Sensitive actions in GitHub repository with Entra ID Federated Credentials
Fed Cred Issued Repo Sensitive Action
Query
let GitHubFederated = _GetWatchlist('GitHubFederatedCredentials');
let SensitiveActions = dynamic (["repo.add_member", "protected_branch.destroy", "protected_branch.update_pull_request_reviews_enforcement_level","protected_branch.policy_override"]);
let SensitivePermissionChange = dynamic (["admin"]);
let SensitiveEnvAction = dynamic(["environment.remove_protection_rule", "environment.remove_actions_secret"]);
GitHubAuditLogPolling_CL
| extend repository = repo_s
| join kind=inner (GitHubFederated) on $left.repository == $right.Repo
| where action_s in (SensitiveActions) or new_repo_permission_s in (SensitivePermissionChange) or (action_s in (SensitiveEnvAction) and name_s == Environment)
| extend date_time = unixtime_milliseconds_todatetime(_timestamp_d)
| extend organization = split(repo_s, "/")[0]
| extend repository = split(repo_s, "/")[1]
| project TimeGenerated = date_time, AccountCustomEntity = actor_s, organization, repository, action = action_s, newRepoPermission = new_repo_permission_sExplanation
This KQL query is designed to detect sensitive actions occurring in GitHub repositories that are linked with Entra ID federated credentials. Here's a simplified breakdown:
-
Purpose: The query identifies specific sensitive actions within GitHub repositories that are associated with Entra ID service principals. These actions could indicate potential security risks or unauthorized access.
-
Severity: The severity level of this detection is marked as "High," indicating that the actions being monitored are critical and could pose significant security threats.
-
Frequency and Period: The query runs every 4 hours and checks for events that occurred within the last 4 hours.
-
Triggers: The query triggers an alert if there is more than zero occurrence of the specified actions.
-
Tactics and Techniques: The query is associated with the tactics of "Execution" and "Defense Evasion," and it relates to the MITRE ATT&CK technique T1578.
-
Sensitive Actions: The query looks for specific actions such as adding members to a repository, destroying or updating protected branches, overriding branch policies, and changing repository permissions to "admin." It also checks for actions related to removing environment protection rules or secrets.
-
Data Source: The query uses data from the
GitHubAuditLogPolling_CLtable and cross-references it with a watchlist named 'GitHubFederatedCredentials' to identify relevant repositories. -
Output: The query outputs details such as the time of the action, the account involved, the organization and repository names, the action performed, and any new repository permissions granted.
-
Entity Mapping: The query maps the account involved in the action to an entity type "Account" for further analysis or alerting.
Overall, this query helps in monitoring and alerting on potentially risky actions in GitHub repositories that are integrated with Entra ID, aiding in the detection of unauthorized or suspicious activities.
Details

Thomas Naunheim
Released: February 9, 2024
Tables
Keywords
Operators
Severity
HighTactics
MITRE Techniques
Frequency: 4h
Period: 4h