-
Notifications
You must be signed in to change notification settings - Fork 78
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add YARA-L rules for GitHub Enterprise audit logs
PiperOrigin-RevId: 625766896
- Loading branch information
1 parent
517b6c5
commit e54ae8a
Showing
26 changed files
with
1,519 additions
and
0 deletions.
There are no files selected for viewing
75 changes: 75 additions & 0 deletions
75
..._to_personal_access_token_followed_by_high_number_of_cloned_non_public_repositories.yaral
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| /* | ||
| * Copyright 2024 Google LLC | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| rule github_access_granted_to_personal_access_token_followed_by_high_number_of_cloned_non_public_repositories { | ||
|
|
||
| meta: | ||
| author = "Google Cloud Security" | ||
| description = "Detects when a user grants access to a GitHub Personal Access Token prior to cloning several GitHub non-public GitHub repositories. An adversary may grant access to a Personal Access Token before attempting to steal the contents of several GitHub repositories using a an automated script or offensive tool." | ||
| assumption = "Your GitHub enterprise audit log settings are configured to log the source IP address for events. Reference: https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization" | ||
| type = "alert" | ||
| severity = "High" | ||
| priority = "High" | ||
| platform = "GitHub" | ||
| data_source = "github" | ||
| mitre_attack_tactic = "Collection" | ||
| mitre_attack_technique = "Data from Information Repositories: Code Repositories" | ||
| mitre_attack_url = "https://attack.mitre.org/versions/v14/techniques/T1213/003/" | ||
| mitre_attack_version = "v14" | ||
| reference = "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise" | ||
|
|
||
| events: | ||
| // GitHub Personal Access Token (PAT) access granted event | ||
| $github_pat.metadata.vendor_name = "GITHUB" | ||
| $github_pat.metadata.product_name = "GITHUB" | ||
| $github_pat.metadata.product_event_type = "personal_access_token.access_granted" | ||
|
|
||
| // GitHub repository clone event | ||
| $github_pat.metadata.vendor_name = "GITHUB" | ||
| $github_clone.metadata.product_name = "GITHUB" | ||
| $github_clone.metadata.product_event_type = "git.clone" | ||
| $github_clone.target.resource.name = $github_repo_name | ||
|
|
||
| // Join GitHub PAT access granted event to GitHub repository clone event | ||
| $github_pat.principal.user.userid = $github_clone.principal.user.userid | ||
|
|
||
| // Placeholder for match section | ||
| $github_pat.principal.user.userid = $user_id | ||
|
|
||
| // Ensure PAT access granted event occurred before repository clone events | ||
| $github_pat.metadata.event_timestamp.seconds < $github_clone.metadata.event_timestamp.seconds | ||
|
|
||
| match: | ||
| $user_id over 30m | ||
|
|
||
| outcome: | ||
| $github_repo_name_distinct_count = count_distinct($github_repo_name) | ||
| $risk_score = max(85) | ||
| $mitre_attack_tactic = "Collection" | ||
| $mitre_attack_technique = "Data from Information Repositories: Code Repositories" | ||
| $mitre_attack_technique_id = "T1213.003" | ||
| $event_count = count_distinct($github_clone.metadata.id) | ||
| $principal_ip = array_distinct($github_pat.principal.ip) | ||
| $principal_user_userid = array_distinct($github_pat.principal.user.userid) | ||
| $principal_ip_country = array_distinct($github_pat.principal.ip_geo_artifact.location.country_or_region) | ||
| $principal_ip_state = array_distinct($github_pat.principal.ip_geo_artifact.location.state) | ||
| $principal_ip_city = array_distinct($github_pat.principal.location.city) | ||
| $security_result_summary = array_distinct($github_pat.security_result.summary) | ||
|
|
||
| condition: | ||
| // Customize GitHub repo count to fit your environment | ||
| $github_pat and $github_clone and $github_repo_name_distinct_count > 5 | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| /* | ||
| * Copyright 2024 Google LLC | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| rule github_application_installed { | ||
|
|
||
| meta: | ||
| author = "Google Cloud Security" | ||
| description = "Detects when a GitHub application is installed within an organization. An untrusted application can be installed and granted permissions to access data within a GitHub organization." | ||
| assumption = "Your GitHub enterprise audit log settings are configured to log the source IP address for events. Reference: https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization" | ||
| type = "alert" | ||
| severity = "Low" | ||
| priority = "Low" | ||
| platform = "GitHub" | ||
| data_source = "github" | ||
| reference = "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise" | ||
|
|
||
| events: | ||
| $github.metadata.vendor_name = "GITHUB" | ||
| $github.metadata.product_name = "GITHUB" | ||
| $github.metadata.product_event_type = "integration_installation.create" | ||
|
|
||
| outcome: | ||
| $risk_score = max(35) | ||
| $principal_ip = array_distinct($github.principal.ip) | ||
| $principal_user_userid = array_distinct($github.principal.user.userid) | ||
| $principal_ip_country = array_distinct($github.principal.ip_geo_artifact.location.country_or_region) | ||
| $principal_ip_state = array_distinct($github.principal.ip_geo_artifact.location.state) | ||
| $principal_ip_city = array_distinct($github.principal.location.city) | ||
| $security_result_summary = array_distinct($github.security_result.summary) | ||
|
|
||
| condition: | ||
| $github | ||
| } |
67 changes: 67 additions & 0 deletions
67
community/github/github_dependabot_vulnerability_alerts_disabled.yaral
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| /* | ||
| * Copyright 2024 Google LLC | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| rule github_dependabot_vulnerability_alerts_disabled { | ||
|
|
||
| meta: | ||
| author = "Google Cloud Security" | ||
| description = "Detects when vulnerability alerts are disabled for GitHub Dependabot." | ||
| assumption = "Your GitHub enterprise audit log settings are configured to log the source IP address for events. Reference: https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization" | ||
| type = "alert" | ||
| severity = "High" | ||
| priority = "High" | ||
| platform = "GitHub" | ||
| data_source = "github" | ||
| mitre_attack_tactic = "Defense Evasion" | ||
| mitre_attack_technique = "Impair Defenses: Disable or Modify Tools" | ||
| mitre_attack_url = "https://attack.mitre.org/versions/v14/techniques/T1562/001/" | ||
| mitre_attack_version = "v14" | ||
| reference = "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise" | ||
|
|
||
| events: | ||
| $github.metadata.vendor_name = "GITHUB" | ||
| $github.metadata.product_name = "GITHUB" | ||
| ( | ||
| $github.metadata.product_event_type = "repository_vulnerability_alerts.disable" or | ||
| $github.metadata.product_event_type = "business_dependabot_alerts.disable" or | ||
| $github.metadata.product_event_type = "business_dependabot_alerts_new_repos.disable" or | ||
| $github.metadata.product_event_type = "dependabot_alerts.disable" or | ||
| $github.metadata.product_event_type = "dependabot_alerts_new_repos.disable" or | ||
| $github.metadata.product_event_type = "dependabot_security_updates.disable" or | ||
| $github.metadata.product_event_type = "dependabot_security_updates_new_repos.disable" | ||
| ) | ||
|
|
||
| $github.principal.user.userid = $user_id | ||
|
|
||
| match: | ||
| $user_id over 30m | ||
|
|
||
| outcome: | ||
| $risk_score = max(85) | ||
| $mitre_attack_tactic = "Defense Evasion" | ||
| $mitre_attack_technique = "Impair Defenses: Disable or Modify Tools" | ||
| $mitre_attack_technique_id = "T1562.001" | ||
| $event_count = count_distinct($github.metadata.id) | ||
| $principal_ip = array_distinct($github.principal.ip) | ||
| $principal_user_userid = array_distinct($github.principal.user.userid) | ||
| $principal_ip_country = array_distinct($github.principal.ip_geo_artifact.location.country_or_region) | ||
| $principal_ip_state = array_distinct($github.principal.ip_geo_artifact.location.state) | ||
| $principal_ip_city = array_distinct($github.principal.location.city) | ||
| $security_result_summary = array_distinct($github.security_result.summary) | ||
|
|
||
| condition: | ||
| $github | ||
| } |
53 changes: 53 additions & 0 deletions
53
community/github/github_enterprise_audit_log_stream_destroyed.yaral
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| /* | ||
| * Copyright 2024 Google LLC | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| rule github_enterprise_audit_log_stream_destroyed { | ||
|
|
||
| meta: | ||
| author = "Google Cloud Security" | ||
| description = "Detects when a GitHub audit log stream is destroyed. An adversary may attempt to destroy audit logs to erase their tracks." | ||
| assumption = "Your GitHub enterprise audit log settings are configured to log the source IP address for events. Reference: https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization" | ||
| type = "alert" | ||
| severity = "High" | ||
| priority = "High" | ||
| platform = "GitHub" | ||
| data_source = "github" | ||
| mitre_attack_tactic = "Defense Evasion" | ||
| mitre_attack_technique = "Impair Defenses: Disable or Modify Cloud Logs" | ||
| mitre_attack_url = "https://attack.mitre.org/versions/v14/techniques/T1562/008/" | ||
| mitre_attack_version = "v14" | ||
| reference = "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise" | ||
|
|
||
| events: | ||
| $github.metadata.vendor_name = "GITHUB" | ||
| $github.metadata.product_name = "GITHUB" | ||
| $github.metadata.product_event_type = "audit_log_streaming.destroy" | ||
|
|
||
| outcome: | ||
| $risk_score = max(85) | ||
| $mitre_attack_tactic = "Defense Evasion" | ||
| $mitre_attack_technique = "Impair Defenses: Disable or Modify Cloud Logs" | ||
| $mitre_attack_technique_id = "T1562.008" | ||
| $principal_ip = array_distinct($github.principal.ip) | ||
| $principal_user_userid = array_distinct($github.principal.user.userid) | ||
| $principal_ip_country = array_distinct($github.principal.ip_geo_artifact.location.country_or_region) | ||
| $principal_ip_state = array_distinct($github.principal.ip_geo_artifact.location.state) | ||
| $principal_ip_city = array_distinct($github.principal.location.city) | ||
| $security_result_summary = array_distinct($github.security_result.summary) | ||
|
|
||
| condition: | ||
| $github | ||
| } |
53 changes: 53 additions & 0 deletions
53
community/github/github_enterprise_audit_log_stream_modified.yaral
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| /* | ||
| * Copyright 2024 Google LLC | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| rule github_enterprise_audit_log_stream_modified { | ||
|
|
||
| meta: | ||
| author = "Google Cloud Security" | ||
| description = "Detects when a GitHub audit log stream is modified (e.g. paused, enabled, or disabled). An adversary may attempt to interrupt audit logging to erase their tracks." | ||
| assumption = "Your GitHub enterprise audit log settings are configured to log the source IP address for events. Reference: https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization" | ||
| type = "alert" | ||
| severity = "High" | ||
| priority = "High" | ||
| platform = "GitHub" | ||
| data_source = "github" | ||
| mitre_attack_tactic = "Defense Evasion" | ||
| mitre_attack_technique = "Impair Defenses: Disable or Modify Cloud Logs" | ||
| mitre_attack_url = "https://attack.mitre.org/versions/v14/techniques/T1562/008/" | ||
| mitre_attack_version = "v14" | ||
| reference = "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise" | ||
|
|
||
| events: | ||
| $github.metadata.vendor_name = "GITHUB" | ||
| $github.metadata.product_name = "GITHUB" | ||
| $github.metadata.product_event_type = "audit_log_streaming.update" | ||
|
|
||
| outcome: | ||
| $risk_score = max(85) | ||
| $mitre_attack_tactic = "Defense Evasion" | ||
| $mitre_attack_technique = "Impair Defenses: Disable or Modify Cloud Logs" | ||
| $mitre_attack_technique_id = "T1562.008" | ||
| $principal_ip = array_distinct($github.principal.ip) | ||
| $principal_user_userid = array_distinct($github.principal.user.userid) | ||
| $principal_ip_country = array_distinct($github.principal.ip_geo_artifact.location.country_or_region) | ||
| $principal_ip_state = array_distinct($github.principal.ip_geo_artifact.location.state) | ||
| $principal_ip_city = array_distinct($github.principal.location.city) | ||
| $security_result_summary = array_distinct($github.security_result.summary) | ||
|
|
||
| condition: | ||
| $github | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,59 @@ | ||
| /* | ||
| * Copyright 2024 Google LLC | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * https://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| rule github_enterprise_deleted { | ||
|
|
||
| meta: | ||
| author = "Google Cloud Security" | ||
| description = "Detects when a GitHub enterprise is deleted." | ||
| assumption = "Your GitHub enterprise audit log settings are configured to log the source IP address for events. Reference: https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization" | ||
| type = "alert" | ||
| severity = "High" | ||
| priority = "High" | ||
| platform = "GitHub" | ||
| data_source = "github" | ||
| mitre_attack_tactic = "Impact" | ||
| mitre_attack_technique = "Data Destruction" | ||
| mitre_attack_url = "https://attack.mitre.org/versions/v14/techniques/T1485/" | ||
| mitre_attack_version = "v14" | ||
| reference = "https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise" | ||
|
|
||
| events: | ||
| $github.metadata.vendor_name = "GITHUB" | ||
| $github.metadata.product_name = "GITHUB" | ||
| $github.metadata.product_event_type = "business.delete" | ||
| $github.principal.user.userid = $user_id | ||
| $github.target.user.company_name = $github_enterprise_name | ||
|
|
||
| match: | ||
| $user_id, $github_enterprise_name over 30m | ||
|
|
||
| outcome: | ||
| $risk_score = max(85) | ||
| $mitre_attack_tactic = "Impact" | ||
| $mitre_attack_technique = "Data Destruction" | ||
| $mitre_attack_technique_id = "T1485" | ||
| $event_count = count_distinct($github.metadata.id) | ||
| $principal_ip = array_distinct($github.principal.ip) | ||
| $principal_user_userid = array_distinct($github.principal.user.userid) | ||
| $principal_ip_country = array_distinct($github.principal.ip_geo_artifact.location.country_or_region) | ||
| $principal_ip_state = array_distinct($github.principal.ip_geo_artifact.location.state) | ||
| $principal_ip_city = array_distinct($github.principal.location.city) | ||
| $security_result_summary = array_distinct($github.security_result.summary) | ||
|
|
||
| condition: | ||
| $github | ||
| } |
Oops, something went wrong.