GitHub UEBA - Multiple Alerts from a GitHub Account

This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to determine when multiple alerts are executed by the same user in a timespan of one hour. Analysts can use this to prioritize triage and response, as these alerts are a higher indicator of compromised user accounts or PATs.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/12/14"
 3maturity = "production"
 4min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 5min_stack_version = "8.3.0"
 6updated_date = "2023/12/18"
 7
 8[rule]
 9author = ["Elastic"]
10description = """
11This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to
12determine when multiple alerts are executed by the same user in a timespan of one hour. 
13Analysts can use this to prioritize triage and response, as these alerts are a higher indicator of compromised user
14accounts or PATs.
15"""
16from = "now-60m"
17index = [".alerts-security.*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "GitHub UEBA - Multiple Alerts from a GitHub Account"
21risk_score = 47
22rule_id = "929223b4-fba3-4a1c-a943-ec4716ad23ec"
23severity = "medium"
24tags = ["Domain: Cloud",
25        "Use Case: Threat Detection",
26        "Use Case: UEBA",
27        "Tactic: Execution",
28        "Rule Type: Higher-Order Rule",
29        "Data Source: Github"
30        ]
31timestamp_override = "event.ingested"
32type = "threshold"
33
34query = '''
35signal.rule.tags:("Use Case: UEBA" and "Data Source: Github") and kibana.alert.workflow_status:"open"
36'''
37
38[[rule.threat]]
39framework = "MITRE ATT&CK"
40
41[rule.threat.tactic]
42id = "TA0002"
43name = "Execution"
44reference = "https://attack.mitre.org/tactics/TA0002/"
45
46[rule.threshold]
47field = ["user.name"]
48value = 1
49
50[[rule.threshold.cardinality]]
51field = "signal.rule.name"
52value = 5

