[New Rules] UEBA GItHub BBRs and Rules #3174

Merged
merged 35 commits into from
Jan 22, 2024
Merged
Changes from 32 commits
Commits
35 commits
5cf514a
[New Rules] UEBA GItHub BBRs and Rules
imays11 Oct 12, 2023
217c5ae
Update rules/integrations/github/impact_github_member_removed_from_or…
Aegrah Oct 17, 2023
3b38def
Apply suggestions from code review
imays11 Oct 18, 2023
d3bb722
edited BBR rules
imays11 Oct 18, 2023
2f1653d
Merge branch 'main' into github_ueba_rules
imays11 Oct 19, 2023
2f6cca2
Merge branch 'main' into github_ueba_rules
imays11 Oct 23, 2023
b9534ec
updated integration manifests and schemas
imays11 Oct 23, 2023
238a6a7
Merge branch 'main' into github_ueba_rules
imays11 Oct 23, 2023
ffa4d17
Updated min_stack for some rules based on newest GitHub integration s…
imays11 Oct 23, 2023
de5fb96
Merge branch 'github_ueba_rules' of https://github.com/elastic/detect…
imays11 Oct 23, 2023
d359004
testing min_stack bump to 8.8 for new fields
imays11 Oct 23, 2023
b875a1b
removing offending rule to troubleshoot seperately
imays11 Oct 24, 2023
9d7db63
Merge branch 'main' into github_ueba_rules
DefSecSentinel Oct 27, 2023
d964d95
added UEBA tags and created UEBA threshold rule
imays11 Dec 14, 2023
92df336
Merge branch 'main' into github_ueba_rules
imays11 Dec 14, 2023
1cddd32
updated non-ecs-schema to add signal.rule.tags
imays11 Dec 14, 2023
b38c279
updated non-ecs-schema with kibana.alert.workflow_status
imays11 Dec 14, 2023
b5cfd30
updated rule.threat.tactic
imays11 Dec 14, 2023
421ffef
added user.name to non-ecs-schema
imays11 Dec 14, 2023
e9f5bbb
added quotes to kibana.alert.workflow_status value
imays11 Dec 14, 2023
5893a72
removed trailing space from rule name
imays11 Dec 14, 2023
cde9081
update tags and optimize query for UEBA threshold rule
imays11 Dec 15, 2023
d4a88c6
Merge branch 'main' into github_ueba_rules
imays11 Dec 18, 2023
f97c6ea
removed integration field from Higher-Order rule
imays11 Dec 19, 2023
d6032d1
Apply suggestions from code review
imays11 Dec 20, 2023
099e65f
Merge branch 'main' into github_ueba_rules
imays11 Dec 21, 2023
826137c
adjusted new_terms order and rule types based on review feedback
imays11 Dec 21, 2023
5f58a4d
Apply suggestions from code review
imays11 Jan 3, 2024
8d57cfd
Merge branch 'main' into github_ueba_rules
imays11 Jan 3, 2024
9590630
Merge branch 'main' into github_ueba_rules
DefSecSentinel Jan 5, 2024
a173f8d
remove user.name from detection_rules/etc/non-ecs-schema.json
imays11 Jan 17, 2024
b0a2415
Merge branch 'main' into github_ueba_rules
imays11 Jan 17, 2024
e16f7d2
fix json formatting
brokensound77 Jan 17, 2024
ff74386
Merge branch 'main' into github_ueba_rules
Mikaayenson Jan 22, 2024
0c032e7
Merge branch 'main' into github_ueba_rules
imays11 Jan 22, 2024
4 changes: 3 additions & 1 deletion detection_rules/etc/non-ecs-schema.json
Expand Up @@ -115,9 +115,11 @@
},
".alerts-security.*": {
"signal.rule.name": "keyword",
"signal.rule.tags": "keyword",
"signal.rule.threat.tactic.name": "keyword",
"kibana.alert.rule.threat.tactic.id": "keyword",
"kibana.alert.rule.rule_id": "keyword"
"kibana.alert.workflow_status": "keyword",
"kibana.alert.rule.rule_id": "keyword",
},
"logs-google_workspace*": {
"gsuite.admin": "keyword",
Expand Down
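--- a/rules/integrations/github/execution_github_app_deleted.toml
+++ b/rules/integrations/github/execution_github_app_deleted.toml
@@ -0,0 +1,45 @@
+[metadata]
+creation_date = "2023/10/11"
+integration = ["github"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects the deletion of a GitHub app either from a repo or an organization.
+"""
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "GitHub App Deleted"
+risk_score = 21
+rule_id = "fd01b949-81be-46d5-bcf8-284395d5f56d"
+severity = "low"
+tags = ["Domain: Cloud",
+"Use Case: Threat Detection",
+"Tactic: Execution",
+"Data Source: Github"
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1648"
+name = "Serverless Execution"
+reference = "https://attack.mitre.org/techniques/T1648/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"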
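Review bot: The `tags` array under `[rule]` is written with the first element on the `tags =` line and the remaining elements and the closing `]` at column 0, which matches neither the single-line form the repository's existing rules use (the context lines elsewhere in this PR still show `tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Github"]`) nor the usual one-element-per-line layout with each element indented and a trailing comma. Either keep it on one line, `tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github"]`, or indent every element; the same layout is repeated in every other rule file in this PR (the cloned-repos threshold rule, the higher-order UEBA rule, the repository-deleted, owner-added and owner-role rules, and both PAT first-occurrence BBRs), so whichever form is chosen should be applied to all of them. The two consecutive blank lines between the `[[rule.threat.technique]]` block and `[rule.threat.tactic]` should be collapsed to one, and the same doubled blank lines appear in the other new files.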
@@ -0,0 +1,56 @@
[metadata]
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
min_stack_comments = "New fields added to GitHub Integration"
min_stack_version = "8.8.0"
updated_date = "2023/12/14"

[rule]
author = ["Elastic"]
description = """
Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.
"""
from = "now-6m"
index = ["logs-github.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "High Number of Cloned GitHub Repos From PAT"
risk_score = 21
rule_id = "fb0afac5-bbd6-49b0-b4f8-44e5381e1587"
severity = "low"
tags = ["Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Execution",
"Data Source: Github"
]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
event.dataset:"github.audit" and event.category:"configuration" and event.action:"git.clone" and
github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and
github.repository_public:false
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1648"
name = "Serverless Execution"
reference = "https://attack.mitre.org/techniques/T1648/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[rule.threshold]
field = ["github.hashed_token"]
value = 1

[[rule.threshold.cardinality]]
field = "github.repo"
value = 10
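Review bot: The ATT&CK mapping in `[[rule.threat]]` does not describe what the query detects: ten or more `git.clone` events of private repositories from a single token is collection of source code, which ATT&CK covers under T1213.003 (Data from Information Repositories: Code Repositories, tactic TA0009 Collection), whereas T1648 Serverless Execution is about abuse of serverless compute. If the mapping is changed, the `Tactic: Execution` tag should change with it. The description also says "a high number" and "a short time period" without stating the actual parameters; suggest `Detects 10 or more unique private repository clone events from a single personal access token within a 6 minute window.` so an analyst knows what caused the alert. The name and description say PAT while the filter also accepts `"OAuth access token"`; if that is how classic PATs are labelled in `github.programmatic_access_type`, a one-line comment above the query saying so would save the next reader a lookup.
```toml
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1213"
name = "Data from Information Repositories"
reference = "https://attack.mitre.org/techniques/T1213/"
[[rule.threat.technique.subtechnique]]
id = "T1213.003"
name = "Code Repositories"
reference = "https://attack.mitre.org/techniques/T1213/003/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

# … unchanged: [rule.threshold] and [[rule.threshold.cardinality]] …
```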
@@ -0,0 +1,52 @@
[metadata]
creation_date = "2023/12/14"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/18"

[rule]
author = ["Elastic"]
description = """
This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to
determine when multiple alerts are executed by the same user in a timespan of one hour.
Analysts can use this to prioritize triage and response, as these alerts are a higher indicator of compromised user
accounts or PATs.
"""
from = "now-60m"
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "GitHub UEBA - Multiple Alerts from a GitHub Account"
risk_score = 47
rule_id = "929223b4-fba3-4a1c-a943-ec4716ad23ec"
severity = "medium"
tags = ["Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Execution",
"Rule Type: Higher-Order Rule",
"Data Source: Github"
]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open"
Contributor

@terrancedejesus terrancedejesus Dec 19, 2023


I'd caution against using tags as part of detection logic. The tags follow a format that is specific to TRaDE, whereas upstream there are no standardization requirements. As a result, we would be assuming that prebuilt or custom rules HAVE to carry these tags.

As a possible alternative, the alert schema does carry event.dataset in documents within the .alerts-security.* data view or index patterns. As a result, we can search in alert documents for event.dataset:github and find the same documents. event.dataset is in ECS, therefore we are safe to assume this will be consistent.

Contributor Author


@terrancedejesus what would you suggest for the "Use Case: UEBA" tag that distinguishes which rules should be part of the threshold?

Contributor


Yes @terrancedejesus, this is something we have also explored. We ended up settling (for now) on leveraging the UEBA tag in conjunction with either another tag or, as you mention, an event.dataset value. As far as we know, there are for now no other reliable methods of applying this filter, unless we add a specific new field to the rule: a boolean for whether or not a rule is part of a UEBA pack.

'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[rule.threshold]
field = ["user.name"]
value = 1

[[rule.threshold.cardinality]]
field = "signal.rule.name"
value = 5
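Review bot: The query and the threshold mix two alert field namespaces: `signal.rule.tags` in the query and `signal.rule.name` as the cardinality field are the legacy `signal.*` aliases, while `kibana.alert.workflow_status` on the same line is the current `kibana.alert.*` schema. The alert index exposes the same values as `kibana.alert.rule.tags` and `kibana.alert.rule.name`, so the rule can be written entirely in the current namespace and stop depending on the aliases (and on the `signal.rule.*` entries this PR adds to `non-ecs-schema.json`): `kibana.alert.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open"` in the query and `field = "kibana.alert.rule.name"` under `[[rule.threshold.cardinality]]`. This is independent of whether rules are selected by tag or by `event.dataset`, which the thread above covers. Note that the `query` value is split on this page by the review thread; its closing `'''` comes after the comments.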
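--- a/rules/integrations/github/impact_github_repository_deleted.toml
+++ b/rules/integrations/github/impact_github_repository_deleted.toml
@@ -4,7 +4,7 @@ integration = ["github"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/29"
+updated_date = "2023/12/14"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,12 @@ name = "GitHub Repository Deleted"
 risk_score = 47
 rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b"
 severity = "medium"
-tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Github"]
+tags = ["Domain: Cloud",
+"Use Case: Threat Detection",
+"Use Case: UEBA",
+"Tactic: Impact",
+"Data Source: Github"
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
@@ -44,4 +49,3 @@ reference = "https://attack.mitre.org/techniques/T1485/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
-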
Expand Up @@ -4,7 +4,7 @@ integration = ["github"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/11"
updated_date = "2023/12/14"

[rule]
author = ["Elastic"]
Expand All @@ -21,7 +21,12 @@ name = "New GitHub Owner Added"
risk_score = 47
rule_id = "24401eca-ad0b-4ff9-9431-487a8e183af9"
severity = "medium"
tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Github"]
tags = ["Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Persistence",
"Data Source: Github"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
Expand Down
Expand Up @@ -4,7 +4,7 @@ integration = ["github"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/11"
updated_date = "2023/12/14"

[rule]
author = ["Elastic"]
Expand All @@ -21,7 +21,12 @@ name = "GitHub Owner Role Granted To User"
risk_score = 47
rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4"
severity = "medium"
tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Github"]
tags = ["Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Persistence",
"Data Source: Github"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
Expand Down
@@ -0,0 +1,60 @@
[metadata]
bypass_bbr_timing = true
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
min_stack_comments = "New fields added to GitHub Integration"
min_stack_version = "8.8.0"
updated_date = "2023/12/14"

[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "First Occurrence GitHub Event for a Personal Access Token (PAT)"
risk_score = 21
rule_id = "ce08b55a-f67d-4804-92b5-617b0fe5a5b5"
severity = "low"
tags = ["Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Execution",
"Rule Type: BBR",
"Data Source: Github"
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset:"github.audit" and event.category:"configuration" and
event.action:* and github.hashed_token:* and
github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1648"
name = "Serverless Execution"
reference = "https://attack.mitre.org/techniques/T1648/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"


[rule.new_terms]
field = "new_terms_fields"
value = ["github.hashed_token", "event.action"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
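Review bot: The description understates what this BBR alerts on: it says `a first occurrence event for a personal access token (PAT) not seen in the last 14 days`, but `new_terms_fields` is `["github.hashed_token", "event.action"]`, so the rule fires on the first sighting of each token/action pair, and a long-known token performing an action type it has not performed in the 14-day window also produces an alert. Suggest `Detects the first occurrence of a given audit event action for a personal access token (PAT) within the last 14 days, which includes any PAT not seen at all in that window.` so that whoever chains this BBR into the higher-order rule knows what one alert means. The `event.action:*` and `github.hashed_token:*` clauses are reasonable existence filters for the two new-terms fields and can stay as they are.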
@@ -0,0 +1,61 @@
[metadata]
bypass_bbr_timing = true
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
min_stack_comments = "New fields added to GitHub Integration"
min_stack_version = "8.8.0"
updated_date = "2023/12/14"

[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Detects a new private repo interaction for a GitHub PAT not seen in the last 14 days.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)"
risk_score = 21
rule_id = "1e9b271c-8caa-4e20-aed8-e91e34de9283"
severity = "low"
tags = ["Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Execution",
"Rule Type: BBR",
"Data Source: Github"
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset:"github.audit" and event.category:"configuration" and
github.repo:* and github.hashed_token:* and
github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and
github.repository_public:false
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1648"
name = "Serverless Execution"
reference = "https://attack.mitre.org/techniques/T1648/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"


[rule.new_terms]
field = "new_terms_fields"
value = ["github.hashed_token", "github.repo"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"