New GitHub App Installed
This rule detects when a new GitHub App has been installed in your organization account. GitHub Apps extend GitHub's functionality both within and outside of GitHub. When an app is installed it is granted the repository and organization permissions it requests, so it can read or modify that data. Only trusted apps should be installed, and any newly installed app should be investigated to verify its legitimacy. An unauthorized app installation lowers your organization's security posture and can leave it exposed to future attacks.
Elastic rule
[metadata]
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
This rule detects when a new GitHub App has been installed in your organization account. GitHub Apps extend GitHub's
functionality both within and outside of GitHub. When an app is installed it is granted permissions to read or modify
your repository and organization data. Only trusted apps should be installed and any newly installed apps should be
investigated to verify their legitimacy. Unauthorized app installation could lower your organization's security posture
and leave you exposed for future attacks.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "New GitHub App Installed"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating New GitHub App Installed

GitHub Apps enhance functionality by integrating with repositories and organization data, requiring careful scrutiny upon installation. Adversaries may exploit these apps to gain unauthorized access or manipulate data. The detection rule monitors audit logs for new app installations, flagging potential threats by identifying unauthorized or suspicious integrations, thus safeguarding organizational security.

### Possible investigation steps

- Review the audit logs for the specific event.dataset "github.audit" and event.action "integration_installation.create" to identify the newly installed GitHub App.
- Verify the identity of the user or service account that performed the installation to ensure it aligns with expected behavior and authorized personnel.
- Check the permissions requested by the newly installed app to assess the level of access it has to your repositories and organization data.
- Cross-reference the app with a list of approved or trusted applications within your organization to determine if it is authorized.
- Investigate the app's developer or vendor to ensure they are reputable and have a history of secure and reliable applications.
- Communicate with the team or individual responsible for the installation to confirm the app's purpose and necessity within the organization.

### False positive analysis

- Frequent installations of trusted internal apps may trigger alerts. To manage this, maintain a list of approved internal apps and create exceptions for these in the detection rule.
- Automated deployment tools that integrate with GitHub might cause false positives. Identify these tools and exclude their installation events from triggering alerts.
- Regular updates or re-installations of existing apps can be mistaken for new installations. Track app version updates separately and adjust the rule to differentiate between updates and new installations.
- Development or testing environments often install and remove apps frequently. Consider excluding these environments from the rule or setting up a separate monitoring process for them.

### Response and remediation

- Immediately revoke the permissions of the newly installed GitHub App to prevent any unauthorized access or data manipulation.
- Notify the security team and relevant stakeholders about the unauthorized app installation for awareness and further investigation.
- Conduct a review of recent repository and organization changes to identify any unauthorized modifications or data access that may have occurred.
- If malicious activity is detected, initiate a rollback of affected repositories to a secure state prior to the app installation.
- Escalate the incident to higher-level security management if the app installation is linked to a broader security breach or if sensitive data has been compromised.
- Implement stricter access controls and approval processes for future GitHub App installations to prevent unauthorized installations.
- Update detection mechanisms to include additional indicators of compromise related to GitHub App installations, enhancing future threat detection capabilities."""
risk_score = 47
rule_id = "1ca62f14-4787-4913-b7af-df11745a49da"
severity = "medium"
tags = [
  "Domain: Cloud",
  "Use Case: Threat Detection",
  "Tactic: Execution",
  "Data Source: Github",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
configuration where event.dataset == "github.audit" and event.action == "integration_installation.create"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1072"
name = "Software Deployment Tools"
reference = "https://attack.mitre.org/techniques/T1072/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
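The following is an added example, not code from the Elastic rule or the GitHub integration. It evaluates the rule's EQL predicate (event.dataset and event.action) in Python over a handful of constructed audit events, then applies the first-pass triage the investigation guide describes: an allowlist of approved apps, an allowlist of automation actors, and a check of the permissions the app was granted. It goes slightly beyond the rule itself by including a sibling action from the same audit-log category (a version update of an already-installed app) and the same action string from a different dataset, to show that the two equality clauses in the query are what keep those out. The field paths github.app_name, user.name and github.permissions, the org and actor names, and the allowlists are assumptions made for illustration; the query's own fields, event.dataset and event.action, are the ones the rule uses.

```python
"""Rule predicate plus first-pass triage for 'New GitHub App Installed'.

Added example; not part of the Elastic rule or the GitHub integration.
event.dataset / event.action are the ECS fields the rule queries; the
app name, actor and permissions paths (github.app_name, user.name,
github.permissions) and the allowlists are assumed for illustration.
"""
from __future__ import annotations

from typing import Any

RULE_DATASET = "github.audit"
RULE_ACTION = "integration_installation.create"

# Assumed organisational allowlists (hypothetical names). Maintaining these
# is the "list of approved internal apps" the false-positive notes call for.
APPROVED_APPS = {"dependabot", "internal-ci-bot"}
AUTOMATION_ACTORS = {"platform-deploy-sa"}

# Permission scopes where a "write" grant deserves priority review.
HIGH_RISK_SCOPES = {"administration", "actions", "contents", "members", "secrets", "workflows"}

# Constructed sample events shaped like ECS documents from logs-github.audit-*.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"event": {"dataset": "github.audit", "action": "integration_installation.create"},
     "user": {"name": "alice"},
     "github": {"org": "acme", "app_name": "dependabot",
                "permissions": {"contents": "read", "metadata": "read"}}},
    {"event": {"dataset": "github.audit", "action": "integration_installation.create"},
     "user": {"name": "mallory"},
     "github": {"org": "acme", "app_name": "repo-helper-x",
                "permissions": {"contents": "write", "administration": "write"}}},
    {"event": {"dataset": "github.audit", "action": "integration_installation.create"},
     "user": {"name": "platform-deploy-sa"},
     "github": {"org": "acme", "app_name": "deploy-orchestrator",
                "permissions": {"contents": "read", "pull_requests": "write"}}},
    # Sibling action in the same audit-log category: a version bump of an
    # already-installed app. The rule's action filter does not match it.
    {"event": {"dataset": "github.audit", "action": "integration_installation.version_updated"},
     "user": {"name": "alice"},
     "github": {"org": "acme", "app_name": "dependabot",
                "permissions": {"contents": "write"}}},
    # Same action string from another dataset: excluded by the dataset filter.
    {"event": {"dataset": "other.audit", "action": "integration_installation.create"},
     "user": {"name": "alice"},
     "github": {"org": "acme", "app_name": "repo-helper-x"}},
]


def dig(doc: dict[str, Any], path: str, default: Any = None) -> Any:
    """Resolve a dotted ECS path such as 'event.action' against a nested dict."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def matches_rule(doc: dict[str, Any]) -> bool:
    """The rule's EQL predicate, evaluated in Python."""
    return dig(doc, "event.dataset") == RULE_DATASET and dig(doc, "event.action") == RULE_ACTION


def triage(doc: dict[str, Any]) -> dict[str, Any]:
    """Attach a first-pass disposition to one matching event."""
    app = dig(doc, "github.app_name", "<unknown>")
    actor = dig(doc, "user.name", "<unknown>")
    perms = dig(doc, "github.permissions", {}) or {}
    risky = sorted(s for s, level in perms.items() if s in HIGH_RISK_SCOPES and level == "write")
    if app in APPROVED_APPS:
        disposition = "approved_app"
    elif actor in AUTOMATION_ACTORS and not risky:
        # Automation may install apps, but not ones that take high-risk writes.
        disposition = "automation_actor"
    else:
        disposition = "investigate"
    return {"app": app, "actor": actor, "org": dig(doc, "github.org"),
            "high_risk_writes": risky, "disposition": disposition}


def run(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Apply the rule predicate, then triage every hit."""
    return [triage(e) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"{alert['disposition']:<16} app={alert['app']} actor={alert['actor']} "
              f"high_risk_writes={alert['high_risk_writes']}")
```

Two design points carry over to a real deployment. First, an allowlisted automation actor only suppresses the alert when the app takes no high-risk write scope; an installation by a service account that grants administration or contents write is still routed to a human, since a compromised automation identity is exactly the case the rule exists for. Second, the version-updated event is shown only to make the point that the rule's action filter already separates updates from fresh installs; if you want permission escalations on existing apps, that is a separate rule keyed on the sibling action, not an exception on this one.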
Related rules
- GitHub App Deleted
- GitHub UEBA - Multiple Alerts from a GitHub Account
- High Number of Cloned GitHub Repos From PAT
- GitHub Owner Role Granted To User
- GitHub Protected Branch Settings Changed