Query Details

GitHub App Added To Org

Query

id: c098157d-9edd-41aa-8a11-f3b515eff098
name: 'New GitHub App added to GitHub Enterprise organization'
description: |
  'GitHub Apps will be added to extend your workflows and integrations in GitHub Enterprise. An attacker could use a malicious extension to conduct malicious activity. This query looks for new GitHub Apps that are not from a configurable list of approved apps.'
severity: Medium
requiredDataConnectors: []
queryFrequency: 4h
queryPeriod: 4h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
relevantTechniques:
  - T1505
query: |
  // Apps in this list never raise an alert; extend it with your approved integrations
  let allowed_apps = dynamic(["Dependabot"]);
  GitHubAuditLogPolling_CL
  // =~ is a case-insensitive string comparison on the audit-log action name
  | where action_s =~ "integration_installation.repositories_added"
  | extend appName = tostring(name_s)
  // !in is case-sensitive: the installed app name must match the allow-list entry exactly
  | where appName !in (allowed_apps)
  | extend organization = tostring(org_s)
  | project-reorder TimeGenerated, actor_s, org_s, organization
  // the polling connector stores the event time as Unix milliseconds in _timestamp_d
  | extend date_time = unixtime_milliseconds_todatetime(_timestamp_d)
  | project TimeGenerated = date_time, AccountCustomEntity = actor_s, organization = org_s, appName, action = action_s
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
version: 1.0.0

Explanation

This query looks for new GitHub Apps that are not on a list of approved apps. It reads the GitHubAuditLogPolling_CL table and keeps only events whose action is "integration_installation.repositories_added", i.e. an app being installed on one or more repositories. Events whose app name appears in the allowed_apps list are dropped, so every remaining row is an installation of an app that has not been approved; the output is then projected to the event time (converted from the Unix-millisecond _timestamp_d field), the acting user, the organization, the app name and the action. The query maps the "AccountCustomEntity" column to the "FullName" field of the Account entity. It runs every 4 hours over the previous 4 hours, fires when more than zero rows are returned, and has a medium severity level.
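The same allow-list check, written as an added Python example (not part of the original query or of the Sentinel content it was taken from) so the logic can be exercised offline against a handful of constructed audit-log rows. The row dictionaries, app names, actors and timestamps below are all made up for the example; the field names mirror the GitHubAuditLogPolling_CL columns the query uses. The example deliberately reproduces two KQL behaviours a practitioner should be aware of: the action match (=~) is case-insensitive, while the allow-list test (!in) is case-sensitive, so "dependabot" in lower case would still raise an alert; and a missing app name becomes an empty string (tostring of null), which is likewise not on the allow-list.

```python
from datetime import datetime, timezone

# Constructed sample rows in the shape of the GitHubAuditLogPolling_CL columns used by the query.
SAMPLE_ROWS = [
    # approved app: must not alert
    {"action_s": "integration_installation.repositories_added", "name_s": "Dependabot",
     "actor_s": "octocat", "org_s": "contoso", "_timestamp_d": 1643796000000.0},
    # unknown app, action name in mixed case: the =~ match is case-insensitive, so this alerts
    {"action_s": "Integration_Installation.Repositories_Added", "name_s": "unknown-ci-helper",
     "actor_s": "mallory", "org_s": "contoso", "_timestamp_d": 1643796300000.0},
    # lower-case spelling of an approved app: !in is case-sensitive, so this alerts
    {"action_s": "integration_installation.repositories_added", "name_s": "dependabot",
     "actor_s": "octocat", "org_s": "contoso", "_timestamp_d": 1643796600000.0},
    # unrelated action: filtered out before the allow-list check
    {"action_s": "repo.create", "name_s": "",
     "actor_s": "octocat", "org_s": "contoso", "_timestamp_d": 1643796900000.0},
    # installation event with no app name: tostring(null) is "", which is not allow-listed
    {"action_s": "integration_installation.repositories_added", "name_s": None,
     "actor_s": "mallory", "org_s": "contoso", "_timestamp_d": 1643797200000.0},
]

# Mirrors `let allowed_apps = dynamic(["Dependabot"]);` (case-sensitive membership).
ALLOWED_APPS = {"Dependabot"}
WATCHED_ACTION = "integration_installation.repositories_added"
TRIGGER_THRESHOLD = 0  # triggerOperator: gt, triggerThreshold: 0


def tostring(value):
    """KQL tostring(): null becomes an empty string."""
    return "" if value is None else str(value)


def unixtime_milliseconds_todatetime(ms):
    """KQL unixtime_milliseconds_todatetime(): Unix epoch milliseconds to a UTC datetime."""
    return datetime.fromtimestamp(ms / 1000.0, tz=timezone.utc)


def find_unapproved_app_installs(rows, allowed_apps=ALLOWED_APPS):
    """Return the projected rows the KQL query would emit for the given audit-log rows."""
    results = []
    for row in rows:
        # `where action_s =~ "..."`: case-insensitive comparison
        if tostring(row.get("action_s")).lower() != WATCHED_ACTION:
            continue
        app_name = tostring(row.get("name_s"))
        # `where appName !in (allowed_apps)`: exact, case-sensitive membership test
        if app_name in allowed_apps:
            continue
        results.append({
            "TimeGenerated": unixtime_milliseconds_todatetime(row["_timestamp_d"]),
            "AccountCustomEntity": row.get("actor_s"),
            "organization": tostring(row.get("org_s")),
            "appName": app_name,
            "action": row.get("action_s"),
        })
    return results


def alert_fires(results, threshold=TRIGGER_THRESHOLD):
    """Apply the rule's trigger: fire when the result count is greater than the threshold."""
    return len(results) > threshold


if __name__ == "__main__":
    hits = find_unapproved_app_installs(SAMPLE_ROWS)
    for hit in hits:
        print(hit["TimeGenerated"].isoformat(), hit["AccountCustomEntity"],
              hit["organization"], repr(hit["appName"]), hit["action"])
    print("alert fires:", alert_fires(hits))
```

Running it yields three hits out of the five constructed rows: the unknown app, the lower-case "dependabot" entry and the nameless installation. If the lower-case variant is a legitimate spelling in your tenant, the fix belongs in the allow-list (or in switching the KQL to the case-insensitive `!in~`), not in ignoring the alert.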

Details

Thomas Naunheim

Released: February 2, 2022

Tables

GitHubAuditLogPolling_CL

Keywords

GitHub,Apps,Extension,Attacker,Malicious,Activity,Query,List,Approved,AuditLog,Polling,Integration,Installation,Repositories,Organization,TimeGenerated,Actor,Org,Organization,Date_Time,AccountCustomEntity,Action,Account

Operators

where, extend, in, project-reorder, unixtime_milliseconds_todatetime, project