GitHub - pull request was merged

Back


Id	0b85a077-8ba5-4cb5-90f7-1e882afe10c6
Rulename	GitHub - pull request was merged
Description	Detect activities when a pull request was merged. This query runs every day and its severity is Medium.
Severity	Medium
Tactics	InitialAccess
Techniques	T1078
Kind	Scheduled
Query frequency	1d
Query period	7d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/GitHub - pull request was merged.yaml
Version	1.0.1
Arm template	0b85a077-8ba5-4cb5-90f7-1e882afe10c6.json

KQL

GitHubAuditData
| where Action == "pull_request.merge"
| project Actor, Action
| extend AccountName = tostring(split(Actor, "@")[0]), AccountUPNSuffix = tostring(split(Actor, "@")[1])

YAML

queryFrequency: 1d
triggerOperator: gt
query: |
  GitHubAuditData
  | where Action == "pull_request.merge"
  | project Actor, Action
  | extend AccountName = tostring(split(Actor, "@")[0]), AccountUPNSuffix = tostring(split(Actor, "@")[1])  
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Actor
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
triggerThreshold: 0
description: |
    'Detect activities when a pull request was merged. This query runs every day and its severity is Medium.'
requiredDataConnectors: []
status: Available
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/GitHub - pull request was merged.yaml
name: GitHub - pull request was merged
relevantTechniques:
- T1078
tactics:
- InitialAccess
severity: Medium
id: 0b85a077-8ba5-4cb5-90f7-1e882afe10c6
queryPeriod: 7d
kind: Scheduled

ARM