Query Details

GitHub Pull Request Policy Bypassing - Historic allow list

Pull Request Policy By Pass

Query

let starttime = 14d;
let endtime = 2d;
// Add GitHub user names to Authorized Bypassers to ignore policy bypasses by certain authorized users
let AuthorizedBypassers = dynamic(['GitHub1', 'GitHub2']);
let historicBypassers = GitHubAuditLogPolling_CL
| where TimeGenerated between (ago(starttime) .. ago(endtime))
| where action_s == "protected_branch.policy_override"
| distinct actor_s;
GitHubAuditLogPolling_CL
| where TimeGenerated >= ago(endtime)
| where action_s == "protected_branch.policy_override"
| where actor_s !in (historicBypassers) and actor_s !in (AuthorizedBypassers)
| extend date_time = unixtime_milliseconds_todatetime(_timestamp_d)
| extend organization = split(repo_s, "/")[0]
| extend repository = split(repo_s, "/")[1]
| project TimeGenerated = date_time, AccountCustomEntity = actor_s, organization = org_s, repository, branch = branch_s, action = action_s

Explanation

This query is designed to detect unauthorized bypasses of GitHub pull request policies. Here's a simple breakdown of what it does:

  1. Purpose: It identifies instances where someone bypasses a protected branch policy in GitHub, and flags those bypasses if they are not on an allow list.

  2. Allow List: There are two types of allow lists:

    • Authorized Bypassers: A predefined list of GitHub users (e.g., 'GitHub1', 'GitHub2') who are allowed to bypass policies.
    • Historic Bypassers: Users who have bypassed policies in the past (between 14 and 2 days ago) and are considered allowed based on historical data.
  3. Detection: The query checks for policy bypasses in the last 2 days. It flags any bypasses by users who are not on either the Authorized Bypassers list or the Historic Bypassers list.

  4. Output: For each flagged bypass, it provides details such as the time it occurred, the user who performed it, the organization, the repository, the branch, and the action taken.

  5. Severity: The severity of this detection is marked as high, indicating that unauthorized bypasses are considered a significant security concern.

  6. Frequency: The query runs daily to ensure timely detection of unauthorized bypasses.

In summary, this query helps maintain the integrity of GitHub repositories by ensuring that only authorized users can bypass pull request policies, and it alerts on any unauthorized attempts.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: February 9, 2024

Tables

GitHubAuditLogPolling_CL

Keywords

GitHubPullRequestPolicyBypassingHistoricAllowListExecution

Operators

letdynamicbetweenagodistinctwhere!inextendunixtime_milliseconds_todatetimesplitproject

Severity

High

Tactics

Execution

MITRE Techniques

Frequency: 1d

Period: 1d

Actions

GitHub