GitHub UEBA - Multiple Alerts from a GitHub Account
This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to determine when multiple alerts are executed by the same user in a timespan of one hour. Analysts can use this to prioritize triage and response, as these alerts are a higher indicator of compromised user accounts or PATs.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2023/12/14"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/18"

[rule]
author = ["Elastic"]
description = """
This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to
determine when multiple alerts are executed by the same user in a timespan of one hour.
Analysts can use this to prioritize triage and response, as these alerts are a higher indicator of compromised user
accounts or PATs.
"""
from = "now-60m"
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "GitHub UEBA - Multiple Alerts from a GitHub Account"
risk_score = 47
rule_id = "929223b4-fba3-4a1c-a943-ec4716ad23ec"
severity = "medium"
tags = ["Domain: Cloud",
        "Use Case: Threat Detection",
        "Use Case: UEBA",
        "Tactic: Execution",
        "Rule Type: Higher-Order Rule",
        "Data Source: Github"
        ]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[rule.threshold]
field = ["user.name"]
value = 1

[[rule.threshold.cardinality]]
field = "signal.rule.name"
value = 5
```
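To make the threshold semantics concrete, the following added example (not Elastic's code) re-implements the rule's evaluation over a handful of constructed alert documents: the KQL filter on `signal.rule.tags` and `kibana.alert.workflow_status`, the 60-minute lookback judged on `event.ingested` (the `timestamp_override`), grouping on `user.name`, and the requirement of at least 5 distinct `signal.rule.name` values per user. Field names are assumed to be flattened dotted keys, and the sample users, timestamps and the non-GitHub alert are all constructed for illustration; the rule names reuse the related rules listed on this page.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Rule parameters taken from the TOML above.
REQUIRED_TAGS = {"Use Case: UEBA", "Data Source: Github"}
LOOKBACK = timedelta(minutes=60)          # from = "now-60m"
GROUP_FIELD = "user.name"                 # rule.threshold.field
MIN_DOCS = 1                              # rule.threshold.value
CARDINALITY_FIELD = "signal.rule.name"    # rule.threshold.cardinality field
MIN_DISTINCT_RULES = 5                    # rule.threshold.cardinality value

# Constructed evaluation time so the sample is deterministic.
NOW = datetime(2023, 12, 18, 12, 0, tzinfo=timezone.utc)


def make_alert(user, rule_name, minutes_ago, status="open", tags=None):
    """Build a constructed, flattened alert document carrying only the fields the rule reads."""
    return {
        "event.ingested": NOW - timedelta(minutes=minutes_ago),
        "user.name": user,
        "signal.rule.name": rule_name,
        "signal.rule.tags": list(REQUIRED_TAGS if tags is None else tags),
        "kibana.alert.workflow_status": status,
    }


# Distinct lower-order rule names; these are the related rules listed on the page.
RELATED_RULES = [
    "High Number of Cloned GitHub Repos From PAT",
    "GitHub App Deleted",
    "GitHub Owner Role Granted To User",
    "GitHub Repository Deleted",
    "New GitHub Owner Added",
]

# Constructed alert set covering the interesting cases.
SAMPLE_ALERTS = (
    # alice: five distinct GitHub UEBA rules inside the last hour -> should fire
    [make_alert("alice", r, 5 * i + 3) for i, r in enumerate(RELATED_RULES)]
    # bob: five alerts but only two distinct rule names -> cardinality not met
    + [make_alert("bob", RELATED_RULES[i % 2], 2 * i + 1) for i in range(5)]
    # carol: five distinct rules, but one alert is closed and one is older than 60 minutes
    + [make_alert("carol", RELATED_RULES[0], 10, status="closed"),
       make_alert("carol", RELATED_RULES[1], 90)]
    + [make_alert("carol", r, 20) for r in RELATED_RULES[2:]]
    # dave: a UEBA alert from another data source is excluded by the tag filter
    + [make_alert("dave", "Hypothetical Okta UEBA rule", 1,
                  tags=["Use Case: UEBA", "Data Source: Okta"])]
)


def matches_query(alert):
    """Equivalent of: signal.rule.tags:("Use Case: UEBA" and "Data Source: Github")
    and kibana.alert.workflow_status:"open" (both tags must be present)."""
    return (REQUIRED_TAGS.issubset(alert["signal.rule.tags"])
            and alert["kibana.alert.workflow_status"] == "open")


def in_window(alert, now=NOW):
    """Lookback is judged on event.ingested because of timestamp_override."""
    return now - LOOKBACK <= alert["event.ingested"] <= now


def evaluate_threshold(alerts, now=NOW):
    """Return {user: sorted distinct rule names} for every user.name bucket that
    has >= MIN_DOCS matching alerts and >= MIN_DISTINCT_RULES distinct rule names."""
    doc_count = defaultdict(int)
    distinct_rules = defaultdict(set)
    for alert in alerts:
        if not (in_window(alert, now) and matches_query(alert)):
            continue
        user = alert[GROUP_FIELD]
        doc_count[user] += 1
        distinct_rules[user].add(alert[CARDINALITY_FIELD])
    return {
        user: sorted(distinct_rules[user])
        for user in doc_count
        if doc_count[user] >= MIN_DOCS and len(distinct_rules[user]) >= MIN_DISTINCT_RULES
    }


if __name__ == "__main__":
    for user, rules in evaluate_threshold(SAMPLE_ALERTS).items():
        print(f"{user}: {len(rules)} distinct GitHub UEBA rules in the last hour -> {rules}")
```

Only `alice` produces a higher-order alert: `bob` is noisy but trips the same two rules repeatedly, and `carol` drops below five distinct rules once the closed alert and the stale one are filtered out. That is the triage value of the cardinality clause: it favours accounts touching several different detections over accounts that merely re-trigger one.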
Related rules
- High Number of Cloned GitHub Repos From PAT
- GitHub App Deleted
- GitHub Owner Role Granted To User
- GitHub Repository Deleted
- New GitHub Owner Added