Query Details

Sensitive changes and activities in GitHub organization

Git Hub Org Sensitive Change Actions

Query

let SensitiveActions =  dynamic (["org.disable_two_factor_requirement", "org.enable_member_team_creation_permissio", "org.oauth_app_access_approved","members_can_delete_repos.disable","org.update_default_repository_permission","organization_domain.create","oauth_application.create","	integration_installation.repositories_added","org.disable_oauth_app_restrictions","org.update_actions_settings","org.create_actions_secret","dependency_graph.disable","dependabot_security_updates_new_repos.disable","org.update_actions_settings"]);
// Add GitHub user names to Authorized Bypassers to ignore policy bypasses by certain authorized users
let AuthorizedOrgOwner = dynamic(['GitHub1', 'GitHub2']);
GitHubAuditLogPolling_CL
| extend repository = repo_s
| where action_s in (SensitiveActions)
| where actor_s !in (AuthorizedOrgOwner)
| extend date_time = unixtime_milliseconds_todatetime(_timestamp_d)
| project TimeGenerated = date_time, AccountCustomEntity = actor_s, organization = org_s, action = action_s

Explanation

This query is designed to monitor and detect sensitive actions within a GitHub organization, specifically targeting actions that could indicate potential security risks or policy violations. Here's a simplified breakdown:

  • Purpose: The query aims to identify and alert on specific sensitive activities occurring at the organization level in GitHub Enterprise. These activities are predefined and considered high-risk.

  • Severity: The alert generated by this query is classified as "High," indicating that the actions it detects are of significant concern.

  • Frequency: The query runs every 4 hours, checking for any occurrences of the specified sensitive actions within the last 4 hours.

  • Sensitive Actions: A list of actions considered sensitive includes disabling two-factor authentication requirements, changing repository permissions, creating OAuth applications, and other actions that could impact the security or integrity of the organization.

  • Authorized Bypassers: Certain GitHub users (e.g., 'GitHub1', 'GitHub2') are considered authorized to perform these actions without triggering an alert. This allows for legitimate actions by trusted users to be ignored.

  • Data Source: The query pulls data from the GitHubAuditLogPolling_CL table, which contains logs of actions performed within the GitHub organization.

  • Output: The query outputs a list of actions, including the time they occurred, the user who performed them, the organization involved, and the specific action taken.

  • Entity Mapping: The query maps the detected actions to user accounts for easier identification and tracking.

Overall, this query helps in maintaining the security posture of a GitHub organization by alerting administrators to potentially unauthorized or risky changes, while allowing for exceptions for trusted users.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: February 9, 2024

Tables

GitHubAuditLogPolling_CL

Keywords

GitHubOrganizationActionsSecurityUsers

Operators

letdynamicextendwherein!inunixtime_milliseconds_todatetimeproject

Severity

High

Tactics

ExecutionDefenseEvasion

MITRE Techniques

Frequency: 4h

Period: 4h

Actions

GitHub