GitHub repository becomes public
Repo Visibility Change To Public
Query
GitHubAuditLogPolling_CL
| where visibility_s == "public" and previous_visibility_s == "private"
| extend date_time = unixtime_milliseconds_todatetime(_timestamp_d)
| extend organization = split(repo_s, "/")[0]
| extend repository = split(repo_s, "/")[1]
| project TimeGenerated = date_time, AccountCustomEntity = actor_s, organization, repository, action = action_s, visibility = visibility_sExplanation
This query is designed to monitor GitHub repositories for changes in their visibility settings. Specifically, it detects when a repository's visibility is changed from private to public, which could be a security concern. Here's a breakdown of the query and its components:
- Purpose: To alert when a GitHub repository's visibility is changed from private to public.
- Severity: High, indicating that this is a significant security event.
- Frequency: The query runs every 4 hours, checking for any changes within the last 4 hours.
- Trigger: An alert is triggered if there is more than 0 occurrence of this event (i.e., if any such change is detected).
- Tactics: The query is associated with tactics like Collection, Persistence, and Defense Evasion, which are part of the MITRE ATT&CK framework.
- Techniques: It relates to specific techniques such as T1213 (Data from Information Repositories), T1098 (Account Manipulation), and T1562 (Impair Defenses).
- Query Logic:
- It searches the
GitHubAuditLogPolling_CLtable for entries where the repository's visibility has changed from private to public. - It extracts and formats relevant details such as the timestamp of the change, the organization and repository names, the actor who made the change, and the action performed.
- It searches the
- Entity Mapping: The query maps the actor who made the change to an account entity for further analysis or alerting.
In simple terms, this query helps security teams keep an eye on potentially risky changes in GitHub repository settings, ensuring that any unauthorized or accidental exposure of private code is quickly identified and addressed.
Details

Thomas Naunheim
Released: February 9, 2024
Tables
GitHubAuditLogPolling_CL
Keywords
GitHubRepositoryVisibilityAccountOrganizationActorAction
Operators
whereandextendunixtime_milliseconds_todatetimesplitproject
Severity
HighTactics
CollectionPersistenceDefenseEvasion
Frequency: 4h
Period: 4h