GitHub UEBA - Multiple Alerts from a GitHub Account
This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to determine when multiple alerts are executed by the same user in a timespan of one hour. Analysts can use this to prioritize triage and response, as these alerts are a higher indicator of compromised user accounts or PATs.
Elastic rule
[metadata]
creation_date = "2023/12/14"
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."

[rule]
author = ["Elastic"]
description = """
This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to determine when
multiple alerts are executed by the same user in a timespan of one hour. Analysts can use this to prioritize triage and
response, as these alerts are a higher indicator of compromised user accounts or PATs.
"""
from = "now-60m"
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "GitHub UEBA - Multiple Alerts from a GitHub Account"
risk_score = 47
rule_id = "929223b4-fba3-4a1c-a943-ec4716ad23ec"
severity = "medium"
tags = [
  "Domain: Cloud",
  "Use Case: Threat Detection",
  "Use Case: UEBA",
  "Tactic: Execution",
  "Rule Type: Higher-Order Rule",
  "Data Source: Github",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GitHub UEBA - Multiple Alerts from a GitHub Account

User and Entity Behavior Analytics (UEBA) in GitHub environments helps identify unusual patterns that may indicate compromised accounts or tokens. Adversaries might exploit GitHub by executing multiple unauthorized actions within a short period. This detection rule flags such anomalies by monitoring for multiple alerts from the same user within an hour, aiding in prioritizing potential threats for further investigation.

### Possible investigation steps

- Review the alert details in the security dashboard to identify the specific user account associated with the multiple alerts.
- Check the recent activity logs for the identified user in GitHub to determine the nature and frequency of actions performed within the alert timeframe.
- Investigate any recent changes to the user's permissions or access levels that might have facilitated unusual activity.
- Correlate the alert data with other security tools or logs to identify any additional suspicious behavior or related alerts involving the same user.
- Contact the user to verify if the actions were legitimate or if they suspect their account or personal access token (PAT) might be compromised.
- If a compromise is suspected, initiate a password reset and revoke any active PATs for the user, and monitor for any further suspicious activity.

### False positive analysis

- High-frequency automated workflows or CI/CD pipelines may trigger multiple alerts within an hour. Review these workflows to ensure they are legitimate and consider adding exceptions for known, non-threatening automation.
- Developers or teams working on time-sensitive projects might perform numerous actions in a short period, leading to false positives. Identify these users or teams and create exceptions to prevent unnecessary alerts.
- Scheduled tasks or scripts that interact with GitHub repositories can generate multiple alerts. Verify the legitimacy of these tasks and exclude them from the rule if they are deemed safe.
- Frequent use of GitHub Actions or bots that perform repetitive tasks could be misinterpreted as suspicious activity. Confirm their purpose and add them to an allowlist if they are part of normal operations.
- Consider implementing a review process for alerts that involve known trusted users or service accounts to quickly dismiss false positives without compromising security.

### Response and remediation

- Immediately isolate the affected GitHub account by revoking all active sessions and tokens to prevent further unauthorized actions.
- Conduct a password reset for the compromised account and enforce multi-factor authentication (MFA) to enhance security.
- Review recent activity logs for the affected account to identify any unauthorized changes or data exfiltration, and revert any malicious modifications.
- Notify the account owner and relevant security teams about the potential compromise to ensure awareness and coordinated response efforts.
- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional accounts or systems are affected.
- Implement additional monitoring on the affected account and related systems to detect any further suspicious activity.
- Update and refine access controls and permissions for the affected account to minimize the risk of future unauthorized actions."""


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[rule.threshold]
field = ["user.name"]
value = 1
[[rule.threshold.cardinality]]
field = "signal.rule.name"
value = 5
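The threshold logic above (group open UEBA/GitHub alerts from the last 60 minutes by user.name and fire when at least 5 distinct signal.rule.name values appear) reproduced in plain Python so the grouping, window and cardinality checks can be seen on sample data. This is an added example, not Elastic's implementation; the alert documents, rule names and the `allowlist` parameter (an exception list for known automation, as the false-positive guidance suggests) are constructed for illustration.

```python
"""Added example: evaluates this rule's threshold over constructed alert docs."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)             # from = "now-60m"
REQUIRED_TAGS = {"Use Case: UEBA", "Data Source: Github"}
MIN_DISTINCT_RULES = 5                     # [[rule.threshold.cardinality]] value

def matches_query(alert):
    """KQL filter: both tags present AND kibana.alert.workflow_status is open."""
    tags = set(alert.get("signal.rule.tags", []))
    return REQUIRED_TAGS <= tags and alert.get("kibana.alert.workflow_status") == "open"

def evaluate_threshold(alerts, now, allowlist=frozenset()):
    """Return {user.name: sorted distinct rule names} for users that trip the rule.

    Only alerts matching the query and ingested within WINDOW (timestamp_override
    = event.ingested) count. `allowlist` is a hypothetical exception list for
    known automation accounts; it is not a field of the original rule."""
    by_user = defaultdict(set)
    for a in alerts:
        if not matches_query(a) or now - a["event.ingested"] > WINDOW:
            continue
        user = a.get("user.name")
        if user is None or user in allowlist:
            continue
        by_user[user].add(a["signal.rule.name"])   # cardinality on signal.rule.name
    return {u: sorted(r) for u, r in by_user.items() if len(r) >= MIN_DISTINCT_RULES}

# Constructed sample alerts (not real data); rule names are placeholders.
NOW = datetime(2025, 1, 15, 12, 0, 0)
def _alert(user, rule, minutes_ago, status="open"):
    return {"user.name": user, "signal.rule.name": rule,
            "kibana.alert.workflow_status": status,
            "signal.rule.tags": sorted(REQUIRED_TAGS),
            "event.ingested": NOW - timedelta(minutes=minutes_ago)}

SAMPLE_ALERTS = [
    *[_alert("alice", f"GitHub UEBA - Rule {i}", 5 * i) for i in range(1, 6)],  # 5 rules, 25 min
    *[_alert("bob", "GitHub Repository Deleted", i) for i in range(6)],          # 6 alerts, 1 rule
    *[_alert("carol", f"GitHub UEBA - Rule {i}", 5 * i, "closed") for i in range(1, 6)],
    *[_alert("dave", f"GitHub UEBA - Rule {i}", 90 + i) for i in range(1, 6)],   # outside window
    *[_alert("ci-bot", f"GitHub UEBA - Rule {i}", i) for i in range(1, 6)],       # known automation
]

if __name__ == "__main__":
    print(evaluate_threshold(SAMPLE_ALERTS, NOW, allowlist={"ci-bot"}))
```

Only alice fires with the allowlist applied; bob shows why the cardinality check (distinct rules, not raw alert count) matters, and ci-bot shows the effect of an exception for known automation.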
Related rules
- High Number of Cloned GitHub Repos From PAT
- GitHub App Deleted
- GitHub Owner Role Granted To User
- GitHub Repository Deleted
- New GitHub App Installed