Query Details
Fed Cred Created For Unknown Entity
Query
id: 1134336d-4ed5-4599-9512-29cbbfc4770f
name: 'Federated credentials has been created for unknown GitHub entity or repository outside of organization'
description: |
'Audit Event of added Identity Federated Credentials (SubjectIdentifier) will be correlated to GitHub Audit to filter repository which aren't exist in GitHub organization.'
severity: High
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1550.001
query: |
AuditLogs
| where OperationName has_any ("Update application")
| where Result =~ "success"
| extend initiatedByUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend initiatedByIP = tostring(InitiatedBy.user.ipAddress)
| extend targetDisplayName = tostring(TargetResources[0].displayName)
| extend targetId = tostring(TargetResources[0].id)
| extend targetType = tostring(TargetResources[0].type)
| extend keyEvents = TargetResources[0].modifiedProperties
| mv-expand keyEvents
| where keyEvents.displayName =~ "FederatedIdentityCredentials"
| extend new_value_set = parse_json(tostring(keyEvents.newValue))
| extend old_value_set = parse_json(tostring(keyEvents.oldValue))
| mv-expand new_value_set
| extend issuer = tostring(new_value_set.Issuer)
| where issuer == "https://token.actions.githubusercontent.com"
| extend subject = tostring(new_value_set.Subject)
| extend federatedCredentialName = tostring(new_value_set.Name)
| extend repoPath = tostring(split(subject, ":")[1])
| extend organization = split(repoPath, "/")[0]
| extend repository = split(repoPath, "/")[1]
| extend entityType = split(subject, ":")[2]
| extend entityValue = split(subject, ":")[3]
| join kind= leftouter (
GitHubAuditLogPolling_CL
| summarize arg_max(TimeGenerated, *) by repo_s
) on $left.repoPath == $right.repo_s
| where repoPath != repo_s
| project TimeGenerated, AccountCustomEntity = initiatedByUPN, IPCustomEntity = initiatedByIP, targetDisplayName, federatedCredentialName, targetType, organization, repository, entityType, entityValue
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0Explanation
This query is used to identify instances where federated credentials have been created for unknown GitHub entities or repositories outside of the organization. It looks for audit logs of successful updates to applications, filters for events related to federated identity credentials, and extracts relevant information such as the user who initiated the action, the target repository, and the organization. It then joins this information with GitHub audit logs to identify repositories that do not exist within the organization. The query is run daily and has a high severity level.
Details
Thomas Naunheim
Released: February 2, 2022
Tables
AuditLogsGitHubAuditLogPolling_CL
Keywords
AuditLogs,OperationName,Result,InitiatedBy,TargetResources,modifiedProperties,displayName,newValue,oldValue,Issuer,Subject,Name,repoPath,organization,repository,entityType,entityValue,GitHubAuditLogPolling_CL,TimeGenerated,AccountCustomEntity,IPCustomEntity,FullName,Address
Operators
wherehas_any=~extendmv-expandparse_jsonsplitjoinprojectsummarizearg_maxby