[New Rules] UEBA GItHub BBRs and Rules #3174
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules.
imays11
added
Rule: New
imays11
requested review from
w0rk3r,
DefSecSentinel,
Aegrah,
shashank-elastic and
terrancedejesus
Aegrah
reviewed
Oct 17, 2023
rules/integrations/github/impact_github_member_removed_from_organization.toml
Outdated
Show resolved
Hide resolved
Aegrah
reviewed
Oct 17, 2023
rules_building_block/execution_github_high_number_of_cloned_repos_from_pat.toml
Outdated
Show resolved
Hide resolved
rules_building_block/execution_github_high_number_of_cloned_repos_from_pat.toml
Outdated
Show resolved
Hide resolved
rules_building_block/execution_github_new_application_interaction_for_pat.toml
Outdated
Show resolved
Hide resolved
rules_building_block/execution_github_new_application_interaction_for_pat.toml
Outdated
Show resolved
Hide resolved
rules_building_block/initial_access_github_new_ip_address_for_pat.toml
Outdated
Show resolved
Hide resolved
rules_building_block/initial_access_github_new_ip_address_for_user.toml
Outdated
Show resolved
Hide resolved
rules_building_block/initial_access_github_new_user_agent_for_pat.toml
Outdated
Show resolved
Hide resolved
rules_building_block/initial_access_github_new_user_agent_for_user.toml
Outdated
Show resolved
Hide resolved
Co-authored-by: Ruben Groenewoud <[email protected]>
-removed newly added member rule
…ion-rules into github_ueba_rules
Co-authored-by: Ruben Groenewoud <[email protected]>
Mikaayenson
reviewed
Jan 17, 2024
imays11
commented
Jan 17, 2024
Mikaayenson
approved these changes
Jan 22, 2024
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 22, 2024
* [New Rules] UEBA GItHub BBRs and Rules A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules. * Update rules/integrations/github/impact_github_member_removed_from_organization.toml * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * edited BBR rules -removed newly added member rule * updated integration manifests and schemas * Updated min_stack for some rules based on newest GitHub integration schema manifest * testing min_stack bump to 8.8 for new fields * removing offending rule to troubleshoot seperately * added UEBA tags and created UEBA threshold rule * updated non-ecs-schema to add signal.rule.tags * updated non-ecs-schema with kibana.alert.workflow_status * updated rule.threat.tactic * added user.name to non-ecs-schema * added quotes to kibana.alert.workflow_status value * removed trailing space from rule name * update tags and optimize query for UEBA threshold rule * removed integration field from Higher-Order rule * Apply suggestions from code review Co-authored-by: Terrance DeJesus <[email protected]> * adjusted new_terms order and rule types based on review feedback * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * remove user.name from detection_rules/etc/non-ecs-schema.json * fix json formatting --------- Co-authored-by: Ruben Groenewoud <[email protected]> Co-authored-by: Colson Wilhoit <[email protected]> Co-authored-by: Terrance DeJesus <[email protected]> Co-authored-by: Justin Ibarra <[email protected]> Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit 4424358)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 22, 2024
* [New Rules] UEBA GItHub BBRs and Rules A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules. * Update rules/integrations/github/impact_github_member_removed_from_organization.toml * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * edited BBR rules -removed newly added member rule * updated integration manifests and schemas * Updated min_stack for some rules based on newest GitHub integration schema manifest * testing min_stack bump to 8.8 for new fields * removing offending rule to troubleshoot seperately * added UEBA tags and created UEBA threshold rule * updated non-ecs-schema to add signal.rule.tags * updated non-ecs-schema with kibana.alert.workflow_status * updated rule.threat.tactic * added user.name to non-ecs-schema * added quotes to kibana.alert.workflow_status value * removed trailing space from rule name * update tags and optimize query for UEBA threshold rule * removed integration field from Higher-Order rule * Apply suggestions from code review Co-authored-by: Terrance DeJesus <[email protected]> * adjusted new_terms order and rule types based on review feedback * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * remove user.name from detection_rules/etc/non-ecs-schema.json * fix json formatting --------- Co-authored-by: Ruben Groenewoud <[email protected]> Co-authored-by: Colson Wilhoit <[email protected]> Co-authored-by: Terrance DeJesus <[email protected]> Co-authored-by: Justin Ibarra <[email protected]> Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit 4424358)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 22, 2024
* [New Rules] UEBA GItHub BBRs and Rules A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules. * Update rules/integrations/github/impact_github_member_removed_from_organization.toml * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * edited BBR rules -removed newly added member rule * updated integration manifests and schemas * Updated min_stack for some rules based on newest GitHub integration schema manifest * testing min_stack bump to 8.8 for new fields * removing offending rule to troubleshoot seperately * added UEBA tags and created UEBA threshold rule * updated non-ecs-schema to add signal.rule.tags * updated non-ecs-schema with kibana.alert.workflow_status * updated rule.threat.tactic * added user.name to non-ecs-schema * added quotes to kibana.alert.workflow_status value * removed trailing space from rule name * update tags and optimize query for UEBA threshold rule * removed integration field from Higher-Order rule * Apply suggestions from code review Co-authored-by: Terrance DeJesus <[email protected]> * adjusted new_terms order and rule types based on review feedback * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * remove user.name from detection_rules/etc/non-ecs-schema.json * fix json formatting --------- Co-authored-by: Ruben Groenewoud <[email protected]> Co-authored-by: Colson Wilhoit <[email protected]> Co-authored-by: Terrance DeJesus <[email protected]> Co-authored-by: Justin Ibarra <[email protected]> Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit 4424358)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 22, 2024
* [New Rules] UEBA GItHub BBRs and Rules A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules. * Update rules/integrations/github/impact_github_member_removed_from_organization.toml * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * edited BBR rules -removed newly added member rule * updated integration manifests and schemas * Updated min_stack for some rules based on newest GitHub integration schema manifest * testing min_stack bump to 8.8 for new fields * removing offending rule to troubleshoot seperately * added UEBA tags and created UEBA threshold rule * updated non-ecs-schema to add signal.rule.tags * updated non-ecs-schema with kibana.alert.workflow_status * updated rule.threat.tactic * added user.name to non-ecs-schema * added quotes to kibana.alert.workflow_status value * removed trailing space from rule name * update tags and optimize query for UEBA threshold rule * removed integration field from Higher-Order rule * Apply suggestions from code review Co-authored-by: Terrance DeJesus <[email protected]> * adjusted new_terms order and rule types based on review feedback * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * remove user.name from detection_rules/etc/non-ecs-schema.json * fix json formatting --------- Co-authored-by: Ruben Groenewoud <[email protected]> Co-authored-by: Colson Wilhoit <[email protected]> Co-authored-by: Terrance DeJesus <[email protected]> Co-authored-by: Justin Ibarra <[email protected]> Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit 4424358)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 22, 2024
* [New Rules] UEBA GItHub BBRs and Rules A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules. * Update rules/integrations/github/impact_github_member_removed_from_organization.toml * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * edited BBR rules -removed newly added member rule * updated integration manifests and schemas * Updated min_stack for some rules based on newest GitHub integration schema manifest * testing min_stack bump to 8.8 for new fields * removing offending rule to troubleshoot seperately * added UEBA tags and created UEBA threshold rule * updated non-ecs-schema to add signal.rule.tags * updated non-ecs-schema with kibana.alert.workflow_status * updated rule.threat.tactic * added user.name to non-ecs-schema * added quotes to kibana.alert.workflow_status value * removed trailing space from rule name * update tags and optimize query for UEBA threshold rule * removed integration field from Higher-Order rule * Apply suggestions from code review Co-authored-by: Terrance DeJesus <[email protected]> * adjusted new_terms order and rule types based on review feedback * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * remove user.name from detection_rules/etc/non-ecs-schema.json * fix json formatting --------- Co-authored-by: Ruben Groenewoud <[email protected]> Co-authored-by: Colson Wilhoit <[email protected]> Co-authored-by: Terrance DeJesus <[email protected]> Co-authored-by: Justin Ibarra <[email protected]> Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit 4424358)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 22, 2024
* [New Rules] UEBA GItHub BBRs and Rules A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules. * Update rules/integrations/github/impact_github_member_removed_from_organization.toml * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * edited BBR rules -removed newly added member rule * updated integration manifests and schemas * Updated min_stack for some rules based on newest GitHub integration schema manifest * testing min_stack bump to 8.8 for new fields * removing offending rule to troubleshoot seperately * added UEBA tags and created UEBA threshold rule * updated non-ecs-schema to add signal.rule.tags * updated non-ecs-schema with kibana.alert.workflow_status * updated rule.threat.tactic * added user.name to non-ecs-schema * added quotes to kibana.alert.workflow_status value * removed trailing space from rule name * update tags and optimize query for UEBA threshold rule * removed integration field from Higher-Order rule * Apply suggestions from code review Co-authored-by: Terrance DeJesus <[email protected]> * adjusted new_terms order and rule types based on review feedback * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * remove user.name from detection_rules/etc/non-ecs-schema.json * fix json formatting --------- Co-authored-by: Ruben Groenewoud <[email protected]> Co-authored-by: Colson Wilhoit <[email protected]> Co-authored-by: Terrance DeJesus <[email protected]> Co-authored-by: Justin Ibarra <[email protected]> Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit 4424358)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 22, 2024
* [New Rules] UEBA GItHub BBRs and Rules A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules. * Update rules/integrations/github/impact_github_member_removed_from_organization.toml * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * edited BBR rules -removed newly added member rule * updated integration manifests and schemas * Updated min_stack for some rules based on newest GitHub integration schema manifest * testing min_stack bump to 8.8 for new fields * removing offending rule to troubleshoot seperately * added UEBA tags and created UEBA threshold rule * updated non-ecs-schema to add signal.rule.tags * updated non-ecs-schema with kibana.alert.workflow_status * updated rule.threat.tactic * added user.name to non-ecs-schema * added quotes to kibana.alert.workflow_status value * removed trailing space from rule name * update tags and optimize query for UEBA threshold rule * removed integration field from Higher-Order rule * Apply suggestions from code review Co-authored-by: Terrance DeJesus <[email protected]> * adjusted new_terms order and rule types based on review feedback * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * remove user.name from detection_rules/etc/non-ecs-schema.json * fix json formatting --------- Co-authored-by: Ruben Groenewoud <[email protected]> Co-authored-by: Colson Wilhoit <[email protected]> Co-authored-by: Terrance DeJesus <[email protected]> Co-authored-by: Justin Ibarra <[email protected]> Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit 4424358)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 22, 2024
* [New Rules] UEBA GItHub BBRs and Rules A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules. * Update rules/integrations/github/impact_github_member_removed_from_organization.toml * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * edited BBR rules -removed newly added member rule * updated integration manifests and schemas * Updated min_stack for some rules based on newest GitHub integration schema manifest * testing min_stack bump to 8.8 for new fields * removing offending rule to troubleshoot seperately * added UEBA tags and created UEBA threshold rule * updated non-ecs-schema to add signal.rule.tags * updated non-ecs-schema with kibana.alert.workflow_status * updated rule.threat.tactic * added user.name to non-ecs-schema * added quotes to kibana.alert.workflow_status value * removed trailing space from rule name * update tags and optimize query for UEBA threshold rule * removed integration field from Higher-Order rule * Apply suggestions from code review Co-authored-by: Terrance DeJesus <[email protected]> * adjusted new_terms order and rule types based on review feedback * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * remove user.name from detection_rules/etc/non-ecs-schema.json * fix json formatting --------- Co-authored-by: Ruben Groenewoud <[email protected]> Co-authored-by: Colson Wilhoit <[email protected]> Co-authored-by: Terrance DeJesus <[email protected]> Co-authored-by: Justin Ibarra <[email protected]> Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit 4424358)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 22, 2024
* [New Rules] UEBA GItHub BBRs and Rules A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules. * Update rules/integrations/github/impact_github_member_removed_from_organization.toml * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * edited BBR rules -removed newly added member rule * updated integration manifests and schemas * Updated min_stack for some rules based on newest GitHub integration schema manifest * testing min_stack bump to 8.8 for new fields * removing offending rule to troubleshoot seperately * added UEBA tags and created UEBA threshold rule * updated non-ecs-schema to add signal.rule.tags * updated non-ecs-schema with kibana.alert.workflow_status * updated rule.threat.tactic * added user.name to non-ecs-schema * added quotes to kibana.alert.workflow_status value * removed trailing space from rule name * update tags and optimize query for UEBA threshold rule * removed integration field from Higher-Order rule * Apply suggestions from code review Co-authored-by: Terrance DeJesus <[email protected]> * adjusted new_terms order and rule types based on review feedback * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * remove user.name from detection_rules/etc/non-ecs-schema.json * fix json formatting --------- Co-authored-by: Ruben Groenewoud <[email protected]> Co-authored-by: Colson Wilhoit <[email protected]> Co-authored-by: Terrance DeJesus <[email protected]> Co-authored-by: Justin Ibarra <[email protected]> Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit 4424358)
protectionsmachine
pushed a commit
that referenced
this pull request
Jan 22, 2024
* [New Rules] UEBA GItHub BBRs and Rules A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules. * Update rules/integrations/github/impact_github_member_removed_from_organization.toml * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * edited BBR rules -removed newly added member rule * updated integration manifests and schemas * Updated min_stack for some rules based on newest GitHub integration schema manifest * testing min_stack bump to 8.8 for new fields * removing offending rule to troubleshoot seperately * added UEBA tags and created UEBA threshold rule * updated non-ecs-schema to add signal.rule.tags * updated non-ecs-schema with kibana.alert.workflow_status * updated rule.threat.tactic * added user.name to non-ecs-schema * added quotes to kibana.alert.workflow_status value * removed trailing space from rule name * update tags and optimize query for UEBA threshold rule * removed integration field from Higher-Order rule * Apply suggestions from code review Co-authored-by: Terrance DeJesus <[email protected]> * adjusted new_terms order and rule types based on review feedback * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <[email protected]> * remove user.name from detection_rules/etc/non-ecs-schema.json * fix json formatting --------- Co-authored-by: Ruben Groenewoud <[email protected]> Co-authored-by: Colson Wilhoit <[email protected]> Co-authored-by: Terrance DeJesus <[email protected]> Co-authored-by: Justin Ibarra <[email protected]> Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit 4424358)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issues
https://github.com/elastic/ia-trade-team/issues/165
Summary
A new set of BBRs and rules that will be used to trigger a new UEBA GitHub threshold Rule.