GitHubAuditData
| where Action == "pull_request.create"
| project Actor, Action
| extend AccountName = tostring(split(Actor, "@")[0]), AccountUPNSuffix = tostring(split(Actor, "@")[1])
description: |
'Detect activities when a pull request was created. This query runs every day and its severity is Medium.'
version: 1.0.1
tactics:
- InitialAccess
queryFrequency: 1d
query: |
GitHubAuditData
| where Action == "pull_request.create"
| project Actor, Action
| extend AccountName = tostring(split(Actor, "@")[0]), AccountUPNSuffix = tostring(split(Actor, "@")[1])
status: Available
triggerOperator: gt
kind: Scheduled
triggerThreshold: 0
relevantTechniques:
- T1078
id: 0b85a077-8ba5-4cb5-90f7-1e882afe10c7
queryPeriod: 7d
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: Actor
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
entityType: Account
severity: Medium
name: GitHub - pull request was created
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/GitHub - pull request was created.yaml
requiredDataConnectors: []
