From aadca807d74b576cf876fd0b248e936ed16d8bba Mon Sep 17 00:00:00 2001 
From: Isai <59296946+imays11@users.noreply.github.com> Date: Mon, 22 Jan 2024 12:48:31 -0500 Subject: [PATCH] [New Rules] UEBA GitHub BBRs and Rules (#3174) * [New Rules] UEBA GitHub BBRs and Rules A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules. * Update rules/integrations/github/impact_github_member_removed_from_organization.toml * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * edited BBR rules -removed newly added member rule * updated integration manifests and schemas * Updated min_stack for some rules based on newest GitHub integration schema manifest * testing min_stack bump to 8.8 for new fields * removing offending rule to troubleshoot separately * added UEBA tags and created UEBA threshold rule * updated non-ecs-schema to add signal.rule.tags * updated non-ecs-schema with kibana.alert.workflow_status * updated rule.threat.tactic * added user.name to non-ecs-schema * added quotes to kibana.alert.workflow_status value * removed trailing space from rule name * update tags and optimize query for UEBA threshold rule * removed integration field from Higher-Order rule * Apply suggestions from code review Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * adjusted new_terms order and rule types based on review feedback * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * remove user.name from detection_rules/etc/non-ecs-schema.json * fix json formatting --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Mika Ayenson (cherry picked from commit
442435830f9558bea94fd3b706e3280216bf013f)
---
detection_rules/etc/non-ecs-schema.json | 2 +
.../github/execution_github_app_deleted.toml | 45 ++++++++++++++
...multiple_behavior_alerts_from_account.toml | 52 ++++++++++++++++
.../impact_github_repository_deleted.toml | 10 +++-
.../persistence_github_org_owner_added.toml | 9 ++-
...tence_organization_owner_role_granted.toml | 9 ++-
..._github_new_repo_interaction_for_user.toml | 60 +++++++++++++++++++
.../execution_github_repo_created.toml | 49 +++++++++++++++
...thub_member_removed_from_organization.toml | 49 +++++++++++++++
.../impact_github_pat_access_revoked.toml | 49 +++++++++++++++
...github_user_blocked_from_organization.toml | 49 +++++++++++++++
...github_new_user_added_to_organization.toml | 52 ++++++++++++++++
12 files changed, 428 insertions(+), 7 deletions(-)
create mode 100644 rules/integrations/github/execution_github_app_deleted.toml
create mode 100644 rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
create mode 100644 rules_building_block/execution_github_new_repo_interaction_for_user.toml
create mode 100644 rules_building_block/execution_github_repo_created.toml
create mode 100644 rules_building_block/impact_github_member_removed_from_organization.toml
create mode 100644 rules_building_block/impact_github_pat_access_revoked.toml
create mode 100644 rules_building_block/impact_github_user_blocked_from_organization.toml
create mode 100644 rules_building_block/persistence_github_new_user_added_to_organization.toml
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index fb4f8952bc1..f060727e691 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -115,8 +115,10 @@
 },
 ".alerts-security.*": {
 "signal.rule.name": "keyword",
+ "signal.rule.tags": "keyword",
 "signal.rule.threat.tactic.name": "keyword",
 "kibana.alert.rule.threat.tactic.id": "keyword",
+ "kibana.alert.workflow_status": "keyword",
 "kibana.alert.rule.rule_id": "keyword"
 },
 "logs-google_workspace*": {
diff --git a/rules/integrations/github/execution_github_app_deleted.toml b/rules/integrations/github/execution_github_app_deleted.toml
new file mode 100644
index 00000000000..891c181759a
--- /dev/null
+++ b/rules/integrations/github/execution_github_app_deleted.toml
@@ -0,0 +1,45 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the deletion of a GitHub app either from a repo or an organization.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GitHub App Deleted"
+risk_score = 21
+rule_id = "fd01b949-81be-46d5-bcf8-284395d5f56d"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
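Review bot: The query in execution_github_app_deleted.toml selects on `github.category == "integration_installation"` together with `event.type == "deletion"`, while the EQL building-block rules in this commit each key on one concrete `event.action`; nothing in the file records which audit action(s) that category/type pair is meant to cover, which a triager needs when the alert fires for an uninstall nobody recognises. Appending to the description a line such as `Matches integration_installation audit events with event.type deletion, i.e. an app uninstalled from a repository or from the organization.` would close that gap. This is also the only GitHub rule touched in this commit that does not carry the `"Use Case: UEBA"` tag, so its alerts will not count toward the new threshold rule, whose query filters on that tag; if that is intended, one sentence in the description saying so would stop the next reviewer from "fixing" it.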
diff --git a/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml b/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
new file mode 100644
index 00000000000..2908f7b3e87
--- /dev/null
+++ b/rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/12/14"
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to
+determine when multiple alerts are executed by the same user in a timespan of one hour.
+Analysts can use this to prioritize triage and response, as these alerts are a higher indicator of compromised user
+accounts or PATs.
+"""
+from = "now-60m"
+index = [".alerts-security.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "GitHub UEBA - Multiple Alerts from a GitHub Account"
+risk_score = 47
+rule_id = "929223b4-fba3-4a1c-a943-ec4716ad23ec"
+severity = "medium"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Rule Type: Higher-Order Rule",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "threshold"
+
+query = '''
+signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[rule.threshold]
+field = ["user.name"]
+value = 1
+
+[[rule.threshold.cardinality]]
+field = "signal.rule.name"
+value = 5
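Review bot: The threshold rule's own tags contain both values its query matches on, `"Use Case: UEBA"` and `"Data Source: Github"`, so if threshold alerts carry the grouped `user.name` value (I believe they do, but confirm on the target stack) every alert this rule writes to `.alerts-security.*` is itself an open, matching document with one more distinct `signal.rule.name` for that user and feeds the cardinality count on the next run. Excluding higher-order alerts, e.g. `signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and not signal.rule.tags:"Rule Type: Higher-Order Rule" and kibana.alert.workflow_status:"open"`, keeps the count to the BBR and detection alerts the description is about. Separately, the description says "multiple alerts" while `[[rule.threshold.cardinality]]` requires five or more distinct rule names for one `user.name` inside the 60-minute `from` window; stating that number in the description tells an analyst why two or three alerts from the same user do not trigger it.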
diff --git a/rules/integrations/github/impact_github_repository_deleted.toml b/rules/integrations/github/impact_github_repository_deleted.toml
index a3193318ce2..9eebd68aea8 100644
--- a/rules/integrations/github/impact_github_repository_deleted.toml
+++ b/rules/integrations/github/impact_github_repository_deleted.toml
@@ -4,7 +4,7 @@ integration = ["github"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/29"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,12 @@ name = "GitHub Repository Deleted"
 risk_score = 47
 rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b"
 severity = "medium"
-tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Github"]
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Impact",
+ "Data Source: Github"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -44,4 +49,3 @@ reference = "https://attack.mitre.org/techniques/T1485/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-
diff --git a/rules/integrations/github/persistence_github_org_owner_added.toml b/rules/integrations/github/persistence_github_org_owner_added.toml
index 3fd492d96b3..7fd963c9fe6 100644
--- a/rules/integrations/github/persistence_github_org_owner_added.toml
+++ b/rules/integrations/github/persistence_github_org_owner_added.toml
@@ -4,7 +4,7 @@ integration = ["github"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/11"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,12 @@ name = "New GitHub Owner Added"
 risk_score = 47
 rule_id = "24401eca-ad0b-4ff9-9431-487a8e183af9"
 severity = "medium"
-tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Github"]
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Persistence",
+ "Data Source: Github"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/integrations/github/persistence_organization_owner_role_granted.toml b/rules/integrations/github/persistence_organization_owner_role_granted.toml
index 0d757fe43f0..08adb684912 100644
--- a/rules/integrations/github/persistence_organization_owner_role_granted.toml
+++ b/rules/integrations/github/persistence_organization_owner_role_granted.toml
@@ -4,7 +4,7 @@ integration = ["github"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/11"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,12 @@ name = "GitHub Owner Role Granted To User"
 risk_score = 47
 rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4"
 severity = "medium"
-tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Github"]
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Persistence",
+ "Data Source: Github"
+ ]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules_building_block/execution_github_new_repo_interaction_for_user.toml b/rules_building_block/execution_github_new_repo_interaction_for_user.toml
new file mode 100644
index 00000000000..9f900204215
--- /dev/null
+++ b/rules_building_block/execution_github_new_repo_interaction_for_user.toml
@@ -0,0 +1,60 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/12/14"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Detects a new private repo interaction for a GitHub user not seen in the last 14 days.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "First Occurrence of GitHub User Interaction with Private Repo"
+risk_score = 21
+rule_id = "01c49712-25bc-49d2-a27d-d7ce52f5dc49"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and
+github.repo:* and user.name:* and
+github.repository_public:false
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.name", "github.repo"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
diff --git a/rules_building_block/execution_github_repo_created.toml b/rules_building_block/execution_github_repo_created.toml
new file mode 100644
index 00000000000..c10de1f2ea0
--- /dev/null
+++ b/rules_building_block/execution_github_repo_created.toml
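Review bot: The description promises any "private repo interaction" for a user, but the query only admits `event.category:"configuration"` events with `github.repository_public:false`, so whatever the integration categorizes differently (git-protocol actions such as clone or push, if they are collected at all) never produces a first-seen alert. Either widen the query or narrow the description, e.g. `Detects the first configuration-category audit event by a GitHub user against a private repository, for a user/repo pair not seen in the last 14 days.`. The `min_stack_comments` value explains the 8.6 floor well; a similar sentence in the description noting that `user.name:*` and `github.repo:*` presumably exist only to guarantee both new-terms fields are populated would keep a later maintainer from dropping them as redundant.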
@@ -0,0 +1,49 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/14"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+A new GitHub repository was created.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GitHub Repo Created"
+risk_score = 21
+rule_id = "6cea88e4-6ce2-4238-9981-a54c140d6336"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+configuration where event.dataset == "github.audit" and event.action == "repo.create"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules_building_block/impact_github_member_removed_from_organization.toml b/rules_building_block/impact_github_member_removed_from_organization.toml
new file mode 100644
index 00000000000..ddffcc741d0
--- /dev/null
+++ b/rules_building_block/impact_github_member_removed_from_organization.toml
@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/21"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+A member was removed or their invitation to join was removed from a GitHub Organization.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Member Removed From GitHub Organization"
+risk_score = 21
+rule_id = "095b6a58-8f88-4b59-827c-ab584ad4e759"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Impact",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+configuration where event.dataset == "github.audit" and event.action == "org.remove_member"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1531"
+name = "Account Access Removal"
+reference = "https://attack.mitre.org/techniques/T1531/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules_building_block/impact_github_pat_access_revoked.toml b/rules_building_block/impact_github_pat_access_revoked.toml
new file mode 100644
index 00000000000..aa9fc0e0c90
--- /dev/null
+++ b/rules_building_block/impact_github_pat_access_revoked.toml
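Review bot: The description says a member "or their invitation to join" was removed, but the query matches only `event.action == "org.remove_member"`; a cancelled invitation is a separate GitHub audit action (`org.cancel_invitation`, if that is the event intended) and would not produce this alert. Either extend the condition, e.g. `configuration where event.dataset == "github.audit" and event.action in ("org.remove_member", "org.cancel_invitation")`, or drop the invitation clause from the description so the BBR's coverage is stated accurately. Separately, this file and impact_github_pat_access_revoked.toml, impact_github_user_blocked_from_organization.toml and persistence_github_new_user_added_to_organization.toml place `bypass_bbr_timing = true` after `updated_date`, whereas the two execution_* BBRs in the same commit keep `[metadata]` alphabetical with it first; one ordering across the set would make the files easier to diff against each other.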
@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Access to private GitHub organization resources was revoked for a PAT.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GitHub PAT Access Revoked"
+risk_score = 21
+rule_id = "8a0fd93a-7df8-410d-8808-4cc5e340f2b9"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Impact",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+configuration where event.dataset == "github.audit" and event.action == "personal_access_token.access_revoked"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1531"
+name = "Account Access Removal"
+reference = "https://attack.mitre.org/techniques/T1531/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules_building_block/impact_github_user_blocked_from_organization.toml b/rules_building_block/impact_github_user_blocked_from_organization.toml
new file mode 100644
index 00000000000..96daeacf88f
--- /dev/null
+++ b/rules_building_block/impact_github_user_blocked_from_organization.toml
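Review bot: For this event `user.name` presumably identifies the actor who revoked the token rather than the PAT's owner, so the UEBA threshold rule added in this commit, which groups on `user.name`, will attribute the activity to the revoker; the same question applies to `org.block_user` in impact_github_user_blocked_from_organization.toml and `org.remove_member` in impact_github_member_removed_from_organization.toml, where the actor is an administrator and the affected account is someone else. If the actor is the intended subject, the description should say so; if the affected account is the subject of interest, the description should name the integration field that carries it (confirm against the GitHub integration schema) so an analyst triaging the threshold alert does not read routine admin cleanup as a compromised account.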
@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/14"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+A GitHub user was blocked from access to an organization.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GitHub User Blocked From Organization"
+risk_score = 21
+rule_id = "4030c951-448a-4017-a2da-ed60f6d14f4f"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Impact",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+configuration where event.dataset == "github.audit" and event.action == "org.block_user"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1531"
+name = "Account Access Removal"
+reference = "https://attack.mitre.org/techniques/T1531/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
diff --git a/rules_building_block/persistence_github_new_user_added_to_organization.toml b/rules_building_block/persistence_github_new_user_added_to_organization.toml
new file mode 100644
index 00000000000..685fa8fbe53
--- /dev/null
+++ b/rules_building_block/persistence_github_new_user_added_to_organization.toml
@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/12/21"
+bypass_bbr_timing = true
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+A new user was added to a GitHub organization.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "New User Added To GitHub Organization"
+risk_score = 21
+rule_id = "61336fe6-c043-4743-ab6e-41292f439603"
+severity = "low"
+tags = ["Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Persistence",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+configuration where event.dataset == "github.audit" and event.action == "org.add_member"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
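Review bot: The sub-technique chosen, T1098.001 "Additional Cloud Credentials", covers adding credentials (keys, tokens, certificates) to an existing cloud identity, which is not what `org.add_member` records; granting an account membership in the organization fits the parent T1098 "Account Manipulation" on its own, or T1136.003 "Create Account: Cloud Account" if new-account onboarding is the concern. Removing the four-line `[[rule.threat.technique.subtechnique]]` block keeps the mapping accurate under the Persistence tactic already declared, and it has no effect on the UEBA threshold rule in this commit, which correlates on tags rather than on threat mappings.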