GitHub Protected Branch Settings Changed

This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules enforce workflow requirements (for example, required pull-request reviews or passing status checks) before a contributor can push changes to a branch in your repository. Changes to these protected branch settings should be investigated and verified as legitimate activity, since they are also routine administrative actions. Unauthorized changes could be used to lower your organization's security posture — for instance, by relaxing review or status-check requirements so that unreviewed code can reach a protected branch — and leave you exposed to future attacks.


# Elastic prebuilt detection rule. It watches the GitHub audit-log integration
# (logs-github.audit-*) for branch-protection changes and maps them to
# ATT&CK T1562.001 (Impair Defenses: Disable or Modify Tools), treating
# branch protection as a defensive control an attacker may weaken.
[metadata]
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
# Records why min_stack_version was raised. The fields it names are not
# present in this listing — presumably populated by the rule tooling at
# build/release time (TODO confirm against the rules repository schema).
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/30"

[rule]
author = ["Elastic"]
description = """
This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules 
can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in 
your repository. Changes to these protected branch settings should be investigated and verified as legitimate 
activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed 
for future attacks. 
"""
# Look-back window per rule execution. The scheduling interval is not set
# here, so presumably the default applies; the window is wider than that
# interval to tolerate ingest lag without dropping events — confirm.
from = "now-9m"
# Only the GitHub integration's audit-log data stream is searched.
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "GitHub Protected Branch Settings Changed"
# Medium: a protection change is a meaningful signal but is also ordinary
# repository administration, so it warrants analyst triage rather than an
# automatic response.
risk_score = 47
rule_id = "07639887-da3a-4fbf-9532-8ce748ff8c50"
severity = "medium"
tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Github"]
# Evaluate the look-back window against ingest time rather than the event's
# own timestamp so late-arriving audit records are not missed.
timestamp_override = "event.ingested"
type = "eql"
# Single-event EQL match: any github.audit document in the protected_branch
# category whose event.type is "change".
# NOTE(review): this only fires on modifications. A protection rule being
# deleted outright may be mapped to a different event.type by the integration
# and would then not match — confirm against the integration's ECS mapping,
# because removing protection is at least as security-relevant as weakening
# it. The query also does not distinguish which setting changed or who
# changed it; triage should inspect the action and actor fields of the
# matched document.
query = '''
configuration where event.dataset == "github.audit" 
  and github.category == "protected_branch" and event.type == "change" 
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
# Branch protection is modelled as a defensive tool; weakening or disabling
# it is the sub-technique below.
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



# Tactic table for this [[rule.threat]] entry; it must stay after the
# technique entries of the same element, as required for TOML sub-tables.
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

