[New Rules] UEBA GitHub BBRs and Rules #3174

Merged
merged 35 commits into from
Jan 22, 2024
35 commits
5cf514a
[New Rules] UEBA GitHub BBRs and Rules
imays11 Oct 12, 2023
217c5ae
Update rules/integrations/github/impact_github_member_removed_from_or…
Aegrah Oct 17, 2023
3b38def
Apply suggestions from code review
imays11 Oct 18, 2023
d3bb722
edited BBR rules
imays11 Oct 18, 2023
2f1653d
Merge branch 'main' into github_ueba_rules
imays11 Oct 19, 2023
2f6cca2
Merge branch 'main' into github_ueba_rules
imays11 Oct 23, 2023
b9534ec
updated integration manifests and schemas
imays11 Oct 23, 2023
238a6a7
Merge branch 'main' into github_ueba_rules
imays11 Oct 23, 2023
ffa4d17
Updated min_stack for some rules based on newest GitHub integration s…
imays11 Oct 23, 2023
de5fb96
Merge branch 'github_ueba_rules' of https://github.com/elastic/detect…
imays11 Oct 23, 2023
d359004
testing min_stack bump to 8.8 for new fields
imays11 Oct 23, 2023
b875a1b
removing offending rule to troubleshoot separately
imays11 Oct 24, 2023
9d7db63
Merge branch 'main' into github_ueba_rules
DefSecSentinel Oct 27, 2023
d964d95
added UEBA tags and created UEBA threshold rule
imays11 Dec 14, 2023
92df336
Merge branch 'main' into github_ueba_rules
imays11 Dec 14, 2023
1cddd32
updated non-ecs-schema to add signal.rule.tags
imays11 Dec 14, 2023
b38c279
updated non-ecs-schema with kibana.alert.workflow_status
imays11 Dec 14, 2023
b5cfd30
updated rule.threat.tactic
imays11 Dec 14, 2023
421ffef
added user.name to non-ecs-schema
imays11 Dec 14, 2023
e9f5bbb
added quotes to kibana.alert.workflow_status value
imays11 Dec 14, 2023
5893a72
removed trailing space from rule name
imays11 Dec 14, 2023
cde9081
update tags and optimize query for UEBA threshold rule
imays11 Dec 15, 2023
d4a88c6
Merge branch 'main' into github_ueba_rules
imays11 Dec 18, 2023
f97c6ea
removed integration field from Higher-Order rule
imays11 Dec 19, 2023
d6032d1
Apply suggestions from code review
imays11 Dec 20, 2023
099e65f
Merge branch 'main' into github_ueba_rules
imays11 Dec 21, 2023
826137c
adjusted new_terms order and rule types based on review feedback
imays11 Dec 21, 2023
5f58a4d
Apply suggestions from code review
imays11 Jan 3, 2024
8d57cfd
Merge branch 'main' into github_ueba_rules
imays11 Jan 3, 2024
9590630
Merge branch 'main' into github_ueba_rules
DefSecSentinel Jan 5, 2024
a173f8d
remove user.name from detection_rules/etc/non-ecs-schema.json
imays11 Jan 17, 2024
b0a2415
Merge branch 'main' into github_ueba_rules
imays11 Jan 17, 2024
e16f7d2
fix json formatting
brokensound77 Jan 17, 2024
ff74386
Merge branch 'main' into github_ueba_rules
Mikaayenson Jan 22, 2024
0c032e7
Merge branch 'main' into github_ueba_rules
imays11 Jan 22, 2024
45 changes: 45 additions & 0 deletions rules/integrations/github/execution_github_app_deleted.toml
@@ -0,0 +1,45 @@
[metadata]
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/11"

[rule]
author = ["Elastic"]
description = """
Detects the deletion of a GitHub app either from a repo or an organization.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "GitHub App Deleted"
risk_score = 21
rule_id = "fd01b949-81be-46d5-bcf8-284395d5f56d"
severity = "low"
tags = ["Domain: Cloud",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Github"
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type== "deletion"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1648"
name = "Serverless Execution"
reference = "https://attack.mitre.org/techniques/T1648/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
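Review bot: `event.type== "deletion"` in the query is missing the space before `==`; the other comparisons in the same line (`event.dataset == "github.audit"`, `github.category == "integration_installation"`) are written `field == value`, so use `event.type == "deletion"` for consistency and readability. A second point on the ATT&CK mapping: the description says the rule detects the deletion of a GitHub app, yet the threat block maps it to TA0002 Execution / T1648 Serverless Execution, which covers an adversary running code through such an app, not removing one. Either say in the description why deleting an integration is treated as execution, or map it to the tactic that matches the behaviour being detected.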
@@ -0,0 +1,45 @@
[metadata]
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/11"

[rule]
author = ["Elastic"]
description = """
A member was removed or their invitation to join was removed from a GitHub Organization.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "Member Removed From GitHub Organization"
risk_score = 21
rule_id = "095b6a58-8f88-4b59-827c-ab584ad4e759"
severity = "low"
tags = ["Domain: Cloud",
"Use Case: Threat Detection",
"Tactic: Impact",
"Data Source: Github"
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
onfiguration where event.dataset == "github.audit" and event.action == "org.remove_member"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1531"
name = "Account Access Removal"
reference = "https://attack.mitre.org/techniques/T1531/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
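Review bot: the query body reads `onfiguration where event.dataset == "github.audit" and event.action == "org.remove_member"`; the leading `c` of `configuration` has been lost, so this EQL will not validate (every other EQL rule in the changeset starts with `configuration where`). Restore it as `configuration where event.dataset == "github.audit" and event.action == "org.remove_member"` before merging.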
@@ -0,0 +1,48 @@
[metadata]
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/11"

[rule]
author = ["Elastic"]
description = """
A new user was added to a GitHub organization.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "New User Added To GitHub Organization"
risk_score = 21
rule_id = "61336fe6-c043-4743-ab6e-41292f439603"
severity = "low"
tags = ["Domain: Cloud",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Github"
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
configuration where event.dataset == "github.audit" and event.action == "org.add_member"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.001"
name = "Additional Cloud Credentials"
reference = "https://attack.mitre.org/techniques/T1098/001/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
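Review bot: the sub-technique block `T1098.001` "Additional Cloud Credentials" does not describe what the query matches; `event.action == "org.add_member"` is a user being added to an organization, not a credential being attached to an existing account. Keep the parent technique T1098 Account Manipulation (or consider T1136 Create Account, which is the usual mapping for a new org member) and drop the `[[rule.threat.technique.subtechnique]]` block so the mapping does not mislead analysts triaging the alert.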
@@ -0,0 +1,50 @@
[metadata]
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/11"
bypass_bbr_timing = true

[rule]
author = ["Elastic"]
description = """
Detects a high number of repo clone events originating from a single personal access token within a 5 minute interval.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "High Number of Cloned GitHub Repos From PAT"
risk_score = 21
rule_id = "fb0afac5-bbd6-49b0-b4f8-44e5381e1587"
severity = "low"
tags = ["Domain: Cloud",
"Use Case: Threat Detection",
"Tactic: Execution",
"Rule Type: BBR",
"Data Source: Github"
]
timestamp_override = "event.ingested"
type = "eql"
building_block_type = "default"

query = '''
sequence by github.hashed_token with maxspan=5m
[configuration where event.dataset == "github.audit" and event.action == "git.clone"
and github.programmatic_access_type in ("OAuth access token", "Fine-grained personal access token")] with runs=25
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1648"
name = "Serverless Execution"
reference = "https://attack.mitre.org/techniques/T1648/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
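Review bot: the name ("From PAT") and the description ("a single personal access token") are narrower than the filter, since `github.programmatic_access_type in ("OAuth access token", "Fine-grained personal access token")` also matches OAuth tokens; either say "token" in the name and description or trim the `in` list to the PAT value you intend. On the mapping, bulk `git.clone` activity is collection of source code rather than execution, so T1213.003 Code Repositories fits better than T1648 Serverless Execution. Finally, `with runs=25` inside a 5 minute `maxspan` is the entire detection; a short note in the description on how that threshold was chosen will make later tuning much easier.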
@@ -0,0 +1,59 @@
[metadata]
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/10/11"
bypass_bbr_timing = true

[rule]
author = ["Elastic"]
description = """
Detects a new application interaction event for a GitHub PAT not seen in the last 30 days.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "New Application Interaction For GitHub PAT"
risk_score = 21
rule_id = "9dc8ffb9-90ff-4fd1-8d25-1823eb347dad"
severity = "low"
tags = ["Domain: Cloud",
"Use Case: Threat Detection",
"Tactic: Execution",
"Rule Type: BBR",
"Data Source: Github"
]
timestamp_override = "event.ingested"
type = "new_terms"
building_block_type = "default"

query = '''
event.dataset: "github.audit" and event.category : "configuration" and
github.integration:* and github.hashed_token:*
and github.programmatic_access_type : ("OAuth access token" or "Fine-grained personal access token")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1648"
name = "Serverless Execution"
reference = "https://attack.mitre.org/techniques/T1648/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"


[rule.new_terms]
field = "new_terms_fields"
value = ["github.integration", "github.hashed_token"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-30d"
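Review bot: with two `new_terms_fields` (`github.integration`, `github.hashed_token`) the rule fires on a previously unseen combination of integration and token, not on a token that is new on its own; the description "a new application interaction event for a GitHub PAT not seen in the last 30 days" should say that the pair is what is new, so analysts do not expect alerts only for never-before-seen tokens. Minor: the query mixes `event.dataset: "github.audit"` and `event.category : "configuration"` spacing; pick one style for the three new-terms rules.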
@@ -0,0 +1,59 @@
[metadata]
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/10/11"
bypass_bbr_timing = true

[rule]
author = ["Elastic"]
description = """
Detects a new event.action for a GitHub PAT not seen in the last 30 days.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "New event.action For A GitHub PAT"
risk_score = 21
rule_id = "ce08b55a-f67d-4804-92b5-617b0fe5a5b5"
severity = "low"
tags = ["Domain: Cloud",
"Use Case: Threat Detection",
"Tactic: Execution",
"Rule Type: BBR",
"Data Source: Github"
]
timestamp_override = "event.ingested"
type = "new_terms"
building_block_type = "default"

query = '''
event.dataset: "github.audit" and event.category : "configuration" and
event.action:* and github.hashed_token:*
and github.programmatic_access_type : ("OAuth access token" or "Fine-grained personal access token")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1648"
name = "Serverless Execution"
reference = "https://attack.mitre.org/techniques/T1648/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"


[rule.new_terms]
field = "new_terms_fields"
value = ["event.action", "github.hashed_token"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-30d"
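Review bot: the rule name `New event.action For A GitHub PAT` puts a raw field name in a user-facing title; the sibling rules use plain words (`New Application Interaction For GitHub PAT`, `New Repo Interaction For GitHub PAT`), so something like `New Event Action For A GitHub PAT` keeps the set consistent. Apart from `event.action` replacing `github.integration` in the query and in `new_terms_fields`, this file is a copy of the previous rule, so any change to the shared filter on `github.programmatic_access_type` will need to be made in all three places.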
@@ -0,0 +1,59 @@
[metadata]
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/10/11"
bypass_bbr_timing = true

[rule]
author = ["Elastic"]
description = """
Detects a new repo interaction for a GitHub PAT not seen in the last 30 days.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "New Repo Interaction For GitHub PAT"
risk_score = 21
rule_id = "1e9b271c-8caa-4e20-aed8-e91e34de9283"
severity = "low"
tags = ["Domain: Cloud",
"Use Case: Threat Detection",
"Tactic: Execution",
"Rule Type: BBR",
"Data Source: Github"
]
timestamp_override = "event.ingested"
type = "new_terms"
building_block_type = "default"

query = '''
event.dataset: "github.audit" and event.category : "configuration"
and github.repo:* and github.hashed_token:*
and github.programmatic_access_type : ("OAuth access token" or "Fine-grained personal access token")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1648"
name = "Serverless Execution"
reference = "https://attack.mitre.org/techniques/T1648/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"


[rule.new_terms]
field = "new_terms_fields"
value = ["github.repo", "github.hashed_token"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-30d"
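Review bot: `bypass_bbr_timing = true` is set in `[metadata]` alongside `from = "now-9m"`, which means the usual building-block scheduling check is being skipped on purpose, and all four BBRs in this changeset set it without saying why; a sentence in the PR description or in `min_stack_comments` would save the next reviewer from asking. Minor formatting: here the query breaks with `and github.repo:*` at the start of the second line, while the sibling rules end the first line with `and`; align the three queries.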