Federated credentials has been created for unknown GitHub entity or repository outside of organization
Fed Cred Created For Unknown Entity
Query
AuditLogs
| where OperationName has_any ("Update application")
| where Result =~ "success"
| extend initiatedByUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend initiatedByIP = tostring(InitiatedBy.user.ipAddress)
| extend targetDisplayName = tostring(TargetResources[0].displayName)
| extend targetId = tostring(TargetResources[0].id)
| extend targetType = tostring(TargetResources[0].type)
| extend keyEvents = TargetResources[0].modifiedProperties
| mv-expand keyEvents
| where keyEvents.displayName =~ "FederatedIdentityCredentials"
| extend new_value_set = parse_json(tostring(keyEvents.newValue))
| extend old_value_set = parse_json(tostring(keyEvents.oldValue))
| mv-expand new_value_set
| extend issuer = tostring(new_value_set.Issuer)
| where issuer == "https://token.actions.githubusercontent.com"
| extend subject = tostring(new_value_set.Subject)
| extend federatedCredentialName = tostring(new_value_set.Name)
| extend repoPath = tostring(split(subject, ":")[1])
| extend organization = split(repoPath, "/")[0]
| extend repository = split(repoPath, "/")[1]
| extend entityType = split(subject, ":")[2]
| extend entityValue = split(subject, ":")[3]
| join kind= leftouter (
GitHubAuditLogPolling_CL
| summarize arg_max(TimeGenerated, *) by repo_s
) on $left.repoPath == $right.repo_s
| where repoPath != repo_s
| project TimeGenerated, AccountCustomEntity = initiatedByUPN, IPCustomEntity = initiatedByIP, targetDisplayName, federatedCredentialName, targetType, organization, repository, entityType, entityValueExplanation
This query is designed to detect suspicious activity related to the creation of federated credentials for GitHub entities or repositories that are not part of an organization's GitHub account. Here's a simplified breakdown:
-
Purpose: The query identifies when federated credentials are created for GitHub entities or repositories that do not exist within the organization's GitHub account, which could indicate unauthorized access or configuration.
-
Severity: The alert generated by this query is considered high severity, indicating a significant security concern.
-
Data Source: The query analyzes audit logs to track changes related to application updates, specifically focusing on federated identity credentials.
-
Process:
- It filters audit logs for successful operations related to application updates.
- It extracts details about who initiated the change, including their user principal name and IP address.
- It examines the modified properties to identify changes related to federated identity credentials.
- It checks if the issuer of the credential is GitHub Actions (
https://token.actions.githubusercontent.com). - It parses the subject to extract the organization, repository, and entity details.
- It cross-references this information with GitHub audit logs to verify if the repository exists within the organization's GitHub account.
-
Alert Trigger: An alert is triggered if there are any federated credentials created for repositories that do not match those in the organization's GitHub audit logs.
-
Output: The query outputs details such as the time of the event, the user and IP address involved, the target application, and details about the federated credential and GitHub repository.
-
Entity Mappings: The query maps the user and IP address to security entities for further investigation.
This query runs daily and is part of a defense evasion tactic, specifically targeting the technique of exploiting federated authentication mechanisms.
Details

Thomas Naunheim
Released: February 9, 2024
Tables
Keywords
Operators
Severity
HighTactics
MITRE Techniques
Frequency: 1d
Period: 1d