Detection",
+        "Tactic: Execution",
+        "Data Source: Github"
+        ]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"

rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml

@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.
+"""
+from = "now-6m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "High Number of Cloned GitHub Repos From PAT"
+risk_score = 21
+rule_id = "fb0afac5-bbd6-49b0-b4f8-44e5381e1587"
+severity = "low"
+tags = ["Domain: Cloud",
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",        
+        "Tactic: Execution",
+        "Data Source: Github"
+        ]
+timestamp_override = "event.ingested"
+type = "threshold"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and event.action:"git.clone" and 
+github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and 
+github.repository_public:false
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[rule.threshold]
+field = ["github.hashed_token"]
+value = 1
+
+[[rule.threshold.cardinality]]
+field = "github.repo"
+value = 10

rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml

@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/12/14"
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to
+determine when multiple alerts are executed by the same user in a timespan of one hour. 
+Analysts can use this to prioritize triage and response, as these alerts are a higher indicator of compromised user
+accounts or PATs.
+"""
+from = "now-60m"
+index = [".alerts-security.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "GitHub UEBA - Multiple Alerts from a GitHub Account"
+risk_score = 47
+rule_id = "929223b4-fba3-4a1c-a943-ec4716ad23ec"
+severity = "medium"
+tags = ["Domain: Cloud",
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",
+        "Tactic: Execution",
+        "Rule Type: Higher-Order Rule",
+        "Data Source: Github"
+        ]
+timestamp_override = "event.ingested"
+type = "threshold"
+
+query = '''
+signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[rule.threshold]
+field = ["user.name"]
+value = 1
+
+[[rule.threshold.cardinality]]
+field = "signal.rule.name"
+value = 5

rules/integrations/github/impact_github_repository_deleted.toml

@@ -4,7 +4,7 @@ integration = ["github"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/29"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,12 @@ name = "GitHub Repository Deleted"
 risk_score = 47
 rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b"
 severity = "medium"
-tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Github"]
+tags = ["Domain: Cloud", 
+        "Use Case: Threat Detection", 
+        "Use Case: UEBA",        
+        "Tactic: Impact", 
+        "Data Source: Github"
+        ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -44,4 +49,3 @@ reference = "https://attack.mitre.org/techniques/T1485/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-

rules/integrations/github/persistence_github_org_owner_added.toml

@@ -4,7 +4,7 @@ integration = ["github"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/11"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,12 @@ name = "New GitHub Owner Added"
 risk_score = 47
 rule_id = "24401eca-ad0b-4ff9-9431-487a8e183af9"
 severity = "medium"
-tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Github"]
+tags = ["Domain: Cloud", 
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",        
+        "Tactic: Persistence", 
+        "Data Source: Github"
+        ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''

rules/integrations/github/persistence_organization_owner_role_granted.toml

@@ -4,7 +4,7 @@ integration = ["github"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/11"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,12 @@ name = "GitHub Owner Role Granted To User"
 risk_score = 47
 rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4"
 severity = "medium"
-tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Github"]
+tags = ["Domain: Cloud", 
+        "Use Case: Threat Detection",
+        "Use Case: UEBA",        
+        "Tactic: Persistence", 
+        "Data Source: Github"
+        ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''