KQL Search

Query Details

HomeAI ToolsDevice Query

Git Hub Org Sensitive Change Actions

Query

id: 5b5a7809-bf88-4359-8d22-9bbd428c90e1
name: 'Sensitive changes and activities in GitHub organization'
description: |
  'Detection on pre-defined sensitive actions on organization-level in GitHub Enterprise'
severity: High
requiredDataConnectors: []
queryFrequency: 4h
queryPeriod: 4h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution 
  - DefenseEvasion
relevantTechniques:
  - T1578
query: |
  let SensitiveActions =  dynamic (["org.disable_two_factor_requirement", "org.enable_member_team_creation_permissio", "org.oauth_app_access_approved","members_can_delete_repos.disable","org.update_default_repository_permission","organization_domain.create","oauth_application.create","	integration_installation.repositories_added","org.disable_oauth_app_restrictions","org.update_actions_settings","org.create_actions_secret","dependency_graph.disable","dependabot_security_updates_new_repos.disable","org.update_actions_settings"]);
  // Add GitHub user names to Authorized Bypassers to ignore policy bypasses by certain authorized users
  let AuthorizedOrgOwner = dynamic(['GitHub1', 'GitHub2']);
  GitHubAuditLogPolling_CL
  | extend repository = repo_s
  | where action_s in (SensitiveActions)
  | where actor_s !in (AuthorizedOrgOwner)
  | extend date_time = unixtime_milliseconds_todatetime(_timestamp_d)
  | project TimeGenerated = date_time, AccountCustomEntity = actor_s, organization = org_s, action = action_s
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
version: 1.0.0

Explanation

This query is designed to detect sensitive changes and activities within a GitHub organization. It looks for specific actions that are considered sensitive and filters out any actions performed by authorized users. The query retrieves information such as the time the action was generated, the account involved, the organization, and the specific action performed. The query is run every 4 hours and covers a 4-hour period. The severity of this query is classified as high.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: January 29, 2022

Tables

GitHubAuditLogPolling_CL

Keywords

GitHub,SensitiveActions,AuthorizedOrgOwner,GitHubAuditLogPolling_CL,repo_s,action_s,actor_s,org_s,_timestamp_d,AccountCustomEntity,entityType,Account,FullName

Operators

idnamedescriptionseverityrequiredDataConnectorsqueryFrequencyqueryPeriodtriggerOperatortriggerThresholdtacticsrelevantTechniquesqueryletdynamicextendwhereinprojectentityTypefieldMappingsidentifiercolumnNameversion

Actions