New GitHub App added to GitHub Enterprise organization
Git Hub App Added To Org
Query
let allowed_apps = dynamic(["Dependabot"]);
GitHubAuditLogPolling_CL
| where action_s =~ "integration_installation.repositories_added"
| extend appName = tostring(name_s)
| where appName !in (allowed_apps)
| extend organization = tostring(org_s)
| project-reorder TimeGenerated, actor_s, org_s, organization
| extend date_time = unixtime_milliseconds_todatetime(_timestamp_d)
| project TimeGenerated = date_time, AccountCustomEntity = actor_s, organization = org_s, appName , action = action_sExplanation
This query is designed to monitor a GitHub Enterprise organization for the addition of new GitHub Apps. It specifically looks for apps that are not part of a predefined list of approved apps (in this case, only "Dependabot" is approved). The purpose is to detect potentially malicious apps that could be used by attackers to perform harmful activities within the organization.
Here's a simple breakdown of the query:
- Purpose: To identify new GitHub Apps added to an organization that are not on an approved list.
- Severity: Medium, indicating a moderate level of concern.
- Frequency: The query runs every 4 hours and checks the last 4 hours of data.
- Trigger: It alerts if any unapproved app is detected (trigger threshold is greater than 0).
- Tactics: This falls under the "Persistence" tactic, suggesting that the concern is about maintaining unauthorized access.
- Relevant Techniques: It relates to the MITRE ATT&CK technique T1505, which involves server software components.
- Data Source: It uses logs from
GitHubAuditLogPolling_CL. - Process:
- It checks for actions related to adding repositories to integrations.
- It extracts the app name and checks if it is not in the allowed list.
- It captures details like the time of the event, the actor (who performed the action), the organization, and the app name.
- Output: The results include the time of the event, the actor's name, the organization, and the app name, which helps in identifying unauthorized app installations.
This query helps organizations maintain control over their GitHub environment by ensuring only approved apps are added, thereby reducing the risk of malicious activities.
Details

Thomas Naunheim
Released: February 9, 2024
Tables
GitHubAuditLogPolling_CL
Keywords
GitHubAppsOrganizationAccountIntegrationRepositories
Operators
letdynamic=~tostring!inproject-reorderunixtime_milliseconds_todatetimeproject
Severity
MediumTactics
Persistence
MITRE Techniques
Frequency: 4h
Period: 4h