Query Details

GitHub repository becomes public

Repo Visibility Change To Public

Query

GitHubAuditLogPolling_CL
| where visibility_s == "public" and previous_visibility_s == "private"
| extend date_time = unixtime_milliseconds_todatetime(_timestamp_d)
| extend organization = split(repo_s, "/")[0]
| extend repository = split(repo_s, "/")[1]
| project TimeGenerated = date_time, AccountCustomEntity = actor_s, organization, repository, action = action_s, visibility = visibility_s

Explanation

This query is designed to monitor GitHub repositories for changes in their visibility settings. Specifically, it detects when a repository's visibility is changed from private to public, which could be a security concern. Here's a breakdown of the query and its components:

  • Purpose: To alert when a GitHub repository's visibility is changed from private to public.
  • Severity: High, indicating that this is a significant security event.
  • Frequency: The query runs every 4 hours, checking for any changes within the last 4 hours.
  • Trigger: An alert is triggered if there is more than 0 occurrence of this event (i.e., if any such change is detected).
  • Tactics: The query is associated with tactics like Collection, Persistence, and Defense Evasion, which are part of the MITRE ATT&CK framework.
  • Techniques: It relates to specific techniques such as T1213 (Data from Information Repositories), T1098 (Account Manipulation), and T1562 (Impair Defenses).
  • Query Logic:
    • It searches the GitHubAuditLogPolling_CL table for entries where the repository's visibility has changed from private to public.
    • It extracts and formats relevant details such as the timestamp of the change, the organization and repository names, the actor who made the change, and the action performed.
  • Entity Mapping: The query maps the actor who made the change to an account entity for further analysis or alerting.

In simple terms, this query helps security teams keep an eye on potentially risky changes in GitHub repository settings, ensuring that any unauthorized or accidental exposure of private code is quickly identified and addressed.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: February 9, 2024

Tables

GitHubAuditLogPolling_CL

Keywords

GitHubRepositoryVisibilityAccountOrganizationActorAction

Operators

whereandextendunixtime_milliseconds_todatetimesplitproject

Severity

High

Tactics

CollectionPersistenceDefenseEvasion

MITRE Techniques

Frequency: 4h

Period: 4h

Actions

GitHub