GitHub Owner Role Granted To User
This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides admin-level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.
# Elastic prebuilt detection rule, stored as TOML. [metadata] carries packaging
# and compatibility fields; [rule] is the detection definition the stack loads.
[metadata]
creation_date = "2023/09/11"
integration = ["github"]
maturity = "production"
updated_date = "2024/12/10"
# Stack gate: the rule relies on the GitHub integration as shipped from 8.13.0
# (breaking change noted in min_stack_comments), so it is restricted to stacks
# at or above that version.
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."

[rule]
author = ["Elastic"]
description = """
This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides
admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles
could indicate compromise within your organization and provide unlimited access to data and settings.
"""
# Start of each run's search window. No interval is set in this file, so the
# deployment default applies; 9 minutes of lookback is presumably wider than
# that interval so consecutive runs overlap rather than leave gaps -- confirm
# against the deployed interval.
from = "now-9m"
# Only the GitHub integration's audit-log data streams are searched.
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "GitHub Owner Role Granted To User"
# Medium-severity pairing; per the description every hit is meant to be triaged.
risk_score = 47
rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4"
severity = "medium"
tags = [
 "Domain: Cloud",
 "Use Case: Threat Detection",
 "Use Case: UEBA",
 "Tactic: Persistence",
 "Data Source: Github",
]
# Evaluate the search window on ingest time rather than the event's own
# timestamp, so audit records that arrive late are still caught by the window.
timestamp_override = "event.ingested"
type = "eql"

# One EQL predicate on the "iam" event category: a GitHub audit
# "org.update_member" action whose resulting permission is "admin", i.e. the
# organization-level permission that corresponds to the owner role described
# above. There is no actor or target allow-list in the query itself, so every
# matching grant produces an alert; any tuning is left to the deployment.
query = '''
iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin"
'''


# MITRE ATT&CK mapping: Persistence (TA0003) via Account Manipulation (T1098),
# sub-technique Additional Cloud Roles (T1098.003).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Related rules
- New GitHub Owner Added
- GitHub Repository Deleted
- GitHub UEBA - Multiple Alerts from a GitHub Account
- High Number of Cloned GitHub Repos From PAT
- GitHub App Deleted