High Number of Cloned GitHub Repos From PAT

Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/10/11"
 3integration = ["github"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Detects a high number of unique private repo clone events originating from a single personal access token within a short
11time period.
12"""
13from = "now-6m"
14index = ["logs-github.audit-*"]
15language = "kuery"
16license = "Elastic License v2"
17name = "High Number of Cloned GitHub Repos From PAT"
18risk_score = 21
19rule_id = "fb0afac5-bbd6-49b0-b4f8-44e5381e1587"
20severity = "low"
21tags = [
22    "Domain: Cloud",
23    "Use Case: Threat Detection",
24    "Use Case: UEBA",
25    "Tactic: Execution",
26    "Data Source: Github",
27]
28timestamp_override = "event.ingested"
29type = "threshold"
30
31query = '''
32event.dataset:"github.audit" and event.category:"configuration" and event.action:"git.clone" and 
33github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and 
34github.repository_public:false
35'''
36
37
38[[rule.threat]]
39framework = "MITRE ATT&CK"
40[[rule.threat.technique]]
41id = "T1648"
42name = "Serverless Execution"
43reference = "https://attack.mitre.org/techniques/T1648/"
44
45
46[rule.threat.tactic]
47id = "TA0002"
48name = "Execution"
49reference = "https://attack.mitre.org/tactics/TA0002/"
50
51[rule.threshold]
52field = ["github.hashed_token"]
53value = 1
54[[rule.threshold.cardinality]]
55field = "github.repo"
56value = 10

Related rules

to-top