34daf12d51
* [New Rules] Several GitHub Related Rules * Added additional references * Update defense_evasion_secret_scanning_disabled.toml * Update persistence_new_pat_created.toml * Added two more rules * ++ * Update rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml * Added github.repository_public to non_ecs * Update impact_github_repository_activity_from_unusual_ip.toml * Update rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml * ++ * Update rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml * Update rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml * Update rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml * ++ --------- Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
[metadata]
creation_date = "2023/12/16"
integration = ["github"]
maturity = "production"
updated_date = "2025/12/16"

[rule]
author = ["Elastic"]
description = """
Detects when a new GitHub Personal Access Token (PAT) is created. Adversaries may create new PATs to maintain
persistent access to a compromised account or to escalate privileges within an organization.
"""
# Lookback window per execution. NOTE(review): presumably sized to overlap the
# schedule interval and absorb ingest delay — confirm against the rule interval.
from = "now-9m"
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "New GitHub Personal Access Token (PAT) Added"
# Post-mortems of the Shai-Hulud supply-chain campaign, cited as context for
# how leaked or freshly minted GitHub tokens are abused.
references = [
    "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack",
    "https://trigger.dev/blog/shai-hulud-postmortem",
    "https://posthog.com/blog/nov-24-shai-hulud-attack-post-mortem",
]
# Low by design: token creation is presumably common legitimate activity, so
# triage on the acting user, the source address and whether the token was
# expected; consider excluding known automation accounts during tuning.
risk_score = 21
rule_id = "214d4e03-90b0-4813-9ab6-672b47158590"
severity = "low"
tags = [
    "Domain: Cloud",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Credential Access",
    "Data Source: Github",
]
# Evaluate against ingest time instead of the original event timestamp so that
# audit events arriving late are still seen within the lookback window.
timestamp_override = "event.ingested"
type = "eql"
# Single-event match (no sequence) on the GitHub audit dataset: a "create"
# operation in the personal_access_token category with action access_granted.
# NOTE(review): the matched action is "access_granted", not a literal creation
# event — confirm this covers every PAT-creation flow the rule name and
# description promise (e.g. tokens created outside an organization grant).
query = '''
configuration where event.dataset == "github.audit" and github.operation_type == "create" and
github.category == "personal_access_token" and event.action == "personal_access_token.access_granted"
'''

# Persistence mapping: a new token acts as an additional credential for the
# account, much like a newly created cloud account.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"

[[rule.threat.technique.subtechnique]]
id = "T1136.003"
name = "Cloud Account"
reference = "https://attack.mitre.org/techniques/T1136/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

# Credential Access mapping: the PAT itself is an application access token that
# can be stolen or minted by an adversary holding the account.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1528"
name = "Steal Application Access Token"
reference = "https://attack.mitre.org/techniques/T1528/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"