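# Elastic prebuilt detection rule. The file is a single TOML document:
# [metadata], then [rule], then one [[rule.threat]] entry per ATT&CK tactic
# the rule is mapped to (Persistence and Credential Access here).

[metadata]
creation_date = "2023/12/16"
integration = ["github"]
maturity = "production"
updated_date = "2025/12/16"

[rule]
author = ["Elastic"]
description = """
Detects when a new GitHub Personal Access Token (PAT) is created. Adversaries may create new PATs to maintain persistent
access to a compromised account or to escalate privileges within an organization.
"""
# PAT creation is routine developer activity, which is why this ships as a
# low-severity signal; triage starts from the actor and context, not the event.
false_positives = [
    """
    Developers and automation routinely create PATs for CLI, CI/CD and scripted API access. Correlate the actor, the
    time of creation and the organization/repositories the token was granted access to with expected activity before
    escalating.
    """,
]
# event.ingested is used as the time field (timestamp_override below) so audit
# records that arrive late are still evaluated inside the short look-back window.
from = "now-9m"
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "New GitHub Personal Access Token (PAT) Added"
note = """## Triage and analysis

### Investigating New GitHub Personal Access Token (PAT) Added

This rule fires when the GitHub audit log records a personal access token being granted access to organization
resources. A PAT is a long-lived bearer credential that can be used outside any interactive session, which makes it a
convenient persistence mechanism on a compromised account; minting new tokens was part of the credential-theft tradecraft
described in the referenced "Shai-Hulud" write-ups.

#### Possible investigation steps

- Identify the actor who created the token and confirm whether they (or their automation) were expected to do so.
- Review the actor's surrounding audit activity for compromise indicators: new SSH or deploy keys, new OAuth app
  authorizations, unusual sign-in locations, or MFA changes.
- Determine which organization/repositories the token was granted access to and whether that matches the actor's role.
- Look for follow-on activity attributable to the new token, such as bulk repository cloning, workflow or secret
  changes, and unexpected releases or package publishes.

#### Response and remediation

- If the token is not expected, revoke it and reset the affected user's credentials and sessions.
- Rotate any secret the token could have reached (for example CI secrets or package-registry credentials) and review
  recent commits and workflow runs for tampering.
- Consider requiring organization approval for fine-grained PATs so grants are reviewed before they become usable.
"""
references = [
    "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack",
    "https://trigger.dev/blog/shai-hulud-postmortem",
    "https://posthog.com/blog/nov-24-shai-hulud-attack-post-mortem",
]
risk_score = 21
rule_id = "214d4e03-90b0-4813-9ab6-672b47158590"
setup = """
This rule requires the GitHub integration's audit-log data stream (logs-github.audit-*). Audit-log collection must be
enabled for every organization in scope, otherwise PAT activity will not be visible to the rule.
"""
severity = "low"
tags = [
    "Domain: Cloud",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Credential Access",
    "Data Source: Github",
]
timestamp_override = "event.ingested"
type = "eql"
# NOTE(review): `personal_access_token.access_granted` is the organization
# audit event for a fine-grained PAT being granted access to organization
# resources; classic PATs are not expected to surface through this event, so
# coverage is limited to fine-grained tokens — confirm against the integration's
# event mapping and the organization's audit-log configuration.
query = '''
configuration where event.dataset == "github.audit" and github.operation_type == "create" and
  github.category == "personal_access_token" and event.action == "personal_access_token.access_granted"
'''

# NOTE(review): a PAT adds a credential to an existing account rather than
# creating a new account; T1098.001 (Account Manipulation: Additional Cloud
# Credentials) may be the closer Persistence mapping. Kept as shipped.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"

[[rule.threat.technique.subtechnique]]
id = "T1136.003"
name = "Cloud Account"
reference = "https://attack.mitre.org/techniques/T1136/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1528"
name = "Steal Application Access Token"
reference = "https://attack.mitre.org/techniques/T1528/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"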