GitHub - User was added to the organization

Back


Id	0b85a077-8ba5-4cb5-90f7-1e882afe10c4
Rulename	GitHub - User was added to the organization
Description	Detect activities when a user was added to the organization. This query runs every day and its severity is Medium.
Severity	Medium
Tactics	InitialAccess
Techniques	T1078
Kind	Scheduled
Query frequency	1d
Query period	7d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/GitHub - User was added to the organization.yaml
Version	1.0.1
Arm template	0b85a077-8ba5-4cb5-90f7-1e882afe10c4.json

KQL

GitHubAuditData
| where Action == "org.add_member"
| project Actor, Action
| extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)
| extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")

YAML

queryPeriod: 7d
queryFrequency: 1d
description: |
    'Detect activities when a user was added to the organization. This query runs every day and its severity is Medium.'
query: |
  GitHubAuditData
  | where Action == "org.add_member"
  | project Actor, Action
  | extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)
  | extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")  
requiredDataConnectors: []
id: 0b85a077-8ba5-4cb5-90f7-1e882afe10c4
status: Available
triggerOperator: gt
version: 1.0.1
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/GitHub - User was added to the organization.yaml
tactics:
- InitialAccess
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: Actor
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UPNSuffix
name: GitHub - User was added to the organization
relevantTechniques:
- T1078
severity: Medium

ARM