Query Details

Fed Cred Issued Repo Sensitive Action

Query

id: 065fd4ed-cce3-4f79-87de-d2d61490303b
name: 'Sensitive actions in GitHub repository with Entra ID Federated Credentials'
description: |
  'Detection on pre-defined sensitive actions in repository which are federated with Entra ID service principal'
severity: High
requiredDataConnectors: []
queryFrequency: 4h
queryPeriod: 4h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
  - DefenseEvasion
relevantTechniques:
  - T1578
query: |
  let GitHubFederated = _GetWatchlist('GitHubFederatedCredentials');
  let SensitiveActions =  dynamic (["repo.add_member", "protected_branch.destroy", "protected_branch.update_pull_request_reviews_enforcement_level","protected_branch.policy_override"]);
  let SensitivePermissionChange =  dynamic (["admin"]);
  let SensitiveEnvAction = dynamic(["environment.remove_protection_rule", "environment.remove_actions_secret"]);
  GitHubAuditLogPolling_CL
  | extend repository = repo_s
  | join kind=inner (GitHubFederated) on $left.repository == $right.Repo
  | where action_s in (SensitiveActions) or new_repo_permission_s in (SensitivePermissionChange) or (action_s in (SensitiveEnvAction) and name_s == Environment)
  | extend date_time = unixtime_milliseconds_todatetime(_timestamp_d)
  | extend organization = split(repo_s, "/")[0]
  | extend repository = split(repo_s, "/")[1]
  | project TimeGenerated = date_time, AccountCustomEntity = actor_s, organization, repository, action = action_s, newRepoPermission = new_repo_permission_s
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
version: 1.0.1

Explanation

This query detects sensitive actions in GitHub repositories that are federated with an Entra ID service principal. It matches three kinds of events: predefined sensitive actions (adding a member to a repository, destroying a protected branch, changing the pull request review enforcement level of a protected branch, and overriding a protected branch policy); permission changes that grant the "admin" repository permission; and sensitive environment actions (removing a protection rule or an Actions secret), which only count when the environment name in the event (name_s) matches the Environment column of the watchlist entry for that repository. The query reads the GitHubAuditLogPolling_CL table, inner-joins it with the GitHubFederatedCredentials watchlist on the repository name (so events from non-federated repositories are dropped), applies those filters, and outputs the event time, the acting account, the organization and repository names, the action, and any new repository permission. The rule runs every 4 hours over the previous 4 hours and raises a High-severity incident whenever at least one event matches.
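To make the matching logic concrete, the following is an added example (not part of the original rule or the author's code) that re-implements the KQL filter in Python over constructed sample audit-log rows and a constructed watchlist; it assumes the GitHubFederatedCredentials watchlist carries Repo and Environment columns, as the join and the name_s == Environment comparison imply.

```python
from datetime import datetime, timezone

# Constructed watchlist row; the real GitHubFederatedCredentials watchlist is
# assumed to carry a Repo and an Environment column, as the KQL requires.
WATCHLIST = [{"Repo": "contoso/payments-api", "Environment": "production"}]

SENSITIVE_ACTIONS = {"repo.add_member", "protected_branch.destroy",
                     "protected_branch.update_pull_request_reviews_enforcement_level",
                     "protected_branch.policy_override"}
SENSITIVE_PERMISSION_CHANGE = {"admin"}
SENSITIVE_ENV_ACTION = {"environment.remove_protection_rule", "environment.remove_actions_secret"}

def event(repo, action, actor, permission="", name="", ts=1695891600000):
    """Build a constructed sample row in the column shape of GitHubAuditLogPolling_CL."""
    return {"repo_s": repo, "action_s": action, "actor_s": actor,
            "new_repo_permission_s": permission, "name_s": name, "_timestamp_d": ts}

# Constructed sample events: the first three should alert, the last two should not.
EVENTS = [
    event("contoso/payments-api", "protected_branch.destroy", "alice"),            # sensitive action
    event("contoso/payments-api", "repo.update_member", "bob", permission="admin"),  # admin grant
    event("contoso/payments-api", "environment.remove_actions_secret", "carol",
          name="production"),                               # env matches watchlist Environment
    event("contoso/payments-api", "environment.remove_actions_secret", "dave",
          name="staging"),                                  # env not federated: no alert
    event("contoso/website", "protected_branch.destroy", "erin"),  # repo not federated: no alert
]

def detect(events, watchlist):
    """Mirror the KQL: inner join on Repo, apply the three conditions, project the output."""
    federated = {row["Repo"]: row for row in watchlist}
    alerts = []
    for ev in events:
        row = federated.get(ev["repo_s"])
        if row is None:                       # kind=inner drops non-federated repositories
            continue
        hit = (ev["action_s"] in SENSITIVE_ACTIONS
               or ev["new_repo_permission_s"] in SENSITIVE_PERMISSION_CHANGE
               or (ev["action_s"] in SENSITIVE_ENV_ACTION and ev["name_s"] == row["Environment"]))
        if not hit:
            continue
        org, repo = ev["repo_s"].split("/", 1)   # split(repo_s, "/")[0] and [1]
        alerts.append({
            "TimeGenerated": datetime.fromtimestamp(ev["_timestamp_d"] / 1000, tz=timezone.utc),
            "AccountCustomEntity": ev["actor_s"], "organization": org, "repository": repo,
            "action": ev["action_s"], "newRepoPermission": ev["new_repo_permission_s"],
        })
    return alerts
```

Running `detect(EVENTS, WATCHLIST)` yields three alerts (alice, bob, carol); the staging environment event and the non-federated repository event are filtered out exactly as the KQL join and where clause would drop them.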

Details

Thomas Naunheim

Released: September 28, 2023

Tables

GitHubAuditLogPolling_CL

Keywords

GitHub, EntraID, Credentials, SensitiveActions, Repository, ServicePrincipal, Execution, DefenseEvasion, T1578, GitHubFederatedCredentials, repo.add_member, protected_branch.destroy, protected_branch.update_pull_request_reviews_enforcement_level, protected_branch.policy_override, admin, environment.remove_protection_rule, environment.remove_actions_secret, GitHubAuditLogPolling_CL, repository, action_s, new_repo_permission_s, Environment, date_time, organization, repository, TimeGenerated, AccountCustomEntity, actor_s, newRepoPermission, Account, FullName

Operators

let, dynamic, _GetWatchlist, extend, join, on, where, or, and, in, split, project