GitHubAuditData
| where Action == "repo.create"
| extend AccountName = tostring(split(Actor, "@")[0]), AccountUPNSuffix = tostring(split(Actor, "@")[1])
query: |
GitHubAuditData
| where Action == "repo.create"
| extend AccountName = tostring(split(Actor, "@")[0]), AccountUPNSuffix = tostring(split(Actor, "@")[1])
severity: Medium
queryFrequency: 1d
entityMappings:
- entityType: Account
fieldMappings:
- columnName: Actor
identifier: FullName
- columnName: AccountName
identifier: Name
- columnName: AccountUPNSuffix
identifier: UPNSuffix
queryPeriod: 7d
version: 1.0.1
status: Available
relevantTechniques:
- T1078
id: 0b85a077-8ba5-4cb5-90f7-1e882afe10c2
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/(Preview) GitHub - Repository was created.yaml
description: |
'Detect activities when a repository was created. This query runs every day and its severity is Medium.'
triggerOperator: gt
tactics:
- InitialAccess
kind: Scheduled
name: (Preview) GitHub - Repository was created
requiredDataConnectors: []
