Preview GitHub - Repository was created

Back


Id	0b85a077-8ba5-4cb5-90f7-1e882afe10c2
Rulename	(Preview) GitHub - Repository was created
Description	Detect activities when a repository was created. This query runs every day and its severity is Medium.
Severity	Medium
Tactics	InitialAccess
Techniques	T1078
Kind	Scheduled
Query frequency	1d
Query period	7d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/(Preview) GitHub - Repository was created.yaml
Version	1.0.1
Arm template	0b85a077-8ba5-4cb5-90f7-1e882afe10c2.json

KQL

GitHubAuditData
| where Action == "repo.create"
| extend AccountName = tostring(split(Actor, "@")[0]), AccountUPNSuffix = tostring(split(Actor, "@")[1])

YAML

tactics:
- InitialAccess
triggerOperator: gt
requiredDataConnectors: []
relevantTechniques:
- T1078
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: Actor
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  entityType: Account
id: 0b85a077-8ba5-4cb5-90f7-1e882afe10c2
queryPeriod: 7d
name: (Preview) GitHub - Repository was created
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/(Preview) GitHub - Repository was created.yaml
queryFrequency: 1d
description: |
    'Detect activities when a repository was created. This query runs every day and its severity is Medium.'
version: 1.0.1
query: |
  GitHubAuditData
  | where Action == "repo.create"
  | extend AccountName = tostring(split(Actor, "@")[0]), AccountUPNSuffix = tostring(split(Actor, "@")[1])  
triggerThreshold: 0
severity: Medium
status: Available
kind: Scheduled

ARM