Isai 9593412847 [New Rule] GitHub Owner Role Granted to User (#3087)
* [New Rule] GitHub Owner Role Granted to User

new rule

* Update persistence_organization_owner_role_granted.toml

* updated integration schema

* changed timestamp_override

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2023-10-06 15:44:04 -04:00


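# Rule metadata used by the rule tooling; dates are YYYY/MM/DD.
[metadata]
creation_date = "2023/09/11"
integration = ["github"]
maturity = "production"
# min_stack_comments states the rationale for the min_stack_version floor;
# keep the two in step when either changes.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/11"
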
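[rule]
author = ["Elastic"]
description = """
This rule detects when a member is granted the organization owner role of a GitHub organization.
This role provides admin level privileges. Any new owner role should be investigated to determine its validity.
Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.
"""
# Look-back window for each run. With timestamp_override set to event.ingested
# below, the window is measured against ingest time rather than @timestamp, so
# audit events that are ingested late are still evaluated.
from = "now-9m"
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "GitHub Owner Role Granted To User"
# Tune risk_score and severity together so they stay consistent.
risk_score = 47
rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4"
severity = "medium"
tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Github"]
timestamp_override = "event.ingested"
type = "eql"
# Matches every org member update that sets the admin permission (the owner
# role named in the description). There is no allowlist, so expected grants
# match as well; each hit needs triage against a known, approved change.
query = '''
iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin"
'''
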
# ATT&CK mapping: granting an owner role is account manipulation through an
# additional cloud role, used by an attacker to persist in the organization.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
# Sub-technique entries must directly follow their parent [[rule.threat.technique]]
# element; reordering these headers changes which technique they attach to.
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"
# Tactic for this threat element; matches the "Tactic: Persistence" tag above.
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"