From 3ffb607d80eca09c73d227327dff3c5b5bd56053 Mon Sep 17 00:00:00 2001 
From: protections machine <72879786+protectionsmachine@users.noreply.github.com> Date: Thu, 28 Nov 2024 04:24:44 +1100 Subject: [PATCH] Update latest docs (#6255) --- ...t-by-rare-user-and-member-account.asciidoc | 157 ++++++++++++++++++ .../prebuilt-rules-8-13-23-appendix.asciidoc | 7 + .../prebuilt-rules-8-13-23-summary.asciidoc | 14 ++ ...ebuilt-rules-downloadable-updates.asciidoc | 5 + .../prebuilt-rules-reference.asciidoc | 44 ++--- .../prebuilt-rules/rule-desc-index.asciidoc | 1 + ...t-by-rare-user-and-member-account.asciidoc | 157 ++++++++++++++++++ ...t-for-a-personal-access-token-pat.asciidoc | 2 +- ...ub-repo-interaction-from-a-new-ip.asciidoc | 2 +- ...ser-interaction-with-private-repo.asciidoc | 2 +- ...-github-personal-access-token-pat.asciidoc | 2 +- ...nce-of-ip-address-for-github-user.asciidoc | 2 +- ...s-token-pat-use-for-a-github-user.asciidoc | 2 +- ...-github-personal-access-token-pat.asciidoc | 2 +- ...-github-personal-access-token-pat.asciidoc | 2 +- ...e-of-user-agent-for-a-github-user.asciidoc | 2 +- .../rule-details/github-app-deleted.asciidoc | 2 +- ...github-owner-role-granted-to-user.asciidoc | 2 +- .../github-pat-access-revoked.asciidoc | 2 +- ...protected-branch-settings-changed.asciidoc | 2 +- .../rule-details/github-repo-created.asciidoc | 2 +- .../github-repository-deleted.asciidoc | 2 +- ...ub-user-blocked-from-organization.asciidoc | 2 +- ...r-of-cloned-github-repos-from-pat.asciidoc | 2 +- ...-removed-from-github-organization.asciidoc | 2 +- .../new-github-app-installed.asciidoc | 2 +- .../new-github-owner-added.asciidoc | 2 +- ...user-added-to-github-organization.asciidoc | 2 +- docs/index.asciidoc | 2 + 29 files changed, 387 insertions(+), 42 deletions(-) create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-13-23/prebuilt-rule-8-13-23-aws-sts-assumeroot-by-rare-user-and-member-account.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-13-23/prebuilt-rules-8-13-23-appendix.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-13-23/prebuilt-rules-8-13-23-summary.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/aws-sts-assumeroot-by-rare-user-and-member-account.asciidoc diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-23/prebuilt-rule-8-13-23-aws-sts-assumeroot-by-rare-user-and-member-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-23/prebuilt-rule-8-13-23-aws-sts-assumeroot-by-rare-user-and-member-account.asciidoc new file mode 100644 index 0000000000..8a6104f180 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-23/prebuilt-rule-8-13-23-aws-sts-assumeroot-by-rare-user-and-member-account.asciidoc 
@@ -0,0 +1,157 @@ +[[prebuilt-rule-8-13-23-aws-sts-assumeroot-by-rare-user-and-member-account]] +=== AWS STS AssumeRoot by Rare User and Member Account + +Identifies when the STS `AssumeRoot` action is performed by a rare user in AWS. The AssumeRoot action allows users to assume the root member account role, granting elevated but specific permissions based on the task policy specified. Adversaries whom may have compromised user credentials, such as access and secret keys, can use this technique to escalate privileges and gain unauthorized access to AWS resources. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies when the STS `AssumeRoot` action is performed by a user that rarely assumes this role and specific member account. + +*Rule type*: new_terms + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoot.html + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS STS +* Resources: Investigation Guide +* Use Case: Identity and Access Audit +* Tactic: Privilege Escalation + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and Analysis* + + + +*Investigating AWS STS AssumeRoot by Rare User and Member Account* + + +This rule identifies instances where AWS STS (Security Token Service) is used to assume a root role, granting temporary credentials for AWS resource access. While this action is often legitimate, it can be exploited by adversaries to obtain unauthorized access, escalate privileges, or move laterally within an AWS environment. 
+ + +*Possible Investigation Steps* + + +- **Identify the Actor and Assumed Role**: + - **User Identity**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` fields to determine who initiated the `AssumeRoot` action. + - **Account Context**: Check the `aws.cloudtrail.recipient_account_id` field for the account affected by the action. This is likely the management account. + - **Authentication**: If available, review the `aws.cloudtrail.user_identity.access_key_id` to identify the access key used for the action. This key may be compromised in the case of unauthorized activity. + - **Resources**: Inspect `aws.cloudtrail.resources.type` and `aws.cloudtrail.resources.arn` to determine the resource or role assumed. This is the member account where the root role was assumed. + +- **Analyze Request Parameters**: + - **Session Details**: Check `aws.cloudtrail.flattened.request_parameters.durationSeconds` for session duration. + - **Permissions**: Review `aws.cloudtrail.flattened.request_parameters.taskPolicyArn` for the associated policy. These policies are predefined and grant specific permissions to the assumed root account. + - **Target Entity**: Inspect the `aws.cloudtrail.flattened.request_parameters.targetPrincipal` field for the entity being accessed. This is typically the member account. + - **Target Policy**: Inspect the `aws.cloudtrail.flattened.request_parameters.targetPolicyArn` field for the policy applied to temporary root credentials. This can help determine the scope of the permissions granted. + +- **Examine Response Details**: + - **Credentials Issued**: Review `aws.cloudtrail.flattened.response_elements.credentials` to confirm credentials were issued and note their expiration (`expiration` field). The temporary access key can be used to pivot into other actions done by the assumed root account by searching for the value in `aws.cloudtrail.user_identity.access_key_id`. 
+ +- **Inspect Source Details**: + - **Source IP and Location**: Evaluate `source.address` and `source.geo` fields to confirm the request's origin. Unusual locations might indicate unauthorized activity. + - **User Agent**: Analyze `user_agent.original` to determine the tool or application used (e.g., AWS CLI, SDK, or custom tooling). + +- **Correlate with Related Events**: + - **Concurrent Events**: Look for surrounding CloudTrail events that indicate follow-up actions, such as access to sensitive resources or privilege escalation attempts. + - **Historical Activity**: Review historical activity for the `aws.cloudtrail.user_identity.arn` to determine if this action is anomalous. + +- **Evaluate Privilege Escalation Risk**: + - **Role Privileges**: Inspect the privileges granted by the assumed role or task policy (`aws.cloudtrail.flattened.request_parameters.taskPolicyArn`). + - **Operational Context**: Confirm whether the action aligns with routine operations or is unusual. + + +*False Positive Analysis* + + +- **Authorized Administrative Activity**: + - Verify if the activity was initiated by an AWS administrator for legitimate purposes. +- **Automated Workflows**: + - Identify if the action was part of an automated process or workflow. + + +*Response and Remediation* + + +1. **Revoke Unauthorized Credentials**: + - If malicious activity is identified, immediately revoke the session tokens and access keys associated with the `AssumeRoot` action. + - It may be worth removing the compromised access key from the affected user or service account. +2. **Enhance Monitoring**: + - Increase the monitoring frequency for sensitive roles and actions, especially `AssumeRoot`. +3. **Review IAM Policies**: + - Limit permissions for accounts or roles to assume root and enforce multi-factor authentication (MFA) where applicable. +4. 
**Contain and Investigate**: + - Isolate affected accounts or roles and follow incident response procedures to determine the scope and impact of the activity. + + +*Additional Information* + + +For more information on AssumeRoot, refer to the https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoot.html[AWS STS documentation]. + + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset: "aws.cloudtrail" + and event.provider: "sts.amazonaws.com" + and event.action: "AssumeRoot" + and event.outcome: "success" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Temporary Elevated Cloud Access +** ID: T1548.005 +** Reference URL: https://attack.mitre.org/techniques/T1548/005/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Sub-technique: +** Name: Additional Cloud Roles +** ID: T1098.003 +** Reference URL: https://attack.mitre.org/techniques/T1098/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-23/prebuilt-rules-8-13-23-appendix.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-23/prebuilt-rules-8-13-23-appendix.asciidoc new file mode 100644 index 0000000000..f81bfbec5d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-23/prebuilt-rules-8-13-23-appendix.asciidoc 
@@ -0,0 +1,7 @@ +["appendix",role="exclude",id="prebuilt-rule-8-13-23-prebuilt-rules-8-13-23-appendix"] += Downloadable rule update v8.13.23 + +This section lists all updates associated with version 8.13.23 of the Fleet integration *Prebuilt Security Detection Rules*. + + +include::prebuilt-rule-8-13-23-aws-sts-assumeroot-by-rare-user-and-member-account.asciidoc[] diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-13-23/prebuilt-rules-8-13-23-summary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-13-23/prebuilt-rules-8-13-23-summary.asciidoc new file mode 100644 index 0000000000..b1261db72d --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-13-23/prebuilt-rules-8-13-23-summary.asciidoc @@ -0,0 +1,14 @@ +[[prebuilt-rule-8-13-23-prebuilt-rules-8-13-23-summary]] +[role="xpack"] +== Update v8.13.23 + +This section lists all updates associated with version 8.13.23 of the Fleet integration *Prebuilt Security Detection Rules*. + + +[width="100%",options="header"] +|============================================== +|Rule |Description |Status |Version + +|<> | Identifies when the STS `AssumeRoot` action is performed by a rare user in AWS. The AssumeRoot action allows users to assume the root member account role, granting elevated but specific permissions based on the task policy specified. Adversaries whom may have compromised user credentials, such as access and secret keys, can use this technique to escalate privileges and gain unauthorized access to AWS resources. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies when the STS `AssumeRoot` action is performed by a user that rarely assumes this role and specific member account. | new | 1 + +|============================================== 
diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc index 74418e14cf..fa5d99a28d 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc @@ -13,6 +13,10 @@ For previous rule updates, please navigate to the https://www.elastic.co/guide/e |Update version |Date | New rules | Updated rules | Notes +|<> | 27 Nov 2024 | 1 | 0 | +This release includes a new rule for AWS integration privilege escalation detection. + + |<> | 11 Nov 2024 | 20 | 22 | This release includes new rules for Windows, Linux, AWS, and Azure integration. New rules for Windows include detection for initial access. New rules for Linux include detection for defense evasion, command and control, impact, discovery, execution and exfiltration. New rules for AWS include detection for privilege escalation, exfiltration, execution, discovery and persistence. New rules for Azure include detection for credential access. Additionally, significant rule tuning for Windows and AWS rules has been added for better rule efficacy and performance. @@ -139,3 +143,4 @@ include::downloadable-packages/8-13-19/prebuilt-rules-8-13-19-summary.asciidoc[l include::downloadable-packages/8-13-20/prebuilt-rules-8-13-20-summary.asciidoc[leveloffset=+1] include::downloadable-packages/8-13-21/prebuilt-rules-8-13-21-summary.asciidoc[leveloffset=+1] include::downloadable-packages/8-13-22/prebuilt-rules-8-13-22-summary.asciidoc[leveloffset=+1] +include::downloadable-packages/8-13-23/prebuilt-rules-8-13-23-summary.asciidoc[leveloffset=+1] diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc index 69c2a19796..c599a3de33 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc 
+++ b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc 
@@ -204,6 +204,8 @@ and their rule type is `machine_learning`. |<> |Identifies when a user has assumed a role using a new MFA device. Users can assume a role to obtain temporary credentials and access AWS resources using the AssumeRole API of AWS Security Token Service (STS). While a new MFA device is not always indicative of malicious behavior it should be verified as adversaries can use this technique for persistence and privilege escalation. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS STS], [Use Case: Identity and Access Audit], [Tactic: Privilege Escalation], [Tactic: Persistence], [Tactic: Lateral Movement] |None |1 +|<> |Identifies when the STS `AssumeRoot` action is performed by a rare user in AWS. The AssumeRoot action allows users to assume the root member account role, granting elevated but specific permissions based on the task policy specified. Adversaries whom may have compromised user credentials, such as access and secret keys, can use this technique to escalate privileges and gain unauthorized access to AWS resources. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies when the STS `AssumeRoot` action is performed by a user that rarely assumes this role and specific member account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS STS], [Resources: Investigation Guide], [Use Case: Identity and Access Audit], [Tactic: Privilege Escalation] |None |1 + |<> |An adversary with access to a set of compromised credentials may attempt to verify that the credentials are valid and determine what account they are using. This rule looks for the first time an identity has called the STS `GetCallerIdentity` API operation in the last 15 days, which may be an indicator of compromised credentials. 
A legitimate user would not need to call this operation as they should know the account they are using. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS STS], [Use Case: Identity and Access Audit], [Tactic: Discovery], [Resources: Investigation Guide] |None |3 |<> |Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: AWS STS], [Use Case: Identity and Access Audit], [Tactic: Privilege Escalation] |None |206 
@@ -712,29 +714,29 @@ and their rule type is `machine_learning`. |<> |Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Elastic Defend] |None |206 -|<> |Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Execution], [Rule Type: BBR], [Data Source: Github] |None |2 +|<> |Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Execution], [Rule Type: BBR], [Data Source: Github] |8.12.0 |103 |<> |Identifies when a user is observed for the first time in the last 14 days authenticating using the deviceCode protocol. The device code authentication flow can be abused by attackers to phish users and steal access tokens to impersonate the victim. By its very nature, device code should only be used when logging in to devices without keyboards, where it is difficult to enter emails and passwords. |[Domain: Cloud], [Data Source: Azure], [Data Source: Microsoft Entra ID], [Use Case: Identity and Access Audit], [Tactic: Credential Access] |None |1 -|<> |Detects an interaction with a private GitHub repository from a new IP address not seen in the last 14 days. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Execution], [Rule Type: BBR], [Data Source: Github] |None |2 +|<> |Detects an interaction with a private GitHub repository from a new IP address not seen in the last 14 days. 
|[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Execution], [Rule Type: BBR], [Data Source: Github] |8.12.0 |103 -|<> |Detects a new private repo interaction for a GitHub user not seen in the last 14 days. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Execution], [Rule Type: BBR], [Data Source: Github] |None |2 +|<> |Detects a new private repo interaction for a GitHub user not seen in the last 14 days. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Execution], [Rule Type: BBR], [Data Source: Github] |8.12.0 |103 -|<> |Detects a new IP address used for a GitHub PAT not previously seen in the last 14 days. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Initial Access], [Rule Type: BBR], [Data Source: Github] |None |2 +|<> |Detects a new IP address used for a GitHub PAT not previously seen in the last 14 days. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Initial Access], [Rule Type: BBR], [Data Source: Github] |8.12.0 |103 -|<> |Detects a new IP address used for a GitHub user not previously seen in the last 14 days. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Initial Access], [Rule Type: BBR], [Data Source: Github] |None |2 +|<> |Detects a new IP address used for a GitHub user not previously seen in the last 14 days. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Initial Access], [Rule Type: BBR], [Data Source: Github] |8.12.0 |103 |<> |Identifies the first occurrence of an Okta user session started via a proxy. |[Tactic: Initial Access], [Use Case: Identity and Access Audit], [Data Source: Okta] |None |4 -|<> |A new PAT was used for a GitHub user not previously seen in the last 14 days. 
|[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Persistence], [Rule Type: BBR], [Data Source: Github] |None |2 +|<> |A new PAT was used for a GitHub user not previously seen in the last 14 days. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Persistence], [Rule Type: BBR], [Data Source: Github] |8.12.0 |103 -|<> |Detects a new private repo interaction for a GitHub PAT not seen in the last 14 days. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Execution], [Rule Type: BBR], [Data Source: Github] |None |2 +|<> |Detects a new private repo interaction for a GitHub PAT not seen in the last 14 days. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Execution], [Rule Type: BBR], [Data Source: Github] |8.12.0 |103 |<> |Identifies the first occurrence of an AWS Security Token Service (STS) `GetFederationToken` request made by a user within the last 10 days. The `GetFederationToken` API call allows users to request temporary security credentials to access AWS resources. Adversaries may use this API to obtain temporary credentials to access resources they would not normally have access to. |[Domain: Cloud], [Data Source: Amazon Web Services], [Data Source: AWS], [Data Source: AWS STS], [Use Case: Threat Detection], [Tactic: Defense Evasion] |None |1 -|<> |Detects a new user agent used for a GitHub PAT not previously seen in the last 14 days. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Initial Access], [Rule Type: BBR], [Data Source: Github] |None |2 +|<> |Detects a new user agent used for a GitHub PAT not previously seen in the last 14 days. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Initial Access], [Rule Type: BBR], [Data Source: Github] |8.12.0 |103 -|<> |Detects a new user agent used for a GitHub user not previously seen in the last 14 days. 
|[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Initial Access], [Rule Type: BBR], [Data Source: Github] |None |2 +|<> |Detects a new user agent used for a GitHub user not previously seen in the last 14 days. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Initial Access], [Rule Type: BBR], [Data Source: Github] |8.12.0 |103 |<> |This rule detects the first time a principal calls AWS Cloudwatch `CreateStack` or `CreateStackSet` API. Cloudformation is used to create a single collection of cloud resources called a stack, via a defined template file. An attacker with the appropriate privileges could leverage Cloudformation to create specific resources needed to further exploit the environment. This is a new terms rule that looks for the first instance of this behavior in the last 10 days for a role or IAM user within a particular account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Data Source: Cloudformation], [Use Case: Asset Visibility], [Tactic: Execution] |None |1 
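Review bot: Every GitHub rule in this hunk of prebuilt-rules-reference.asciidoc moves from version 2 to 103 (105 for the owner-role rules) and from no minimum stack version to 8.12.0, a jump of roughly 100 rather than the usual +1 bump. If that reflects the rules being re-forked for a new minimum stack version, say so somewhere in the v8.13.23 notes; as the patch stands, the v8.13.23 appendix lists only the new AssumeRoot rule and nothing documents why the GitHub rules changed, so a reader comparing the table against an installed 8.11 stack has no way to tell that these rules will no longer be offered to it.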
@@ -810,21 +812,21 @@ and their rule type is `machine_learning`. |<> |This rule detects a suspicious egress network connection attempt from a Git hook script. Git hooks are scripts that Git executes before or after events such as: commit, push, and receive. An attacker can abuse these features to execute arbitrary commands on the system, establish persistence or to initialize a network connection to a remote server and exfiltrate data or download additional payloads. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Execution], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |None |2 -|<> |Detects the deletion of a GitHub app either from a repo or an organization. |[Domain: Cloud], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Github] |None |2 +|<> |Detects the deletion of a GitHub app either from a repo or an organization. |[Domain: Cloud], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Github] |8.12.0 |103 -|<> |This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Persistence], [Data Source: Github] |None |4 +|<> |This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings. 
|[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Persistence], [Data Source: Github] |8.12.0 |105 -|<> |Access to private GitHub organization resources was revoked for a PAT. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Impact], [Rule Type: BBR], [Data Source: Github] |None |2 +|<> |Access to private GitHub organization resources was revoked for a PAT. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Impact], [Rule Type: BBR], [Data Source: Github] |8.12.0 |103 -|<> |This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository. Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed for future attacks. |[Domain: Cloud], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Github] |None |4 +|<> |This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository. Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed for future attacks. |[Domain: Cloud], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Github] |8.12.0 |105 -|<> |A new GitHub repository was created. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Execution], [Rule Type: BBR], [Data Source: Github] |None |2 +|<> |A new GitHub repository was created. 
|[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Execution], [Rule Type: BBR], [Data Source: Github] |8.12.0 |103 -|<> |This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component used within an organization to manage work, collaborate with others and release products to the public. Any delete action against a repository should be investigated to determine it's validity. Unauthorized deletion of organization repositories could cause irreversible loss of intellectual property and indicate compromise within your organization. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Impact], [Data Source: Github] |None |2 +|<> |This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component used within an organization to manage work, collaborate with others and release products to the public. Any delete action against a repository should be investigated to determine it's validity. Unauthorized deletion of organization repositories could cause irreversible loss of intellectual property and indicate compromise within your organization. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Impact], [Data Source: Github] |8.12.0 |102 |<> |This rule is part of the "GitHub UEBA - Unusual Activity from Account Pack", and leverages alert data to determine when multiple alerts are executed by the same user in a timespan of one hour. Analysts can use this to prioritize triage and response, as these alerts are a higher indicator of compromised user accounts or PATs. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Execution], [Rule Type: Higher-Order Rule], [Data Source: Github] |None |1 -|<> |A GitHub user was blocked from access to an organization. 
|[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Impact], [Rule Type: BBR], [Data Source: Github] |None |2 +|<> |A GitHub user was blocked from access to an organization. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Impact], [Rule Type: BBR], [Data Source: Github] |8.12.0 |103 |<> |Drive and Docs is a Google Workspace service that allows users to leverage Google Drive and Google Docs. Access to files is based on inherited permissions from the child organizational unit the user belongs to which is scoped by administrators. Typically if a user is removed, their files can be transferred to another user by the administrator. This service can also be abused by adversaries to transfer files to an adversary account for potential exfiltration. |[Domain: Cloud], [Data Source: Google Workspace], [Tactic: Collection], [Resources: Investigation Guide] |None |107 
@@ -872,7 +874,7 @@ and their rule type is `machine_learning`. |<> |A machine learning job has detected unusually high mean of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine. |[Use Case: Lateral Movement Detection], [Rule Type: ML], [Rule Type: Machine Learning], [Tactic: Lateral Movement] |None |4 -|<> |Detects a high number of unique private repo clone events originating from a single personal access token within a short time period. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Execution], [Data Source: Github] |None |2 +|<> |Detects a high number of unique private repo clone events originating from a single personal access token within a short time period. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Execution], [Data Source: Github] |8.12.0 |103 |<> |Detects when an Okta client address has a certain threshold of Okta user authentication events with multiple device token hashes generated for single user authentication. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. |[Use Case: Identity and Access Audit], [Data Source: Okta], [Tactic: Credential Access] |8.13.0 |3 
@@ -1040,7 +1042,7 @@ and their rule type is `machine_learning`. |<> |This rules identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name so that the OS automatically executes the file when it's double-clicked. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |None |7 -|<> |A member was removed or their invitation to join was removed from a GitHub Organization. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Impact], [Rule Type: BBR], [Data Source: Github] |None |2 +|<> |A member was removed or their invitation to join was removed from a GitHub Organization. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Impact], [Rule Type: BBR], [Data Source: Github] |8.12.0 |103 |<> |Identifies the creation of a memory dump file with an unusual extension, which can indicate an attempt to disguise a memory dump as another file type to bypass security defenses. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Defense Evasion], [Data Source: Elastic Defend], [Rule Type: BBR] |None |2 
@@ -1224,15 +1226,15 @@ and their rule type is `machine_learning`. |<> |Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Execution], [Data Source: Elastic Endgame], [Data Source: Elastic Defend], [Data Source: System], [Data Source: Microsoft Defender for Endpoint], [Data Source: Sysmon], [Data Source: SentinelOne] |8.13.0 |210 -|<> |This rule detects when a new GitHub App has been installed in your organization account. GitHub Apps extend GitHub's functionality both within and outside of GitHub. When an app is installed it is granted permissions to read or modify your repository and organization data. Only trusted apps should be installed and any newly installed apps should be investigated to verify their legitimacy. Unauthorized app installation could lower your organization's security posture and leave you exposed for future attacks. |[Domain: Cloud], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Github] |None |2 +|<> |This rule detects when a new GitHub App has been installed in your organization account. GitHub Apps extend GitHub's functionality both within and outside of GitHub. When an app is installed it is granted permissions to read or modify your repository and organization data. Only trusted apps should be installed and any newly installed apps should be investigated to verify their legitimacy. Unauthorized app installation could lower your organization's security posture and leave you exposed for future attacks. |[Domain: Cloud], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Github] |8.12.0 |103 -|<> |Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any new owner roles should be investigated to determine it's validity. 
Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Persistence], [Data Source: Github] |None |4 +|<> |Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any new owner roles should be investigated to determine it's validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Persistence], [Data Source: Github] |8.12.0 |105 |<> |Detects events where Okta behavior detection has identified a new authentication behavior. |[Use Case: Identity and Access Audit], [Tactic: Initial Access], [Data Source: Okta] |None |5 |<> |Detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta. |[Use Case: Identity and Access Audit], [Tactic: Persistence], [Data Source: Okta] |None |4 -|<> |A new user was added to a GitHub organization. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Persistence], [Rule Type: BBR], [Data Source: Github] |None |2 +|<> |A new user was added to a GitHub organization. |[Domain: Cloud], [Use Case: Threat Detection], [Use Case: UEBA], [Tactic: Persistence], [Rule Type: BBR], [Data Source: Github] |8.12.0 |103 |<> |Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Identity and Access Audit], [Tactic: Privilege Escalation] |None |207 diff --git a/docs/detections/prebuilt-rules/rule-desc-index.asciidoc b/docs/detections/prebuilt-rules/rule-desc-index.asciidoc index 33a0da2540..07f08fc431 100644 --- a/docs/detections/prebuilt-rules/rule-desc-index.asciidoc 
+++ b/docs/detections/prebuilt-rules/rule-desc-index.asciidoc @@ -93,6 +93,7 @@ include::rule-details/aws-ssm-command-document-created-by-rare-user.asciidoc[] include::rule-details/aws-ssm-sendcommand-execution-by-rare-user.asciidoc[] include::rule-details/aws-ssm-sendcommand-with-run-shell-command-parameters.asciidoc[] include::rule-details/aws-sts-assumerole-with-new-mfa-device.asciidoc[] +include::rule-details/aws-sts-assumeroot-by-rare-user-and-member-account.asciidoc[] include::rule-details/aws-sts-getcalleridentity-api-called-for-the-first-time.asciidoc[] include::rule-details/aws-sts-getsessiontoken-abuse.asciidoc[] include::rule-details/aws-sts-role-assumption-by-service.asciidoc[] diff --git a/docs/detections/prebuilt-rules/rule-details/aws-sts-assumeroot-by-rare-user-and-member-account.asciidoc b/docs/detections/prebuilt-rules/rule-details/aws-sts-assumeroot-by-rare-user-and-member-account.asciidoc new file mode 100644 index 0000000000..11da354c34 --- /dev/null +++ b/docs/detections/prebuilt-rules/rule-details/aws-sts-assumeroot-by-rare-user-and-member-account.asciidoc 
@@ -0,0 +1,157 @@ +[[aws-sts-assumeroot-by-rare-user-and-member-account]] +=== AWS STS AssumeRoot by Rare User and Member Account + +Identifies when the STS `AssumeRoot` action is performed by a rare user in AWS. The AssumeRoot action allows users to assume the root member account role, granting elevated but specific permissions based on the task policy specified. Adversaries whom may have compromised user credentials, such as access and secret keys, can use this technique to escalate privileges and gain unauthorized access to AWS resources. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies when the STS `AssumeRoot` action is performed by a user that rarely assumes this role and specific member account. + +*Rule type*: new_terms + +*Rule indices*: + +* filebeat-* +* logs-aws.cloudtrail-* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoot.html + +*Tags*: + +* Domain: Cloud +* Data Source: AWS +* Data Source: Amazon Web Services +* Data Source: AWS STS +* Resources: Investigation Guide +* Use Case: Identity and Access Audit +* Tactic: Privilege Escalation + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + + +*Triage and Analysis* + + + +*Investigating AWS STS AssumeRoot by Rare User and Member Account* + + +This rule identifies instances where AWS STS (Security Token Service) is used to assume a root role, granting temporary credentials for AWS resource access. While this action is often legitimate, it can be exploited by adversaries to obtain unauthorized access, escalate privileges, or move laterally within an AWS environment. 
+ + +*Possible Investigation Steps* + + +- **Identify the Actor and Assumed Role**: + - **User Identity**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` fields to determine who initiated the `AssumeRoot` action. + - **Account Context**: Check the `aws.cloudtrail.recipient_account_id` field for the account affected by the action. This is likely the management account. + - **Authentication**: If available, review the `aws.cloudtrail.user_identity.access_key_id` to identify the access key used for the action. This key may be compromised in the case of unauthorized activity. + - **Resources**: Inspect `aws.cloudtrail.resources.type` and `aws.cloudtrail.resources.arn` to determine the resource or role assumed. This is the member account where the root role was assumed. + +- **Analyze Request Parameters**: + - **Session Details**: Check `aws.cloudtrail.flattened.request_parameters.durationSeconds` for session duration. + - **Permissions**: Review `aws.cloudtrail.flattened.request_parameters.taskPolicyArn` for the associated policy. These policies are predefined and grant specific permissions to the assumed root account. + - **Target Entity**: Inspect the `aws.cloudtrail.flattened.request_parameters.targetPrincipal` field for the entity being accessed. This is typically the member account. + - **Target Policy**: Inspect the `aws.cloudtrail.flattened.request_parameters.targetPolicyArn` field for the policy applied to temporary root credentials. This can help determine the scope of the permissions granted. + +- **Examine Response Details**: + - **Credentials Issued**: Review `aws.cloudtrail.flattened.response_elements.credentials` to confirm credentials were issued and note their expiration (`expiration` field). The temporary access key can be used to pivot into other actions done by the assumed root account by searching for the value in `aws.cloudtrail.user_identity.access_key_id`. 
+ +- **Inspect Source Details**: + - **Source IP and Location**: Evaluate `source.address` and `source.geo` fields to confirm the request's origin. Unusual locations might indicate unauthorized activity. + - **User Agent**: Analyze `user_agent.original` to determine the tool or application used (e.g., AWS CLI, SDK, or custom tooling). + +- **Correlate with Related Events**: + - **Concurrent Events**: Look for surrounding CloudTrail events that indicate follow-up actions, such as access to sensitive resources or privilege escalation attempts. + - **Historical Activity**: Review historical activity for the `aws.cloudtrail.user_identity.arn` to determine if this action is anomalous. + +- **Evaluate Privilege Escalation Risk**: + - **Role Privileges**: Inspect the privileges granted by the assumed role or task policy (`aws.cloudtrail.flattened.request_parameters.taskPolicyArn`). + - **Operational Context**: Confirm whether the action aligns with routine operations or is unusual. + + +*False Positive Analysis* + + +- **Authorized Administrative Activity**: + - Verify if the activity was initiated by an AWS administrator for legitimate purposes. +- **Automated Workflows**: + - Identify if the action was part of an automated process or workflow. + + +*Response and Remediation* + + +1. **Revoke Unauthorized Credentials**: + - If malicious activity is identified, immediately revoke the session tokens and access keys associated with the `AssumeRoot` action. + - It may be worth removing the compromised access key from the affected user or service account. +2. **Enhance Monitoring**: + - Increase the monitoring frequency for sensitive roles and actions, especially `AssumeRoot`. +3. **Review IAM Policies**: + - Limit permissions for accounts or roles to assume root and enforce multi-factor authentication (MFA) where applicable. +4. 
**Contain and Investigate**: + - Isolate affected accounts or roles and follow incident response procedures to determine the scope and impact of the activity. + + +*Additional Information* + + +For more information on AssumeRoot, refer to the https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoot.html[AWS STS documentation]. + + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset: "aws.cloudtrail" + and event.provider: "sts.amazonaws.com" + and event.action: "AssumeRoot" + and event.outcome: "success" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Temporary Elevated Cloud Access +** ID: T1548.005 +** Reference URL: https://attack.mitre.org/techniques/T1548/005/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ +* Sub-technique: +** Name: Additional Cloud Roles +** ID: T1098.003 +** Reference URL: https://attack.mitre.org/techniques/T1098/003/ diff --git a/docs/detections/prebuilt-rules/rule-details/first-occurrence-github-event-for-a-personal-access-token-pat.asciidoc b/docs/detections/prebuilt-rules/rule-details/first-occurrence-github-event-for-a-personal-access-token-pat.asciidoc index 266958db26..98c72279e7 100644 --- a/docs/detections/prebuilt-rules/rule-details/first-occurrence-github-event-for-a-personal-access-token-pat.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/first-occurrence-github-event-for-a-personal-access-token-pat.asciidoc 
@@ -30,7 +30,7 @@ Detects a first occurrence event for a personal access token (PAT) not seen in t * Rule Type: BBR * Data Source: Github -*Version*: 2 +*Version*: 103 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-github-repo-interaction-from-a-new-ip.asciidoc b/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-github-repo-interaction-from-a-new-ip.asciidoc index 7a0a5e6c2b..6a41471ead 100644 --- a/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-github-repo-interaction-from-a-new-ip.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-github-repo-interaction-from-a-new-ip.asciidoc @@ -30,7 +30,7 @@ Detects an interaction with a private GitHub repository from a new IP address no * Rule Type: BBR * Data Source: Github -*Version*: 2 +*Version*: 103 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-github-user-interaction-with-private-repo.asciidoc b/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-github-user-interaction-with-private-repo.asciidoc index e13da11a9b..031f1ceb01 100644 --- a/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-github-user-interaction-with-private-repo.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-github-user-interaction-with-private-repo.asciidoc @@ -30,7 +30,7 @@ Detects a new private repo interaction for a GitHub user not seen in the last 14 * Rule Type: BBR * Data Source: Github -*Version*: 2 +*Version*: 103 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-ip-address-for-github-personal-access-token-pat.asciidoc b/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-ip-address-for-github-personal-access-token-pat.asciidoc index ddf48bfe49..d552cc3c20 100644 
--- a/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-ip-address-for-github-personal-access-token-pat.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-ip-address-for-github-personal-access-token-pat.asciidoc @@ -30,7 +30,7 @@ Detects a new IP address used for a GitHub PAT not previously seen in the last 1 * Rule Type: BBR * Data Source: Github -*Version*: 2 +*Version*: 103 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-ip-address-for-github-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-ip-address-for-github-user.asciidoc index d75b147504..1a64a5fdb0 100644 --- a/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-ip-address-for-github-user.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-ip-address-for-github-user.asciidoc @@ -30,7 +30,7 @@ Detects a new IP address used for a GitHub user not previously seen in the last * Rule Type: BBR * Data Source: Github -*Version*: 2 +*Version*: 103 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-personal-access-token-pat-use-for-a-github-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-personal-access-token-pat-use-for-a-github-user.asciidoc index 8c483732ad..3f502153f8 100644 --- a/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-personal-access-token-pat-use-for-a-github-user.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-personal-access-token-pat-use-for-a-github-user.asciidoc @@ -30,7 +30,7 @@ A new PAT was used for a GitHub user not previously seen in the last 14 days. * Rule Type: BBR * Data Source: Github -*Version*: 2 +*Version*: 103 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-private-repo-event-from-specific-github-personal-access-token-pat.asciidoc b/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-private-repo-event-from-specific-github-personal-access-token-pat.asciidoc index a68e0ef841..4583868c4f 100644 --- a/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-private-repo-event-from-specific-github-personal-access-token-pat.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-private-repo-event-from-specific-github-personal-access-token-pat.asciidoc @@ -30,7 +30,7 @@ Detects a new private repo interaction for a GitHub PAT not seen in the last 14 * Rule Type: BBR * Data Source: Github -*Version*: 2 +*Version*: 103 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-user-agent-for-a-github-personal-access-token-pat.asciidoc b/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-user-agent-for-a-github-personal-access-token-pat.asciidoc index 98170f935f..946f59f56e 100644 --- a/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-user-agent-for-a-github-personal-access-token-pat.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-user-agent-for-a-github-personal-access-token-pat.asciidoc @@ -30,7 +30,7 @@ Detects a new user agent used for a GitHub PAT not previously seen in the last 1 * Rule Type: BBR * Data Source: Github -*Version*: 2 +*Version*: 103 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-user-agent-for-a-github-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-user-agent-for-a-github-user.asciidoc index d3a6d38855..a555d734c6 100644 --- a/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-user-agent-for-a-github-user.asciidoc 
+++ b/docs/detections/prebuilt-rules/rule-details/first-occurrence-of-user-agent-for-a-github-user.asciidoc @@ -30,7 +30,7 @@ Detects a new user agent used for a GitHub user not previously seen in the last * Rule Type: BBR * Data Source: Github -*Version*: 2 +*Version*: 103 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/github-app-deleted.asciidoc b/docs/detections/prebuilt-rules/rule-details/github-app-deleted.asciidoc index b03014f187..a00a2e3974 100644 --- a/docs/detections/prebuilt-rules/rule-details/github-app-deleted.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/github-app-deleted.asciidoc @@ -28,7 +28,7 @@ Detects the deletion of a GitHub app either from a repo or an organization. * Tactic: Execution * Data Source: Github -*Version*: 2 +*Version*: 103 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/github-owner-role-granted-to-user.asciidoc b/docs/detections/prebuilt-rules/rule-details/github-owner-role-granted-to-user.asciidoc index d615905b56..fc4402b4c3 100644 --- a/docs/detections/prebuilt-rules/rule-details/github-owner-role-granted-to-user.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/github-owner-role-granted-to-user.asciidoc @@ -29,7 +29,7 @@ This rule detects when a member is granted the organization owner role of a GitH * Tactic: Persistence * Data Source: Github -*Version*: 4 +*Version*: 105 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/github-pat-access-revoked.asciidoc b/docs/detections/prebuilt-rules/rule-details/github-pat-access-revoked.asciidoc index 82ecc21eee..2549b2cebf 100644 --- a/docs/detections/prebuilt-rules/rule-details/github-pat-access-revoked.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/github-pat-access-revoked.asciidoc @@ -30,7 +30,7 @@ Access to private GitHub organization resources was revoked for a PAT. * Rule Type: BBR * Data Source: Github -*Version*: 2 +*Version*: 103 *Rule authors*: 
diff --git a/docs/detections/prebuilt-rules/rule-details/github-protected-branch-settings-changed.asciidoc b/docs/detections/prebuilt-rules/rule-details/github-protected-branch-settings-changed.asciidoc index 7ceea8e928..bc34fc02a0 100644 --- a/docs/detections/prebuilt-rules/rule-details/github-protected-branch-settings-changed.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/github-protected-branch-settings-changed.asciidoc @@ -28,7 +28,7 @@ This rule detects setting modifications for protected branches of a GitHub repos * Tactic: Defense Evasion * Data Source: Github -*Version*: 4 +*Version*: 105 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/github-repo-created.asciidoc b/docs/detections/prebuilt-rules/rule-details/github-repo-created.asciidoc index fa8aaa23c2..8dc744c451 100644 --- a/docs/detections/prebuilt-rules/rule-details/github-repo-created.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/github-repo-created.asciidoc @@ -30,7 +30,7 @@ A new GitHub repository was created. * Rule Type: BBR * Data Source: Github -*Version*: 2 +*Version*: 103 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/github-repository-deleted.asciidoc b/docs/detections/prebuilt-rules/rule-details/github-repository-deleted.asciidoc index b9d8a211f0..99f731d3ff 100644 --- a/docs/detections/prebuilt-rules/rule-details/github-repository-deleted.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/github-repository-deleted.asciidoc @@ -29,7 +29,7 @@ This rule detects when a GitHub repository is deleted within your organization. * Tactic: Impact * Data Source: Github -*Version*: 2 +*Version*: 102 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/github-user-blocked-from-organization.asciidoc b/docs/detections/prebuilt-rules/rule-details/github-user-blocked-from-organization.asciidoc index 2a936360b4..8df7a900cc 100644 
--- a/docs/detections/prebuilt-rules/rule-details/github-user-blocked-from-organization.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/github-user-blocked-from-organization.asciidoc @@ -30,7 +30,7 @@ A GitHub user was blocked from access to an organization. * Rule Type: BBR * Data Source: Github -*Version*: 2 +*Version*: 103 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/high-number-of-cloned-github-repos-from-pat.asciidoc b/docs/detections/prebuilt-rules/rule-details/high-number-of-cloned-github-repos-from-pat.asciidoc index 6682983960..9e96b22b07 100644 --- a/docs/detections/prebuilt-rules/rule-details/high-number-of-cloned-github-repos-from-pat.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/high-number-of-cloned-github-repos-from-pat.asciidoc @@ -29,7 +29,7 @@ Detects a high number of unique private repo clone events originating from a sin * Tactic: Execution * Data Source: Github -*Version*: 2 +*Version*: 103 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/member-removed-from-github-organization.asciidoc b/docs/detections/prebuilt-rules/rule-details/member-removed-from-github-organization.asciidoc index 81333e9f00..0965920bab 100644 --- a/docs/detections/prebuilt-rules/rule-details/member-removed-from-github-organization.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/member-removed-from-github-organization.asciidoc @@ -30,7 +30,7 @@ A member was removed or their invitation to join was removed from a GitHub Organ * Rule Type: BBR * Data Source: Github -*Version*: 2 +*Version*: 103 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/new-github-app-installed.asciidoc b/docs/detections/prebuilt-rules/rule-details/new-github-app-installed.asciidoc index a4a7270624..0d2fb9f466 100644 --- a/docs/detections/prebuilt-rules/rule-details/new-github-app-installed.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/new-github-app-installed.asciidoc 
@@ -28,7 +28,7 @@ This rule detects when a new GitHub App has been installed in your organization * Tactic: Execution * Data Source: Github -*Version*: 2 +*Version*: 103 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/new-github-owner-added.asciidoc b/docs/detections/prebuilt-rules/rule-details/new-github-owner-added.asciidoc index aa215c22ef..fd383a384c 100644 --- a/docs/detections/prebuilt-rules/rule-details/new-github-owner-added.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/new-github-owner-added.asciidoc @@ -29,7 +29,7 @@ Detects when a new member is added to a GitHub organization as an owner. This ro * Tactic: Persistence * Data Source: Github -*Version*: 4 +*Version*: 105 *Rule authors*: diff --git a/docs/detections/prebuilt-rules/rule-details/new-user-added-to-github-organization.asciidoc b/docs/detections/prebuilt-rules/rule-details/new-user-added-to-github-organization.asciidoc index ed2c1e5744..ac38b8c496 100644 --- a/docs/detections/prebuilt-rules/rule-details/new-user-added-to-github-organization.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/new-user-added-to-github-organization.asciidoc @@ -30,7 +30,7 @@ A new user was added to a GitHub organization. * Rule Type: BBR * Data Source: Github -*Version*: 2 +*Version*: 103 *Rule authors*: diff --git a/docs/index.asciidoc b/docs/index.asciidoc index 4b74831227..50ddd18cce 100644 --- a/docs/index.asciidoc +++ b/docs/index.asciidoc @@ -131,3 +131,5 @@ include::detections/prebuilt-rules/downloadable-packages/8-13-20/prebuilt-rules- include::detections/prebuilt-rules/downloadable-packages/8-13-21/prebuilt-rules-8-13-21-appendix.asciidoc[] include::detections/prebuilt-rules/downloadable-packages/8-13-22/prebuilt-rules-8-13-22-appendix.asciidoc[] + +include::detections/prebuilt-rules/downloadable-packages/8-13-23/prebuilt-rules-8-13-23-appendix.asciidoc[]
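Review bot: the rewritten `+` row for "New GitHub Owner Added" in the prebuilt-rules-reference.asciidoc hunk at @@ -1224,15 +1226,15 still reads "determine it's validity"; since the row is being replaced anyway, correct it to "its validity" here and in the matching description context of new-github-owner-added.asciidoc (@@ -29,7 +29,7), where the same sentence appears.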
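Review bot: the unchanged context row at @@ -1040,7 +1042,7 in prebuilt-rules-reference.asciidoc carries "This rules identifies" and "according to it's true filetype instead of it's extension" ("This rule identifies", "its"); not introduced by this version bump, but the generator source should be fixed in a follow-up so the table stops reproducing them.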
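Review bot: the description of the new aws-sts-assumeroot-by-rare-user-and-member-account.asciidoc uses Markdown link syntax, `[New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule)`, which AsciiDoc renders as literal brackets; use the `https://...[New Terms]` form that the same file already uses in the Additional Information paragraph (`https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoot.html[AWS STS documentation]`). In the same sentence, "Adversaries whom may have compromised user credentials" should read "Adversaries who may have compromised user credentials".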
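Review bot: the Target Policy bullet under Analyze Request Parameters in the investigation guide points analysts at `aws.cloudtrail.flattened.request_parameters.targetPolicyArn`, but the AssumeRoot API reference the rule itself links under References documents only `TargetPrincipal`, `TaskPolicyArn` and `DurationSeconds` as request parameters, and the preceding Permissions bullet already covers `taskPolicyArn`; confirm that a `targetPolicyArn` parameter actually appears in CloudTrail for this action, otherwise drop the bullet so the guide does not send investigators after a field that is never populated.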
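Review bot: the block under `==== Rule query` matches every successful `AssumeRoot` call (`event.dataset: "aws.cloudtrail" and event.provider: "sts.amazonaws.com" and event.action: "AssumeRoot" and event.outcome: "success"`), while the rarity the description promises ("a user that rarely assumes this role and specific member account") comes entirely from the new-terms configuration, which the page never states; add the new-terms fields (from the guide's own field list, presumably `aws.cloudtrail.user_identity.arn` together with the `targetPrincipal` request parameter, to be confirmed against the rule definition) and the history window, so readers can tell what "rare" means and why a first-time pairing alerts but a routine one does not.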
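Review bot: github-repository-deleted.asciidoc bumps `*Version*: 2` to `102` (@@ -29,7 +29,7) while every other GitHub rule in this batch goes from 2 to 103 or from 4 to 105; if the odd value is a generation artifact rather than an intentional version, align it with the rest, and either way note the rationale in the PR so the next docs update does not "correct" it.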
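Review bot: the new `include::detections/prebuilt-rules/downloadable-packages/8-13-23/prebuilt-rules-8-13-23-appendix.asciidoc[]` line in docs/index.asciidoc at @@ -131,3 +131,5 is preceded by an added blank line, whereas the 8-13-21 and 8-13-22 includes shown in the context sit on consecutive lines; drop the extra `+` blank line so the include list keeps one entry per line without gaps.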