High Number of Cloned GitHub Repos From PAT
Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/10/11"
3integration = ["github"]
4maturity = "production"
5min_stack_comments = "New fields added to GitHub Integration"
6min_stack_version = "8.8.0"
7updated_date = "2023/12/14"
8
9[rule]
10author = ["Elastic"]
11description = """
12Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.
13"""
14from = "now-6m"
15index = ["logs-github.audit-*"]
16language = "kuery"
17license = "Elastic License v2"
18name = "High Number of Cloned GitHub Repos From PAT"
19risk_score = 21
20rule_id = "fb0afac5-bbd6-49b0-b4f8-44e5381e1587"
21severity = "low"
22tags = ["Domain: Cloud",
23 "Use Case: Threat Detection",
24 "Use Case: UEBA",
25 "Tactic: Execution",
26 "Data Source: Github"
27 ]
28timestamp_override = "event.ingested"
29type = "threshold"
30
31query = '''
32event.dataset:"github.audit" and event.category:"configuration" and event.action:"git.clone" and
33github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and
34github.repository_public:false
35'''
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39[[rule.threat.technique]]
40id = "T1648"
41name = "Serverless Execution"
42reference = "https://attack.mitre.org/techniques/T1648/"
43
44
45[rule.threat.tactic]
46id = "TA0002"
47name = "Execution"
48reference = "https://attack.mitre.org/tactics/TA0002/"
49
50[rule.threshold]
51field = ["github.hashed_token"]
52value = 1
53
54[[rule.threshold.cardinality]]
55field = "github.repo"
56value = 10
Related rules
- GitHub UEBA - Multiple Alerts from a GitHub Account
- GitHub App Deleted
- GitHub Owner Role Granted To User
- GitHub Repository Deleted
- New GitHub Owner Added