GitHub UEBA - Multiple Alerts from a GitHub Account
This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to determine when multiple alerts are executed by the same user in a timespan of one hour. Analysts can use this to prioritize triage and response, as these alerts are a higher indicator of compromised user accounts or PATs.
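[metadata]
creation_date = "2023/12/14"
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to determine when
multiple alerts are executed by the same user in a timespan of one hour. Analysts can use this to prioritize triage and
response, as these alerts are a higher indicator of compromised user accounts or PATs.
"""
# One-hour lookback, matching the "timespan of one hour" stated in the description.
from = "now-60m"
# Higher-order rule: it reads the security alerts index, not raw GitHub audit events.
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "GitHub UEBA - Multiple Alerts from a GitHub Account"
risk_score = 47
rule_id = "929223b4-fba3-4a1c-a943-ec4716ad23ec"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Use Case: Threat Detection",
    "Use Case: UEBA",
    "Tactic: Execution",
    "Rule Type: Higher-Order Rule",
    "Data Source: Github",
]
# NOTE(review): alert documents may not populate event.ingested the way raw events do;
# confirm the override resolves on the alerts index, otherwise the lookback falls back
# to @timestamp.
timestamp_override = "event.ingested"
type = "threshold"

# Only alerts from GitHub UEBA rules that are still "open" are counted, so alerts that
# have already been closed or acknowledged stop contributing to the threshold.
# NOTE(review): this rule's own tags satisfy the tag filter, so its own alerts could be
# read back in on later runs; confirm they are excluded before relying on the count.
query = '''
signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

# Matching alerts are grouped per user; a minimum count of 1 means the group fires as
# soon as the cardinality condition below is met.
[rule.threshold]
field = ["user.name"]
value = 1

# At least 5 distinct source rule names must be seen for the same user in the window;
# this is the "multiple alerts" condition described above.
[[rule.threshold.cardinality]]
field = "signal.rule.name"
value = 5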
Related rules
- High Number of Cloned GitHub Repos From PAT
- GitHub App Deleted
- GitHub Owner Role Granted To User
- GitHub Repository Deleted
- New GitHub App Installed