GitHubAuditData
| where Action == "org.add_member"
| project Actor, Action
| extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)
| extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")
id: 0b85a077-8ba5-4cb5-90f7-1e882afe10c4
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/GitHub - User was added to the organization.yaml
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: Actor
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
entityType: Account
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 7d
status: Available
query: |
GitHubAuditData
| where Action == "org.add_member"
| project Actor, Action
| extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)
| extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")
name: GitHub - User was added to the organization
kind: Scheduled
tactics:
- InitialAccess
severity: Medium
relevantTechniques:
- T1078
triggerThreshold: 0
version: 1.0.1
description: |
'Detect activities when a user was added to the organization. This query runs every day and its severity is Medium.'
