Query Details

Invited "outside collaborators" as owner to GitHub organization

Invited Outside Collabs As Owner

Query

GitHubAuditLogPolling_CL
| where action_s == "org.add_member" and permission_s == "admin"
| join kind=innerunique (
    GitHubAuditLogPolling_CL
    ) on $left.TimeGenerated == $right.TimeGenerated
| where action_s1 == "org.invite_member"
| extend date_time = unixtime_milliseconds_todatetime(_timestamp_d)
| project TimeGenerated = date_time, AccountCustomEntity = actor_s, organization = org_s, invitedUser = user_s, action = action_s

Explanation

This query is designed to monitor a GitHub organization for security purposes. Here's a simple breakdown of what it does:

  • Purpose: The query checks if someone with owner permissions in a GitHub organization has invited an "outside collaborator" and granted them owner-level access. This is considered a high-severity action because it could pose a security risk.

  • Frequency: The query runs every 4 hours, looking back over the past 4 hours of data.

  • Trigger: The query triggers an alert if it finds any such activity (i.e., if the count of such events is greater than 0).

  • Tactics: It relates to tactics like Persistence (maintaining access) and Defense Evasion (avoiding detection).

  • Techniques: It maps to specific MITRE ATT&CK techniques, such as T1098 (Account Manipulation) and T1562 (Impair Defenses).

  • Data Source: It uses data from GitHubAuditLogPolling_CL, which logs GitHub audit events.

  • Logic:

    1. It looks for actions where a member is added to the organization with admin permissions.
    2. It joins this data with other audit log entries to find corresponding "invite member" actions.
    3. It extracts relevant details like the time of the event, the actor (who performed the action), the organization, and the invited user.
  • Output: The results include details such as when the event happened, who performed the action, which organization was affected, and who was invited.

  • Entity Mapping: It maps the actor's full name to an account entity for further analysis or alerting.

Overall, this query helps in identifying potentially risky behavior related to granting high-level access to external collaborators in a GitHub organization.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: February 9, 2024

Tables

GitHubAuditLogPolling_CL

Keywords

GitHubOrganizationOwnerCollaboratorPermissionAccount

Operators

whereandjoinon==extendunixtime_milliseconds_todatetimeproject

Severity

High

Tactics

PersistencePersistenceDefenseEvasion

MITRE Techniques

Frequency: 4h

Period: 4h

Actions

GitHub