GitHub UEBA - Multiple Alerts from a GitHub Account

This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack" and uses alert data to determine when multiple alerts are triggered for the same user within a one-hour timespan. Analysts can use this to prioritize triage and response, as such clusters of alerts are a stronger indicator of compromised user accounts or PATs.

Elastic rule

# Elastic detection rule. [metadata] records lifecycle and stack-compatibility
# details; [rule] holds the rule definition consumed by the detection engine.
[metadata]
creation_date = "2023/12/14"
maturity = "production"
updated_date = "2024/12/10"
# Pinned to 8.13.0+ because of the Github integration breaking change noted below.
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."

[rule]
author = ["Elastic"]
description = """
This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to determine when
multiple alerts are executed by the same user in a timespan of one hour. Analysts can use this to prioritize triage and
response, as these alerts are a higher indicator of compromised user accounts or PATs.
"""
# One-hour lookback, matching the "timespan of one hour" stated in the description.
from = "now-60m"
# Reads existing security alerts rather than raw GitHub events: this is a
# higher-order rule (see the "Rule Type: Higher-Order Rule" tag) that
# correlates alerts produced by the other rules in the UEBA pack.
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "GitHub UEBA - Multiple Alerts from a GitHub Account"
risk_score = 47
rule_id = "929223b4-fba3-4a1c-a943-ec4716ad23ec"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Use Case: Threat Detection",
    "Use Case: UEBA",
    "Tactic: Execution",
    "Rule Type: Higher-Order Rule",
    "Data Source: Github",
]
# Evaluate the window against ingest time instead of @timestamp — presumably so
# that source alerts written late are still caught within the one-hour window.
timestamp_override = "event.ingested"
type = "threshold"

# Only open alerts produced by rules tagged both "Use Case: UEBA" and
# "Data Source: Github" are counted. Alerts an analyst has already closed or
# acknowledged no longer contribute to the threshold, so triage state directly
# affects whether this rule fires.
# NOTE(review): signal.rule.tags is the legacy alias of kibana.alert.rule.tags;
# confirm it still resolves on the target stack version.
query = '''
signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

# Group matching alerts by user.name; value = 1 means a single alert is enough
# to form a bucket. The cardinality clause is what implements "multiple alerts":
# the bucket must contain alerts from at least 5 distinct source rules
# (signal.rule.name). Five alerts from the same rule therefore do not trigger
# this rule — keep that in mind when tuning or when comparing against raw counts.
[rule.threshold]
field = ["user.name"]
value = 1
[[rule.threshold.cardinality]]
field = "signal.rule.name"
value = 5
