GitHub Owner Role Granted To User

 1[metadata]
 2creation_date = "2023/09/11"
 3integration = ["github"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/12/14"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12This rule detects when a member is granted the organization owner role of a GitHub organization. 
13This role provides admin level privileges. Any new owner role should be investigated to determine its validity. 
14Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.
15"""
16from = "now-9m"
17index = ["logs-github.audit-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "GitHub Owner Role Granted To User"
21risk_score = 47
22rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4"
23severity = "medium"
24tags = ["Domain: Cloud", 
25        "Use Case: Threat Detection",
26        "Use Case: UEBA",        
27        "Tactic: Persistence", 
28        "Data Source: Github"
29        ]
30timestamp_override = "event.ingested"
31type = "eql"
32query = '''
33iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin"
34'''
35
36[[rule.threat]]
37framework = "MITRE ATT&CK"
38[[rule.threat.technique]]
39id = "T1098"
40name = "Account Manipulation"
41reference = "https://attack.mitre.org/techniques/T1098/"
42[[rule.threat.technique.subtechnique]]
43id = "T1098.003"
44name = "Additional Cloud Roles"
45reference = "https://attack.mitre.org/techniques/T1098/003/"
46
47
48[rule.threat.tactic]
49id = "TA0003"
50name = "Persistence"
51reference = "https://attack.mitre.org/tactics/TA0003/"