New GitHub Owner Added

Detects when a new member is added to a GitHub organization as an owner. This role provides admin-level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2023/09/11"
integration = ["github"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."

[rule]
author = ["Elastic"]
description = """
Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any
new owner roles should be investigated to determine its validity. Unauthorized owner roles could indicate compromise
within your organization and provide unlimited access to data and settings.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "New GitHub Owner Added"
risk_score = 47
rule_id = "24401eca-ad0b-4ff9-9431-487a8e183af9"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Use Case: Threat Detection",
    "Use Case: UEBA",
    "Tactic: Persistence",
    "Data Source: Github",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
iam where event.dataset == "github.audit" and event.action == "org.add_member" and github.permission == "admin"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating New GitHub Owner Added

GitHub organizations allow collaborative management of repositories, where the 'owner' role grants full administrative control. Adversaries may exploit this by adding unauthorized owners, gaining unrestricted access to sensitive data and settings. The detection rule monitors audit logs for new admin-level additions, flagging potential unauthorized access attempts for further investigation.

### Possible investigation steps

- Review the GitHub audit logs to identify the specific user account that was added as an owner, focusing on the event.action "org.add_member" and github.permission "admin".
- Verify the identity and role of the newly added owner by cross-referencing with internal HR or user management systems to confirm if the addition was authorized.
- Check the activity history of the newly added owner account for any suspicious actions or changes made to repositories or settings since their addition.
- Contact the individual or team responsible for managing GitHub organization permissions to confirm if they were aware of and approved the new owner addition.
- Investigate any recent changes in the organization's membership or access policies that might explain the addition of a new owner.
- Assess the potential impact of the new owner's access by reviewing the repositories and sensitive data they now have administrative control over.

### False positive analysis

- Legitimate organizational changes: New owners may be added during legitimate restructuring or team expansions. Regularly review and document organizational changes to differentiate between authorized and unauthorized additions.
- Automated processes: Some organizations use automated scripts or tools to manage GitHub permissions, which might trigger this rule. Identify and whitelist these processes to prevent unnecessary alerts.
- Temporary access requirements: Occasionally, temporary owner access might be granted for specific projects or tasks. Implement a process to track and review these temporary changes, ensuring they are reverted once the task is completed.
- Onboarding of new senior staff: When new senior staff members join, they might be added as owners. Establish a clear onboarding process that includes notifying the security team to avoid false positives.
- Cross-functional team collaborations: In some cases, cross-functional teams may require owner-level access for collaboration. Maintain a list of such collaborations and review them periodically to ensure they remain necessary and authorized.

### Response and remediation

- Immediately revoke the admin privileges of the newly added GitHub owner to prevent further unauthorized access.
- Conduct a thorough review of recent changes and activities performed by the unauthorized owner to identify any potential data breaches or malicious actions.
- Notify the security team and relevant stakeholders about the incident to ensure awareness and coordinated response efforts.
- Reset credentials and enforce multi-factor authentication for all existing GitHub organization owners to enhance security.
- Review and update access control policies to ensure that owner roles are granted only to verified and necessary personnel.
- Implement additional monitoring and alerting for any future changes to GitHub organization roles to detect similar threats promptly.
- If evidence of compromise is found, consider engaging with a digital forensics team to assess the full impact and scope of the breach."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"
[[rule.threat.technique.subtechnique]]
id = "T1136.003"
name = "Cloud Account"
reference = "https://attack.mitre.org/techniques/T1136/003/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```
...
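To show what the rule's EQL predicate actually matches, here is an added example (not part of the Elastic rule or its repository) that mirrors the three conditions in Python and runs them over constructed audit documents, then applies the "automated processes" allowlist idea from the false-positive section as a triage label rather than a silent suppression. The document layout, field values, actor names and the `automation_actors` parameter are assumptions for illustration.

```python
from typing import Iterable

# Constructed sample audit documents in the field layout the rule queries
# (ECS-style names as the Elastic GitHub integration maps them); not real data.
SAMPLE_EVENTS = [
    {"event": {"category": ["iam"], "dataset": "github.audit", "action": "org.add_member"},
     "github": {"permission": "admin", "org": "example-org"},
     "user": {"name": "jdoe"}, "actor": {"name": "alice"}},
    # Same action but a non-owner permission: must not match.
    {"event": {"category": ["iam"], "dataset": "github.audit", "action": "org.add_member"},
     "github": {"permission": "read", "org": "example-org"},
     "user": {"name": "bob"}, "actor": {"name": "alice"}},
    # Admin permission on a different action value: the predicate does not match it,
    # so role changes recorded under another action need their own rule.
    {"event": {"category": ["iam"], "dataset": "github.audit", "action": "org.update_member"},
     "github": {"permission": "admin", "org": "example-org"},
     "user": {"name": "carol"}, "actor": {"name": "alice"}},
    # Owner added by a known automation identity (hypothetical name).
    {"event": {"category": ["iam"], "dataset": "github.audit", "action": "org.add_member"},
     "github": {"permission": "admin", "org": "example-org"},
     "user": {"name": "svc-bot-owner"}, "actor": {"name": "terraform-automation"}},
]

def matches_rule(doc: dict) -> bool:
    """Mirror of the EQL predicate:
    iam where event.dataset == "github.audit" and event.action == "org.add_member"
        and github.permission == "admin"
    The leading `iam` is the event.category filter."""
    ev = doc.get("event", {})
    return ("iam" in ev.get("category", [])
            and ev.get("dataset") == "github.audit"
            and ev.get("action") == "org.add_member"
            and doc.get("github", {}).get("permission") == "admin")

def triage(docs: Iterable[dict], automation_actors=frozenset()) -> list:
    """Run the predicate over documents and attach a triage label: hits made by a
    known automation actor (the guide's 'automated processes' false-positive class)
    are marked for review instead of being dropped, so the audit trail stays intact."""
    alerts = []
    for doc in docs:
        if not matches_rule(doc):
            continue
        actor = doc.get("actor", {}).get("name")
        alerts.append({
            "org": doc.get("github", {}).get("org"),
            "new_owner": doc.get("user", {}).get("name"),
            "actor": actor,
            "triage": "expected-automation" if actor in automation_actors else "investigate",
        })
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, automation_actors={"terraform-automation"}):
        print(alert)
```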

