First Occurrence GitHub Event for a Personal Access Token (PAT)
Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days.
Rule type: new_terms
Rule indices:
- logs-github.audit-*
Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Use Case: Threat Detection
- Use Case: UEBA
- Tactic: Execution
- Rule Type: BBR
- Data Source: Github
Version: 207
Rule authors:
- Elastic
Rule license: Elastic License v2
event.dataset:"github.audit" and event.category:"configuration" and
event.action:* and github.hashed_token:* and
github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token")
Framework: MITRE ATT&CK
Tactic:
- Name: Execution
- Id: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Serverless Execution
- Id: T1648
- Reference URL: https://attack.mitre.org/techniques/T1648/
Framework: MITRE ATT&CK
Tactic:
- Name: Defense Evasion
- Id: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Use Alternate Authentication Material
- Id: T1550
- Reference URL: https://attack.mitre.org/techniques/T1550/
Sub Technique:
- Name: Application Access Token
- Id: T1550.001
- Reference URL: https://attack.mitre.org/techniques/T1550/001/
Framework: MITRE ATT&CK
Tactic:
- Name: Persistence
- Id: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Account Manipulation
- Id: T1098
- Reference URL: https://attack.mitre.org/techniques/T1098/
Sub Technique:
- Name: Additional Cloud Credentials
- Id: T1098.001
- Reference URL: https://attack.mitre.org/techniques/T1098/001/