security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rules] UEBA GItHub BBRs and Rules (#3174)

Browse Source 
* [New Rules] UEBA GItHub BBRs and Rules

A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules.

* Update rules/integrations/github/impact_github_member_removed_from_organization.toml

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* edited BBR rules

-removed newly added member rule

* updated integration manifests and schemas

* Updated min_stack for some rules based on newest GitHub integration schema manifest

* testing min_stack bump to 8.8 for new fields

* removing offending rule to troubleshoot seperately

* added UEBA tags and created UEBA threshold rule

* updated non-ecs-schema to add signal.rule.tags

* updated non-ecs-schema with kibana.alert.workflow_status

* updated rule.threat.tactic

* added user.name to non-ecs-schema

* added quotes to kibana.alert.workflow_status value

* removed trailing space from rule name

* update tags and optimize query for UEBA threshold rule

* removed integration field from Higher-Order rule

* Apply suggestions from code review

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* adjusted new_terms order and rule types based on review feedback

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* remove user.name from detection_rules/etc/non-ecs-schema.json

* fix json formatting

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

(cherry picked from commit 442435830f)
This commit is contained in:
Isai
2024-01-22 12:48:31 -05:00
committed by github-actions[bot]
parent 1160a91bb9
commit f0028e1457
21 changed files with 973 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/github/execution_github_app_deleted.toml
+45
View File
@@ -0,0 +1,45 @@
[metadata]
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/11"
[rule]
author = ["Elastic"]
description = """
Detects the deletion of a GitHub app either from a repo or an organization.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "GitHub App Deleted"
risk_score = 21
rule_id = "fd01b949-81be-46d5-bcf8-284395d5f56d"
severity = "low"
tags = ["Domain: Cloud",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Github"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1648"
name = "Serverless Execution"
reference = "https://attack.mitre.org/techniques/T1648/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"