Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GitHub - pull request was created

GitHub - pull request was created

Back
Id0b85a077-8ba5-4cb5-90f7-1e882afe10c7
RulenameGitHub - pull request was created
DescriptionDetect activities when a pull request was created. This query runs every day and its severity is Medium.
SeverityMedium
TacticsInitialAccess
TechniquesT1078
KindScheduled
Query frequency1d
Query period7d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/GitHub - pull request was created.yaml
Version1.0.1
Arm template0b85a077-8ba5-4cb5-90f7-1e882afe10c7.json
Deploy To Azure
GitHubAuditData 
| where Action == "pull_request.create"
| project Actor, Action
| extend AccountName = tostring(split(Actor, "@")[0]), AccountUPNSuffix = tostring(split(Actor, "@")[1])

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/GitHub - pull request was created.yaml
queryFrequency: 1d
name: GitHub - pull request was created
severity: Medium
triggerThreshold: 0
query: |
  GitHubAuditData 
  | where Action == "pull_request.create"
  | project Actor, Action
  | extend AccountName = tostring(split(Actor, "@")[0]), AccountUPNSuffix = tostring(split(Actor, "@")[1])  
requiredDataConnectors: []
relevantTechniques:
- T1078
status: Available
triggerOperator: gt
queryPeriod: 7d
description: |
    'Detect activities when a pull request was created. This query runs every day and its severity is Medium.'
id: 0b85a077-8ba5-4cb5-90f7-1e882afe10c7
version: 1.0.1
entityMappings:
- fieldMappings:
  - columnName: Actor
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
  entityType: Account
kind: Scheduled
tactics:
- InitialAccess