Invited "outside collaborators" as owner to GitHub organization
Invited Outside Collabs As Owner
Query
GitHubAuditLogPolling_CL
| where action_s == "org.add_member" and permission_s == "admin"
| join kind=innerunique (
GitHubAuditLogPolling_CL
) on $left.TimeGenerated == $right.TimeGenerated
| where action_s1 == "org.invite_member"
| extend date_time = unixtime_milliseconds_todatetime(_timestamp_d)
| project TimeGenerated = date_time, AccountCustomEntity = actor_s, organization = org_s, invitedUser = user_s, action = action_sExplanation
This query is designed to monitor a GitHub organization for security purposes. Here's a simple breakdown of what it does:
-
Purpose: The query checks if someone with owner permissions in a GitHub organization has invited an "outside collaborator" and granted them owner-level access. This is considered a high-severity action because it could pose a security risk.
-
Frequency: The query runs every 4 hours, looking back over the past 4 hours of data.
-
Trigger: The query triggers an alert if it finds any such activity (i.e., if the count of such events is greater than 0).
-
Tactics: It relates to tactics like Persistence (maintaining access) and Defense Evasion (avoiding detection).
-
Techniques: It maps to specific MITRE ATT&CK techniques, such as T1098 (Account Manipulation) and T1562 (Impair Defenses).
-
Data Source: It uses data from
GitHubAuditLogPolling_CL, which logs GitHub audit events. -
Logic:
- It looks for actions where a member is added to the organization with admin permissions.
- It joins this data with other audit log entries to find corresponding "invite member" actions.
- It extracts relevant details like the time of the event, the actor (who performed the action), the organization, and the invited user.
-
Output: The results include details such as when the event happened, who performed the action, which organization was affected, and who was invited.
-
Entity Mapping: It maps the actor's full name to an account entity for further analysis or alerting.
Overall, this query helps in identifying potentially risky behavior related to granting high-level access to external collaborators in a GitHub organization.
Details

Thomas Naunheim
Released: February 9, 2024
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 4h
Period: 4h