Query Details
id: 9227adcb-e76e-46fa-8e67-a85ebda41fff
name: 'Invited "outside collaborators" as owner to GitHub organization'
description: |
  'Owner of GitHub organization has invited outside collaborator with owner permission.'
severity: High
requiredDataConnectors: []
queryFrequency: 4h
queryPeriod: 4h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
  - DefenseEvasion
relevantTechniques:
  - T1098
  - T1562
query: |
  // Left side: members added to the organization with the "admin" (owner) permission
  GitHubAuditLogPolling_CL
  | where action_s == "org.add_member" and permission_s == "admin"
  // Right side: the full audit table, joined on the ingestion timestamp so that the
  // matching invite event lands in the same row (right-side columns get the "1" suffix)
  | join kind=innerunique (
      GitHubAuditLogPolling_CL
    ) on $left.TimeGenerated == $right.TimeGenerated
  // Keep only admin adds that were paired with an invitation event
  | where action_s1 == "org.invite_member"
  // The audit event's own timestamp arrives as epoch milliseconds
  | extend date_time = unixtime_milliseconds_todatetime(_timestamp_d)
  | project TimeGenerated = date_time, AccountCustomEntity = actor_s, organization = org_s, invitedUser = user_s, action = action_s
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
version: 1.0.0

This query looks for instances where an owner of a GitHub organization has invited an outside collaborator with owner (admin) permissions. It searches the GitHubAuditLogPolling_CL audit log table for an "org.add_member" event whose permission is "admin" and joins it to an "org.invite_member" event with the same TimeGenerated value. The query runs every 4 hours over the preceding 4 hours, and the severity of this activity is considered high. The relevant techniques are T1098 and T1562, which are related to persistence and defense evasion. No additional data connectors are declared for this query.
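As an added illustration that is not part of the original rule or of the author's repository, the following Python script replicates the rule's join logic over a handful of constructed audit-log rows. The column names follow the custom-log fields the query references (TimeGenerated, _timestamp_d, action_s, permission_s, actor_s, org_s, user_s); the organization and user names are hypothetical. It also exercises the two cases the rule is designed not to fire on: an invite with ordinary write permission, and an admin add that has no invite at the same TimeGenerated.

```python
"""Replicate the Sentinel rule's detection over constructed GitHub audit-log rows.

The row shape is an assumption modelled on the columns the KQL query references;
all names and timestamps below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timezone

ADD_MEMBER = "org.add_member"
INVITE_MEMBER = "org.invite_member"


def unix_ms(iso: str) -> int:
    """ISO-8601 timestamp -> epoch milliseconds, the format _timestamp_d carries."""
    return int(datetime.fromisoformat(iso).timestamp() * 1000)


def event(time_generated: str, action: str, actor: str, org: str, user: str,
          permission: str = "") -> dict:
    """Build one row in the assumed shape of a GitHubAuditLogPolling_CL record."""
    return {
        "TimeGenerated": time_generated,
        "_timestamp_d": unix_ms(time_generated),
        "action_s": action,
        "permission_s": permission,
        "actor_s": actor,
        "org_s": org,
        "user_s": user,
    }


# Constructed sample rows (hypothetical organization and accounts).
SAMPLE_EVENTS = [
    # Owner invites an outside collaborator; the paired add_member carries "admin".
    event("2022-01-29T10:00:00+00:00", INVITE_MEMBER, "alice-owner", "contoso-org", "ext-contractor"),
    event("2022-01-29T10:00:00+00:00", ADD_MEMBER, "alice-owner", "contoso-org", "ext-contractor", "admin"),
    # Ordinary member invite: permission is "write", so the rule must not fire.
    event("2022-01-29T11:00:00+00:00", INVITE_MEMBER, "alice-owner", "contoso-org", "new-dev"),
    event("2022-01-29T11:00:00+00:00", ADD_MEMBER, "alice-owner", "contoso-org", "new-dev", "write"),
    # Admin add with no invite at the same TimeGenerated (e.g. an existing member
    # promoted): the join yields no org.invite_member row, so no alert.
    event("2022-01-29T12:00:00+00:00", ADD_MEMBER, "bob-owner", "contoso-org", "long-time-member", "admin"),
]


def find_owner_invites(events: list[dict]) -> list[dict]:
    """Mirror the rule: admin org.add_member rows joined to org.invite_member rows
    that share the same TimeGenerated, projected like the rule's output columns."""
    # Right side of the join: every row, indexed by the join key TimeGenerated.
    by_time = defaultdict(list)
    for e in events:
        by_time[e["TimeGenerated"]].append(e)

    alerts = []
    for left in events:
        # `where action_s == "org.add_member" and permission_s == "admin"`
        if left["action_s"] != ADD_MEMBER or left["permission_s"] != "admin":
            continue
        # `where action_s1 == "org.invite_member"`: keep admin adds that have an
        # invite at the same timestamp. kind=innerunique would also keep a single
        # left row per TimeGenerated; the sample has at most one admin add per
        # timestamp, so the result is identical here.
        if not any(r["action_s"] == INVITE_MEMBER for r in by_time[left["TimeGenerated"]]):
            continue
        alerts.append({
            # unixtime_milliseconds_todatetime(_timestamp_d)
            "TimeGenerated": datetime.fromtimestamp(left["_timestamp_d"] / 1000, tz=timezone.utc),
            "AccountCustomEntity": left["actor_s"],
            "organization": left["org_s"],
            "invitedUser": left["user_s"],
            "action": left["action_s"],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_owner_invites(SAMPLE_EVENTS):
        print(alert)
```

Running the script prints exactly one alert, for alice-owner inviting ext-contractor. The join key is TimeGenerated, the ingestion time of the custom-log rows, not the audit event's own _timestamp_d, so the rule depends on the org.invite_member and org.add_member rows being polled into the table in the same batch; confirm that holds for your connector before relying on the pairing.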

Thomas Naunheim
Released: January 29, 2022