diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index fb4f8952bc1..f060727e691 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -115,8 +115,10 @@
 },
 ".alerts-security.*": {
 "signal.rule.name": "keyword",
+ "signal.rule.tags": "keyword",
 "signal.rule.threat.tactic.name": "keyword",
 "kibana.alert.rule.threat.tactic.id": "keyword",
+ "kibana.alert.workflow_status": "keyword",
 "kibana.alert.rule.rule_id": "keyword"
 },
 "logs-google_workspace*": {
diff --git a/rules/integrations/github/execution_github_app_deleted.toml b/rules/integrations/github/execution_github_app_deleted.toml
new file mode 100644
index 00000000000..891c181759a
--- /dev/null
+++ b/rules/integrations/github/execution_github_app_deleted.toml
@@ -0,0 +1,45 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the deletion of a GitHub app either from a repo or an organization.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GitHub App Deleted"
+risk_score = 21
+rule_id = "fd01b949-81be-46d5-bcf8-284395d5f56d"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
new file mode 100644
index 00000000000..dfa81e0277d
--- /dev/null
+++ b/rules/integrations/github/execution_github_high_number_of_cloned_repos_from_pat.toml
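Review bot: This rule's `tags` array omits `"Use Case: UEBA"`, unlike the other GitHub rules added or retagged in this commit, so its alerts will not be counted by the new higher-order rule, whose query selects on `signal.rule.tags:("Use Case: UEBA" and "Data Source: Github")`. If an app deletion is meant to contribute to the per-user alert count, add `"Use Case: UEBA",` to the tags array; if the omission is deliberate, a comment above `tags` saying so would spare the next maintainer the same question. The rule also ships with no `note` investigation guide; a sentence or two on what an analyst should check (which actor removed the app, whether the removal was an approved change, what permissions the app held) would help triage.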
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.
+"""
+from = "now-6m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "High Number of Cloned GitHub Repos From PAT"
+risk_score = 21
+rule_id = "fb0afac5-bbd6-49b0-b4f8-44e5381e1587"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "threshold"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and event.action:"git.clone" and
+github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and
+github.repository_public:false
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[rule.threshold]
+field = ["github.hashed_token"]
+value = 1
+
+[[rule.threshold.cardinality]]
+field = "github.repo"
+value = 10
diff --git a/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml b/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
new file mode 100644
index 00000000000..2908f7b3e87
--- /dev/null
+++ b/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
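Review bot: The rule's name and description speak only of personal access tokens, but the query also matches `github.programmatic_access_type:"OAuth access token"`, and nothing in the file says why. If that value is how the audit log labels classic tokens, record it with a comment above `query`, e.g. `# "OAuth access token" is matched alongside fine-grained PATs on purpose: <reason>`; if it was meant to cover OAuth apps as well, the name and description should say so. The six-minute window (`from = "now-6m"`) and the cardinality of 10 distinct private repos per `github.hashed_token` are the knobs that set the false-positive rate, so a `note` on tuning them for CI or mirroring tokens that legitimately clone many repositories would be useful.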
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/12/14"
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to
+determine when multiple alerts are executed by the same user in a timespan of one hour.
+Analysts can use this to prioritize triage and response, as these alerts are a higher indicator of compromised user
+accounts or PATs.
+"""
+from = "now-60m"
+index = [".alerts-security.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "GitHub UEBA - Multiple Alerts from a GitHub Account"
+risk_score = 47
+rule_id = "929223b4-fba3-4a1c-a943-ec4716ad23ec"
+severity = "medium"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Rule Type: Higher-Order Rule",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "threshold"
+
+query = '''
+signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[rule.threshold]
+field = ["user.name"]
+value = 1
+
+[[rule.threshold.cardinality]]
+field = "signal.rule.name"
+value = 5
diff --git a/rules/integrations/github/impact_github_repository_deleted.toml b/rules/integrations/github/impact_github_repository_deleted.toml
index a3193318ce2..9eebd68aea8 100644
--- a/rules/integrations/github/impact_github_repository_deleted.toml
+++ b/rules/integrations/github/impact_github_repository_deleted.toml
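Review bot: The rule's own alerts appear to satisfy its query: it is tagged `"Use Case: UEBA"` and `"Data Source: Github"`, it writes into `.alerts-security.*`, and the query filters only on `signal.rule.tags` and `kibana.alert.workflow_status`, so on the next run each open higher-order alert would add one more distinct `signal.rule.name` for that `user.name` unless the platform excludes a rule's own alerts, which I cannot confirm from here. Excluding higher-order alerts explicitly closes that loop: `signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and not signal.rule.tags:"Rule Type: Higher-Order Rule" and kibana.alert.workflow_status:"open"`. The query also mixes the `signal.*` names with `kibana.alert.*`; if both resolve on every supported stack version this is fine, but a comment above `query` noting that `signal.rule.tags` and `signal.rule.name` are the older field names would explain the mix. `[metadata]` has no `integration` key, unlike the sibling rules; presumably intentional because the index is alerts rather than `logs-github.audit-*`, and worth a comment.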
@@ -4,7 +4,7 @@ integration = ["github"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/29"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,12 @@ name = "GitHub Repository Deleted"
 risk_score = 47
 rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b"
 severity = "medium"
-tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Github"]
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Impact",
+ "Data Source: Github"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -44,4 +49,3 @@ reference = "https://attack.mitre.org/techniques/T1485/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
diff --git a/rules/integrations/github/persistence_github_org_owner_added.toml b/rules/integrations/github/persistence_github_org_owner_added.toml
index 3fd492d96b3..7fd963c9fe6 100644
--- a/rules/integrations/github/persistence_github_org_owner_added.toml
+++ b/rules/integrations/github/persistence_github_org_owner_added.toml
@@ -4,7 +4,7 @@ integration = ["github"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/11"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,12 @@ name = "New GitHub Owner Added"
 risk_score = 47
 rule_id = "24401eca-ad0b-4ff9-9431-487a8e183af9"
 severity = "medium"
-tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Github"]
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Persistence",
+ "Data Source: Github"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/integrations/github/persistence_organization_owner_role_granted.toml b/rules/integrations/github/persistence_organization_owner_role_granted.toml
index 0d757fe43f0..08adb684912 100644
--- a/rules/integrations/github/persistence_organization_owner_role_granted.toml
+++ b/rules/integrations/github/persistence_organization_owner_role_granted.toml
@@ -4,7 +4,7 @@ integration = ["github"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/11"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,12 @@ name = "GitHub Owner Role Granted To User"
 risk_score = 47
 rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4"
 severity = "medium"
-tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Github"]
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Persistence",
+ "Data Source: Github"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules_building_block/execution_github_new_event_action_for_pat.toml b/rules_building_block/execution_github_new_event_action_for_pat.toml
new file mode 100644
index 00000000000..411b406a4b8
--- /dev/null
+++ b/rules_building_block/execution_github_new_event_action_for_pat.toml
@@ -0,0 +1,60 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Occurrence GitHub Event for a Personal Access Token (PAT)"
+risk_score = 21
+rule_id = "ce08b55a-f67d-4804-92b5-617b0fe5a5b5"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and
+event.action:* and github.hashed_token:* and
+github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["github.hashed_token", "event.action"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules_building_block/execution_github_new_repo_interaction_for_pat.toml b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml
new file mode 100644
index 00000000000..98e6201bbf5
--- /dev/null
+++ b/rules_building_block/execution_github_new_repo_interaction_for_pat.toml
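Review bot: The description, `Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days.`, understates what the rule keys on: `new_terms_fields` is `["github.hashed_token", "event.action"]`, so an alert fires the first time a given token performs a given action, including a long-established token performing an action it has not performed before. Suggested wording: `Detects the first occurrence of a given event action for a personal access token (PAT) in the last 14 days.` Stating the (token, action) pairing also distinguishes this rule from the per-token new-IP and new-user-agent rules later in the commit, which otherwise read very similarly.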
@@ -0,0 +1,61 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Detects a new private repo interaction for a GitHub PAT not seen in the last 14 days.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)"
+risk_score = 21
+rule_id = "1e9b271c-8caa-4e20-aed8-e91e34de9283"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and
+github.repo:* and github.hashed_token:* and
+github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and
+github.repository_public:false
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["github.hashed_token", "github.repo"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules_building_block/execution_github_new_repo_interaction_for_user.toml b/rules_building_block/execution_github_new_repo_interaction_for_user.toml
new file mode 100644
index 00000000000..9f900204215
--- /dev/null
+++ b/rules_building_block/execution_github_new_repo_interaction_for_user.toml
@@ -0,0 +1,60 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/12/14"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Detects a new private repo interaction for a GitHub user not seen in the last 14 days.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Occurrence of GitHub User Interaction with Private Repo"
+risk_score = 21
+rule_id = "01c49712-25bc-49d2-a27d-d7ce52f5dc49"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and
+github.repo:* and user.name:* and
+github.repository_public:false
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.name", "github.repo"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules_building_block/execution_github_repo_created.toml b/rules_building_block/execution_github_repo_created.toml
new file mode 100644
index 00000000000..c10de1f2ea0
--- /dev/null
+++ b/rules_building_block/execution_github_repo_created.toml
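Review bot: `min_stack_version = "8.6.0"` looks inconsistent with the sibling rules: the query filters on `github.repository_public:false`, and the other new rules that use that field (`execution_github_new_repo_interaction_for_pat.toml`, `execution_github_repo_interaction_from_new_ip.toml`, `execution_github_high_number_of_cloned_repos_from_pat.toml`) set `min_stack_version = "8.8.0"` with the comment `New fields added to GitHub Integration`. If `github.repository_public` is one of those new fields, this rule cannot evaluate on 8.6 and should be raised to `min_stack_version = "8.8.0"` with the matching `min_stack_comments`; if the field predates 8.8, it is the other rules' comment that misleads. Either way the files should agree on which fields gate the minimum version.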
@@ -0,0 +1,49 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/14"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+A new GitHub repository was created.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GitHub Repo Created"
+risk_score = 21
+rule_id = "6cea88e4-6ce2-4238-9981-a54c140d6336"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+configuration where event.dataset == "github.audit" and event.action == "repo.create"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules_building_block/execution_github_repo_interaction_from_new_ip.toml b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml
new file mode 100644
index 00000000000..a9b685231e8
--- /dev/null
+++ b/rules_building_block/execution_github_repo_interaction_from_new_ip.toml
@@ -0,0 +1,60 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Detects an interaction with a private GitHub repository from a new IP address not seen in the last 14 days.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Occurrence of GitHub Repo Interaction From a New IP"
+risk_score = 21
+rule_id = "0294f105-d7af-4a02-ae90-35f56763ffa2"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and
+github.actor_ip:* and github.repo:* and
+github.repository_public:false
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["github.repo", "github.actor_ip"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules_building_block/impact_github_member_removed_from_organization.toml b/rules_building_block/impact_github_member_removed_from_organization.toml
new file mode 100644
index 00000000000..ddffcc741d0
--- /dev/null
+++ b/rules_building_block/impact_github_member_removed_from_organization.toml
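Review bot: `bypass_bbr_timing = true` is placed after `updated_date` in `[metadata]`, whereas the building-block rules earlier in this commit (`execution_github_new_event_action_for_pat.toml`, `execution_github_new_repo_interaction_for_pat.toml`, `execution_github_new_repo_interaction_for_user.toml`, `execution_github_repo_created.toml`) put it on the first line after the header, which keeps the metadata keys in alphabetical order. Every remaining new `rules_building_block/` file in this commit has the same trailing placement. Moving the key to directly below `[metadata]` keeps the block sorted like the rest of the repository's metadata and makes the timing override visible where a reader first looks.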
@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/21"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+A member was removed or their invitation to join was removed from a GitHub Organization.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Member Removed From GitHub Organization"
+risk_score = 21
+rule_id = "095b6a58-8f88-4b59-827c-ab584ad4e759"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Impact",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+configuration where event.dataset == "github.audit" and event.action == "org.remove_member"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1531"
+name = "Account Access Removal"
+reference = "https://attack.mitre.org/techniques/T1531/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules_building_block/impact_github_pat_access_revoked.toml b/rules_building_block/impact_github_pat_access_revoked.toml
new file mode 100644
index 00000000000..aa9fc0e0c90
--- /dev/null
+++ b/rules_building_block/impact_github_pat_access_revoked.toml
@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Access to private GitHub organization resources was revoked for a PAT.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GitHub PAT Access Revoked"
+risk_score = 21
+rule_id = "8a0fd93a-7df8-410d-8808-4cc5e340f2b9"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Impact",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+configuration where event.dataset == "github.audit" and event.action == "personal_access_token.access_revoked"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1531"
+name = "Account Access Removal"
+reference = "https://attack.mitre.org/techniques/T1531/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules_building_block/impact_github_user_blocked_from_organization.toml b/rules_building_block/impact_github_user_blocked_from_organization.toml
new file mode 100644
index 00000000000..96daeacf88f
--- /dev/null
+++ b/rules_building_block/impact_github_user_blocked_from_organization.toml
@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+A GitHub user was blocked from access to an organization.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GitHub User Blocked From Organization"
+risk_score = 21
+rule_id = "4030c951-448a-4017-a2da-ed60f6d14f4f"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Impact",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+configuration where event.dataset == "github.audit" and event.action == "org.block_user"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1531"
+name = "Account Access Removal"
+reference = "https://attack.mitre.org/techniques/T1531/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules_building_block/initial_access_github_new_ip_address_for_pat.toml b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml
new file mode 100644
index 00000000000..b1fa1b90d21
--- /dev/null
+++ b/rules_building_block/initial_access_github_new_ip_address_for_pat.toml
@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Detects a new IP address used for a GitHub PAT not previously seen in the last 14 days.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Occurrence of IP Address For GitHub Personal Access Token (PAT)"
+risk_score = 21
+rule_id = "fc909baa-fb34-4c46-9691-be276ef4234c"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Initial Access",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and
+github.actor_ip:* and github.hashed_token:* and
+github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["github.hashed_token", "github.actor_ip"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules_building_block/initial_access_github_new_ip_address_for_user.toml b/rules_building_block/initial_access_github_new_ip_address_for_user.toml
new file mode 100644
index 00000000000..38bb8adf040
--- /dev/null
+++ b/rules_building_block/initial_access_github_new_ip_address_for_user.toml
@@ -0,0 +1,61 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Detects a new IP address used for a GitHub user not previously seen in the last 14 days.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Occurrence of IP Address For GitHub User"
+risk_score = 21
+rule_id = "3af4cb9b-973f-4c54-be2b-7623c0e21b2b"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Initial Access",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and
+github.actor_ip:* and user.name:*
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.name", "github.actor_ip"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules_building_block/initial_access_github_new_user_agent_for_pat.toml b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml
new file mode 100644
index 00000000000..64308ff178a
--- /dev/null
+++ b/rules_building_block/initial_access_github_new_user_agent_for_pat.toml
@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Detects a new user agent used for a GitHub PAT not previously seen in the last 14 days.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)"
+risk_score = 21
+rule_id = "0e4367a0-a483-439d-ad2e-d90500b925fd"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Initial Access",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and
+github.user_agent:* and github.hashed_token:* and
+github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["github.hashed_token", "github.user_agent"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules_building_block/initial_access_github_new_user_agent_for_user.toml b/rules_building_block/initial_access_github_new_user_agent_for_user.toml
new file mode 100644
index 00000000000..7980a538de6
--- /dev/null
+++ b/rules_building_block/initial_access_github_new_user_agent_for_user.toml
@@ -0,0 +1,61 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Detects a new user agent used for a GitHub user not previously seen in the last 14 days.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Occurrence of User-Agent For a GitHub User"
+risk_score = 21
+rule_id = "41761cd3-380f-4d4d-89f3-46d6853ee35d"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Initial Access",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and
+github.user_agent:* and user.name:*
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.name", "github.user_agent"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules_building_block/persistence_github_new_pat_for_user.toml b/rules_building_block/persistence_github_new_pat_for_user.toml
new file mode 100644
index 00000000000..cfef12dc021
--- /dev/null
+++ b/rules_building_block/persistence_github_new_pat_for_user.toml
@@ -0,0 +1,62 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added to GitHub Integration"
+min_stack_version = "8.8.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+A new PAT was used for a GitHub user not previously seen in the last 14 days.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Occurrence of Personal Access Token (PAT) Use For a GitHub User"
+risk_score = 21
+rule_id = "f94e898e-94f1-4545-8923-03e4b2866211"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Persistence",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and
+github.hashed_token:* and user.name:* and
+github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.name", "github.hashed_token"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules_building_block/persistence_github_new_user_added_to_organization.toml b/rules_building_block/persistence_github_new_user_added_to_organization.toml
new file mode 100644
index 00000000000..685fa8fbe53
--- /dev/null
+++ b/rules_building_block/persistence_github_new_user_added_to_organization.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/21"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+A new user was added to a GitHub organization.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "New User Added To GitHub Organization"
+risk_score = 21
+rule_id = "61336fe6-c043-4743-ab6e-41292f439603"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Persistence",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+configuration where event.dataset == "github.audit" and event.action == "org.add_member"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"