Sensitive changes and activities in GitHub organization
Git Hub Org Sensitive Change Actions
Query
let SensitiveActions = dynamic (["org.disable_two_factor_requirement", "org.enable_member_team_creation_permissio", "org.oauth_app_access_approved","members_can_delete_repos.disable","org.update_default_repository_permission","organization_domain.create","oauth_application.create"," integration_installation.repositories_added","org.disable_oauth_app_restrictions","org.update_actions_settings","org.create_actions_secret","dependency_graph.disable","dependabot_security_updates_new_repos.disable","org.update_actions_settings"]);
// Add GitHub user names to Authorized Bypassers to ignore policy bypasses by certain authorized users
let AuthorizedOrgOwner = dynamic(['GitHub1', 'GitHub2']);
GitHubAuditLogPolling_CL
| extend repository = repo_s
| where action_s in (SensitiveActions)
| where actor_s !in (AuthorizedOrgOwner)
| extend date_time = unixtime_milliseconds_todatetime(_timestamp_d)
| project TimeGenerated = date_time, AccountCustomEntity = actor_s, organization = org_s, action = action_sExplanation
This query is designed to monitor and detect sensitive actions within a GitHub organization, specifically targeting actions that could indicate potential security risks or policy violations. Here's a simplified breakdown:
-
Purpose: The query aims to identify and alert on specific sensitive activities occurring at the organization level in GitHub Enterprise. These activities are predefined and considered high-risk.
-
Severity: The alert generated by this query is classified as "High," indicating that the actions it detects are of significant concern.
-
Frequency: The query runs every 4 hours, checking for any occurrences of the specified sensitive actions within the last 4 hours.
-
Sensitive Actions: A list of actions considered sensitive includes disabling two-factor authentication requirements, changing repository permissions, creating OAuth applications, and other actions that could impact the security or integrity of the organization.
-
Authorized Bypassers: Certain GitHub users (e.g., 'GitHub1', 'GitHub2') are considered authorized to perform these actions without triggering an alert. This allows for legitimate actions by trusted users to be ignored.
-
Data Source: The query pulls data from the
GitHubAuditLogPolling_CLtable, which contains logs of actions performed within the GitHub organization. -
Output: The query outputs a list of actions, including the time they occurred, the user who performed them, the organization involved, and the specific action taken.
-
Entity Mapping: The query maps the detected actions to user accounts for easier identification and tracking.
Overall, this query helps in maintaining the security posture of a GitHub organization by alerting administrators to potentially unauthorized or risky changes, while allowing for exceptions for trusted users.
