GitHub - Oauth application - a client secret was removed

GitHubAuditData
| where Action == "oauth_application.remove_client_secret"
| extend AccountName = tostring(split(Actor, "@")[0]), AccountUPNSuffix = tostring(split(Actor, "@")[1])

name: GitHub - Oauth application - a client secret was removed
relevantTechniques:
- T1078
id: 0b85a077-8ba5-4cb5-90f7-1e882afe10c5
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/GitHub - Oauth application - a client secret was removed.yaml
requiredDataConnectors: []
version: 1.0.1
severity: Medium
triggerThreshold: 0
queryPeriod: 7d
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: Actor
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
  entityType: Account
queryFrequency: 1d
status: Available
query: |
  GitHubAuditData
  | where Action == "oauth_application.remove_client_secret"
  | extend AccountName = tostring(split(Actor, "@")[0]), AccountUPNSuffix = tostring(split(Actor, "@")[1])  
tactics:
- InitialAccess
kind: Scheduled
description: |
    'Detect activities when a client secret was removed. This query runs every day and its severity is Medium.'
triggerOperator: gt