Query Details

Repo Visibility Change To Public

Query

id: 0ad32398-a885-4133-acaa-acf999836080
name: 'GitHub repository becomes public'
description: |
  'Detection to trigger alerts if visibility of existing repository will be changed from private to public.'
severity: High
requiredDataConnectors: []
queryFrequency: 4h
queryPeriod: 4h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Collection
  - Persistence
  - DefenseEvasion
relevantTechniques:
  - T1213
  - T1098
  - T1562
query: |
  GitHubAuditLogPolling_CL
  | where visibility_s == "public" and previous_visibility_s == "private"
  | extend date_time = unixtime_milliseconds_todatetime(_timestamp_d)
  | extend organization = split(repo_s, "/")[0]
  | extend repository = split(repo_s, "/")[1]
  | project TimeGenerated = date_time, AccountCustomEntity = actor_s, organization, repository, action = action_s, visibility = visibility_s
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
version: 1.0.0

Explanation

This query detects when an existing GitHub repository changes from private to public visibility and raises an alert whenever such a change occurs; the event is rated High severity. The rule runs every 4 hours over the preceding 4 hours of GitHubAuditLogPolling_CL data (queryFrequency and queryPeriod are both 4h) and fires when the result count is greater than 0. For each matching audit record it converts the millisecond Unix timestamp to a datetime, splits the "org/repo" string into organization and repository, and projects the time of the event, the acting account (mapped to the Account entity via AccountCustomEntity), the organization, the repository name, the audit action, and the new visibility. The rule is mapped to the Collection, Persistence, and Defense Evasion tactics and to techniques T1213, T1098, and T1562. No additional data connectors are declared as required. The query version is 1.0.0.
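To make the detection logic concrete, the following is an added Python example (not part of the original rule or the Sentinel repository) that replays the same filter and projection over a handful of constructed rows shaped like the GitHubAuditLogPolling_CL table. The column names come from the query above; the row values, the "repo.access" and "repo.create" action names, and the "internal" visibility value are assumptions used only to illustrate which rows match and which do not.

```python
from datetime import datetime, timezone

# Constructed sample rows with the same column names the KQL query reads.
# Values are made up for this example; the action names are assumed.
SAMPLE_ROWS = [
    # private -> public: this is the case the rule is meant to catch
    {"_timestamp_d": 1643414400000.0, "actor_s": "alice",
     "repo_s": "contoso/internal-tools", "action_s": "repo.access",
     "visibility_s": "public", "previous_visibility_s": "private"},
    # public -> private: opposite direction, must not alert
    {"_timestamp_d": 1643418000000.0, "actor_s": "bob",
     "repo_s": "contoso/website", "action_s": "repo.access",
     "visibility_s": "private", "previous_visibility_s": "public"},
    # repository created as public: no previous visibility, must not alert
    {"_timestamp_d": 1643421600000.0, "actor_s": "carol",
     "repo_s": "contoso/new-repo", "action_s": "repo.create",
     "visibility_s": "public", "previous_visibility_s": None},
    # internal -> public (assumed GitHub Enterprise value): not matched
    # by the rule as written, because it only checks for "private"
    {"_timestamp_d": 1643425200000.0, "actor_s": "dave",
     "repo_s": "contoso/secrets-archive", "action_s": "repo.access",
     "visibility_s": "public", "previous_visibility_s": "internal"},
]


def unixtime_milliseconds_todatetime(ms):
    """Mirror of the KQL function: milliseconds since epoch -> UTC datetime."""
    return datetime.fromtimestamp(ms / 1000.0, tz=timezone.utc)


def detect_repo_made_public(rows):
    """Apply the rule's where / extend / project steps to a list of rows.

    Returns one projected record per matching audit event.
    """
    alerts = []
    for row in rows:
        # | where visibility_s == "public" and previous_visibility_s == "private"
        if not (row.get("visibility_s") == "public"
                and row.get("previous_visibility_s") == "private"):
            continue
        # | extend organization = split(repo_s, "/")[0]
        # | extend repository   = split(repo_s, "/")[1]
        parts = row["repo_s"].split("/")
        organization = parts[0]
        repository = parts[1] if len(parts) > 1 else None
        # | project TimeGenerated, AccountCustomEntity, organization, ...
        alerts.append({
            "TimeGenerated": unixtime_milliseconds_todatetime(row["_timestamp_d"]),
            "AccountCustomEntity": row["actor_s"],
            "organization": organization,
            "repository": repository,
            "action": row["action_s"],
            "visibility": row["visibility_s"],
        })
    return alerts


def should_trigger(alerts, threshold=0):
    """triggerOperator: gt, triggerThreshold: 0 -> alert when count > 0."""
    return len(alerts) > threshold


if __name__ == "__main__":
    hits = detect_repo_made_public(SAMPLE_ROWS)
    for hit in hits:
        print(hit)
    print("alert:", should_trigger(hits))
```

Running this against the constructed rows yields exactly one projected record (alice making contoso/internal-tools public). The fourth row is worth noting when tuning the rule: because the where clause tests `previous_visibility_s == "private"` literally, a change from any other non-public visibility to public would not match, so an organization that uses additional visibility levels should decide whether to widen the predicate to `visibility_s == "public" and previous_visibility_s != "public"`.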

Details


Thomas Naunheim

Released: January 29, 2022

Tables

GitHubAuditLogPolling_CL

Keywords

GitHub,repository,visibility,private,public,detection,alerts,existing,trigger,tactics,collection,persistence,defenseevasion,techniques,T1213,T1098,T1562,query,GitHubAuditLogPolling_CL,visibility_s,previous_visibility_s,date_time,unixtime_milliseconds_todatetime,_timestamp_d,organization,repo_s,repository,TimeGenerated,AccountCustomEntity,actor_s,action_s,visibility,entityMappings,Account,FullName

Operators

where, and, extend, split, project
