High Number of Cloned GitHub Repos From PAT

Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.


# Elastic prebuilt threshold rule for the GitHub integration: flags a single
# programmatic token (OAuth access token or fine-grained PAT) that clones many
# distinct private repositories within one rule window.
[metadata]
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
updated_date = "2024/12/10"
# Stack floor is tied to the integration change named in min_stack_comments;
# on older stacks the github.* fields used below may not be mapped the same way.
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."

[rule]
author = ["Elastic"]
description = """
Detects a high number of unique private repo clone events originating from a single personal access token within a short
time period.
"""
# Lookback per execution. The "short time period" in the description is this
# window: the threshold below is evaluated over events from the last 6 minutes.
# No `interval` key is set in this file, so the scheduler's default applies —
# TODO confirm the window overlaps the interval enough to avoid gaps.
from = "now-6m"
index = ["logs-github.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "High Number of Cloned GitHub Repos From PAT"
# 21 is the score Elastic pairs with severity "low".
risk_score = 21
rule_id = "fb0afac5-bbd6-49b0-b4f8-44e5381e1587"
severity = "low"
tags = [
    "Domain: Cloud",
    "Use Case: Threat Detection",
    "Use Case: UEBA",
    "Tactic: Execution",
    "Data Source: Github",
]
# Evaluate the window against ingest time instead of the event's own timestamp,
# so audit records that reach the cluster late are still counted.
timestamp_override = "event.ingested"
type = "threshold"

# Candidate events, before thresholding:
#   - GitHub audit-log entries for git clone operations;
#   - performed with an OAuth access token or a fine-grained PAT. Any other
#     programmatic_access_type value (e.g. a classic PAT, if the integration
#     reports one under a different label) is NOT matched — confirm this is
#     intended, since the rule name says "PAT" generally;
#   - against private repositories only (repository_public:false), so routine
#     cloning of public repos does not contribute to the count.
query = '''
event.dataset:"github.audit" and event.category:"configuration" and event.action:"git.clone" and
github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and
github.repository_public:false
'''

# ATT&CK mapping as authored. NOTE(review): T1648 (Serverless Execution) is the
# author's choice; whether it is the best fit for a bulk-clone pattern is a
# judgement for the rule owner and is left unchanged here.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1648"
name = "Serverless Execution"
reference = "https://attack.mitre.org/techniques/T1648/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

# Threshold semantics: group matching events by the hashed token (value = 1
# means any token with at least one match is a candidate), then alert only when
# that token's events span at least 10 distinct repositories within the window.
# Tune the cardinality value to the org's normal per-token clone fan-out (CI
# runners and mirroring jobs are the usual benign source of high counts). The
# alert keys on the token hash, not a user — presumably the actor must be read
# from the underlying audit events during triage; verify against the integration's
# field set.
[rule.threshold]
field = ["github.hashed_token"]
value = 1
[[rule.threshold.cardinality]]
field = "github.repo"
value = 10

