High Number of Closed Pull Requests by User

Detects a high number of closed pull requests by a single user within a short time frame. Adversaries may close multiple pull requests to disrupt development workflows or hide malicious changes.


[metadata]
# Dates are plain strings in YYYY/MM/DD form rather than TOML date values;
# keep the same layout when bumping updated_date.
creation_date = "2025/12/16"
integration = ["github"]
maturity = "production"
updated_date = "2025/12/16"

 7[rule]
 8author = ["Elastic"]
 9description = """
10Detects a high number of closed pull requests by a single user within a short time frame. Adversaries may
11close multiple pull requests to disrupt development workflows or hide malicious changes.
12"""
13from = "now-9m"
14interval = "8m"
15language = "esql"
16license = "Elastic License v2"
17name = "High Number of Closed Pull Requests by User"
18references = [
19    "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack",
20    "https://trigger.dev/blog/shai-hulud-postmortem",
21    "https://posthog.com/blog/nov-24-shai-hulud-attack-post-mortem",
22]
23risk_score = 47
24rule_id = "098bd5cc-fd55-438f-b354-7d6cd9856a08"
25severity = "medium"
26tags = [
27    "Domain: Cloud",
28    "Use Case: Threat Detection",
29    "Tactic: Impact",
30    "Tactic: Exfiltration",
31    "Data Source: Github",
32]
33timestamp_override = "event.ingested"
34type = "esql"
35query = '''
36from logs-github.audit-* metadata _id, _index, _version
37| where
38  data_stream.dataset == "github.audit" and
39  github.category == "pull_request" and
40  event.type == "change" and
41  event.action == "pull_request.close"
42| stats
43  Esql.document_count = COUNT(*),
44  Esql.github_org_values = values(github.org),
45  Esql.github_repo_values = values(github.repo),
46  Esql.github_user_agent_values = values(github.user_agent),
47  Esql.github_pull_request_url_values = values(github.pull_request_url),
48  Esql.user_name_values = values(user.name),
49  Esql.agent_id_values = values(agent.id),
50  Esql.event_dataset_values = values(event.dataset),
51  Esql.data_stream_namespace_values = values(data_stream.namespace)
52
53  by user.name
54
55| keep Esql.*
56
57| where
58  Esql.document_count >= 10
59'''
60
# First ATT&CK mapping: mass-closing pull requests treated as destructive
# disruption of the development workflow (Impact / Data Destruction).
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"

[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

# Second ATT&CK mapping: the same activity as a possible cover for
# exfiltration through the code-hosting service (see the rule references).
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1020"
name = "Automated Exfiltration"
reference = "https://attack.mitre.org/techniques/T1020/"

[[rule.threat.technique]]
id = "T1567"
name = "Exfiltration Over Web Service"
reference = "https://attack.mitre.org/techniques/T1567/"

# Array-of-tables semantics: this subtechnique attaches to the most recent
# [[rule.threat.technique]] entry above (T1567), not to T1020. Keep it
# directly after T1567 if the technique list is reordered.
[[rule.threat.technique.subtechnique]]
id = "T1567.001"
name = "Exfiltration to Code Repository"
reference = "https://attack.mitre.org/techniques/T1567/001/"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
