{
"attributes": {
"author": [
"Elastic"
],
"description": "This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.",
"from": "now-9m",
"index": [
"logs-github.audit-*"
],
"language": "eql",
"license": "Elastic License v2",
"name": "GitHub Owner Role Granted To User",
"query": "iam where event.dataset == \"github.audit\" and event.action == \"org.update_member\" and github.permission == \"admin\"\n",
"related_integrations": [
{
"package": "github",
"version": "^2.0.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.dataset",
"type": "keyword"
},
{
"ecs": false,
"name": "github.permission",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "9b343b62-d173-4cfd-bd8b-e6379f964ca4",
"severity": "medium",
"tags": [
"Domain: Cloud",
"Use Case: Threat Detection",
"Use Case: UEBA",
"Tactic: Persistence",
"Data Source: Github"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0003",
"name": "Persistence",
"reference": "https://attack.mitre.org/tactics/TA0003/"
},
"technique": [
{
"id": "T1098",
"name": "Account Manipulation",
"reference": "https://attack.mitre.org/techniques/T1098/",
"subtechnique": [
{
"id": "T1098.003",
"name": "Additional Cloud Roles",
"reference": "https://attack.mitre.org/techniques/T1098/003/"
}
]
}
]
}
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 4
},
"id": "9b343b62-d173-4cfd-bd8b-e6379f964ca4_4",
"type": "security-rule"
}