GitHub Owner Role Granted To User
This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/09/11"
3integration = ["github"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides
11admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles
12could indicate compromise within your organization and provide unlimited access to data and settings.
13"""
14from = "now-9m"
15index = ["logs-github.audit-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "GitHub Owner Role Granted To User"
19risk_score = 47
20rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4"
21severity = "medium"
22tags = [
23 "Domain: Cloud",
24 "Use Case: Threat Detection",
25 "Use Case: UEBA",
26 "Tactic: Persistence",
27 "Data Source: Github",
28]
29timestamp_override = "event.ingested"
30type = "eql"
31
32query = '''
33iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin"
34'''
35
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39[[rule.threat.technique]]
40id = "T1098"
41name = "Account Manipulation"
42reference = "https://attack.mitre.org/techniques/T1098/"
43[[rule.threat.technique.subtechnique]]
44id = "T1098.003"
45name = "Additional Cloud Roles"
46reference = "https://attack.mitre.org/techniques/T1098/003/"
47
48
49
50[rule.threat.tactic]
51id = "TA0003"
52name = "Persistence"
53reference = "https://attack.mitre.org/tactics/TA0003/"
Related rules
- New GitHub Owner Added
- GitHub Repository Deleted
- GitHub UEBA - Multiple Alerts from a GitHub Account
- High Number of Cloned GitHub Repos From PAT
- GitHub App Deleted