-
Notifications
You must be signed in to change notification settings - Fork 514
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[New Rules] UEBA GItHub BBRs and Rules (#3174)
* [New Rules] UEBA GItHub BBRs and Rules A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules. * Update rules/integrations/github/impact_github_member_removed_from_organization.toml * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * edited BBR rules -removed newly added member rule * updated integration manifests and schemas * Updated min_stack for some rules based on newest GitHub integration schema manifest * testing min_stack bump to 8.8 for new fields * removing offending rule to troubleshoot seperately * added UEBA tags and created UEBA threshold rule * updated non-ecs-schema to add signal.rule.tags * updated non-ecs-schema with kibana.alert.workflow_status * updated rule.threat.tactic * added user.name to non-ecs-schema * added quotes to kibana.alert.workflow_status value * removed trailing space from rule name * update tags and optimize query for UEBA threshold rule * removed integration field from Higher-Order rule * Apply suggestions from code review Co-authored-by: Terrance DeJesus <[email protected]> * adjusted new_terms order and rule types based on review feedback * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * remove user.name from detection_rules/etc/non-ecs-schema.json * fix json formatting --------- Co-authored-by: Ruben Groenewoud <[email protected]> Co-authored-by: Colson Wilhoit <[email protected]> Co-authored-by: Terrance DeJesus <[email protected]> Co-authored-by: Justin Ibarra <[email protected]> Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit 4424358)
- Loading branch information
1 parent
f572a3c
commit ae6c38e
Showing
11 changed files
with
368 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
45 changes: 45 additions & 0 deletions
45
rules/integrations/github/execution_github_app_deleted.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| [metadata] | ||
| creation_date = "2023/10/11" | ||
| integration = ["github"] | ||
| maturity = "production" | ||
| min_stack_comments = "New fields added: required_fields, related_integrations, setup" | ||
| min_stack_version = "8.3.0" | ||
| updated_date = "2023/10/11" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Detects the deletion of a GitHub app either from a repo or an organization. | ||
| """ | ||
| from = "now-9m" | ||
| index = ["logs-github.audit-*"] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "GitHub App Deleted" | ||
| risk_score = 21 | ||
| rule_id = "fd01b949-81be-46d5-bcf8-284395d5f56d" | ||
| severity = "low" | ||
| tags = ["Domain: Cloud", | ||
| "Use Case: Threat Detection", | ||
| "Tactic: Execution", | ||
| "Data Source: Github" | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "eql" | ||
|
|
||
| query = ''' | ||
| configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion" | ||
| ''' | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1648" | ||
| name = "Serverless Execution" | ||
| reference = "https://attack.mitre.org/techniques/T1648/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0002" | ||
| name = "Execution" | ||
| reference = "https://attack.mitre.org/tactics/TA0002/" |
52 changes: 52 additions & 0 deletions
52
rules/integrations/github/execution_github_ueba_multiple_behavior_alerts_from_account.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| [metadata] | ||
| creation_date = "2023/12/14" | ||
| maturity = "production" | ||
| min_stack_comments = "New fields added: required_fields, related_integrations, setup" | ||
| min_stack_version = "8.3.0" | ||
| updated_date = "2023/12/18" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to | ||
| determine when multiple alerts are executed by the same user in a timespan of one hour. | ||
| Analysts can use this to prioritize triage and response, as these alerts are a higher indicator of compromised user | ||
| accounts or PATs. | ||
| """ | ||
| from = "now-60m" | ||
| index = [".alerts-security.*"] | ||
| language = "kuery" | ||
| license = "Elastic License v2" | ||
| name = "GitHub UEBA - Multiple Alerts from a GitHub Account" | ||
| risk_score = 47 | ||
| rule_id = "929223b4-fba3-4a1c-a943-ec4716ad23ec" | ||
| severity = "medium" | ||
| tags = ["Domain: Cloud", | ||
| "Use Case: Threat Detection", | ||
| "Use Case: UEBA", | ||
| "Tactic: Execution", | ||
| "Rule Type: Higher-Order Rule", | ||
| "Data Source: Github" | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "threshold" | ||
|
|
||
| query = ''' | ||
| signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open" | ||
| ''' | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0002" | ||
| name = "Execution" | ||
| reference = "https://attack.mitre.org/tactics/TA0002/" | ||
|
|
||
| [rule.threshold] | ||
| field = ["user.name"] | ||
| value = 1 | ||
|
|
||
| [[rule.threshold.cardinality]] | ||
| field = "signal.rule.name" | ||
| value = 5 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| [metadata] | ||
| bypass_bbr_timing = true | ||
| creation_date = "2023/10/11" | ||
| integration = ["github"] | ||
| maturity = "production" | ||
| min_stack_comments = "New fields added: required_fields, related_integrations, setup" | ||
| min_stack_version = "8.3.0" | ||
| updated_date = "2023/12/14" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| building_block_type = "default" | ||
| description = """ | ||
| A new GitHub repository was created. | ||
| """ | ||
| from = "now-9m" | ||
| index = ["logs-github.audit-*"] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "GitHub Repo Created" | ||
| risk_score = 21 | ||
| rule_id = "6cea88e4-6ce2-4238-9981-a54c140d6336" | ||
| severity = "low" | ||
| tags = ["Domain: Cloud", | ||
| "Use Case: Threat Detection", | ||
| "Use Case: UEBA", | ||
| "Tactic: Execution", | ||
| "Rule Type: BBR", | ||
| "Data Source: Github" | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "eql" | ||
|
|
||
| query = ''' | ||
| configuration where event.dataset == "github.audit" and event.action == "repo.create" | ||
| ''' | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1648" | ||
| name = "Serverless Execution" | ||
| reference = "https://attack.mitre.org/techniques/T1648/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0002" | ||
| name = "Execution" | ||
| reference = "https://attack.mitre.org/tactics/TA0002/" |
49 changes: 49 additions & 0 deletions
49
rules_building_block/impact_github_member_removed_from_organization.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| [metadata] | ||
| creation_date = "2023/10/11" | ||
| integration = ["github"] | ||
| maturity = "production" | ||
| min_stack_comments = "New fields added: required_fields, related_integrations, setup" | ||
| min_stack_version = "8.3.0" | ||
| updated_date = "2023/12/21" | ||
| bypass_bbr_timing = true | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| building_block_type = "default" | ||
| description = """ | ||
| A member was removed or their invitation to join was removed from a GitHub Organization. | ||
| """ | ||
| from = "now-9m" | ||
| index = ["logs-github.audit-*"] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "Member Removed From GitHub Organization" | ||
| risk_score = 21 | ||
| rule_id = "095b6a58-8f88-4b59-827c-ab584ad4e759" | ||
| severity = "low" | ||
| tags = ["Domain: Cloud", | ||
| "Use Case: Threat Detection", | ||
| "Use Case: UEBA", | ||
| "Tactic: Impact", | ||
| "Rule Type: BBR", | ||
| "Data Source: Github" | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "eql" | ||
|
|
||
| query = ''' | ||
| configuration where event.dataset == "github.audit" and event.action == "org.remove_member" | ||
| ''' | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1531" | ||
| name = "Account Access Removal" | ||
| reference = "https://attack.mitre.org/techniques/T1531/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0040" | ||
| name = "Impact" | ||
| reference = "https://attack.mitre.org/tactics/TA0040/" |
49 changes: 49 additions & 0 deletions
49
rules_building_block/impact_github_pat_access_revoked.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| [metadata] | ||
| creation_date = "2023/10/11" | ||
| integration = ["github"] | ||
| maturity = "production" | ||
| min_stack_comments = "New fields added: required_fields, related_integrations, setup" | ||
| min_stack_version = "8.3.0" | ||
| updated_date = "2023/12/14" | ||
| bypass_bbr_timing = true | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| building_block_type = "default" | ||
| description = """ | ||
| Access to private GitHub organization resources was revoked for a PAT. | ||
| """ | ||
| from = "now-9m" | ||
| index = ["logs-github.audit-*"] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "GitHub PAT Access Revoked" | ||
| risk_score = 21 | ||
| rule_id = "8a0fd93a-7df8-410d-8808-4cc5e340f2b9" | ||
| severity = "low" | ||
| tags = ["Domain: Cloud", | ||
| "Use Case: Threat Detection", | ||
| "Use Case: UEBA", | ||
| "Tactic: Impact", | ||
| "Rule Type: BBR", | ||
| "Data Source: Github" | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "eql" | ||
|
|
||
| query = ''' | ||
| configuration where event.dataset == "github.audit" and event.action == "personal_access_token.access_revoked" | ||
| ''' | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1531" | ||
| name = "Account Access Removal" | ||
| reference = "https://attack.mitre.org/techniques/T1531/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0040" | ||
| name = "Impact" | ||
| reference = "https://attack.mitre.org/tactics/TA0040/" |
49 changes: 49 additions & 0 deletions
49
rules_building_block/impact_github_user_blocked_from_organization.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| [metadata] | ||
| creation_date = "2023/10/11" | ||
| integration = ["github"] | ||
| maturity = "production" | ||
| min_stack_comments = "New fields added: required_fields, related_integrations, setup" | ||
| min_stack_version = "8.3.0" | ||
| updated_date = "2023/12/14" | ||
| bypass_bbr_timing = true | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| building_block_type = "default" | ||
| description = """ | ||
| A GitHub user was blocked from access to an organization. | ||
| """ | ||
| from = "now-9m" | ||
| index = ["logs-github.audit-*"] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "GitHub User Blocked From Organization" | ||
| risk_score = 21 | ||
| rule_id = "4030c951-448a-4017-a2da-ed60f6d14f4f" | ||
| severity = "low" | ||
| tags = ["Domain: Cloud", | ||
| "Use Case: Threat Detection", | ||
| "Use Case: UEBA", | ||
| "Tactic: Impact", | ||
| "Rule Type: BBR", | ||
| "Data Source: Github" | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "eql" | ||
|
|
||
| query = ''' | ||
| configuration where event.dataset == "github.audit" and event.action == "org.block_user" | ||
| ''' | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1531" | ||
| name = "Account Access Removal" | ||
| reference = "https://attack.mitre.org/techniques/T1531/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0040" | ||
| name = "Impact" | ||
| reference = "https://attack.mitre.org/tactics/TA0040/" |
Oops, something went wrong.