GitHub - User was blocked

Back


Id	0b85a077-8ba5-4cb5-90f7-1e882afe10c8
Rulename	GitHub - User was blocked
Description	Detect activities when a user was blocked on the repository. This query runs every day and its severity is Medium.
Severity	Medium
Tactics	InitialAccess
Techniques	T1078
Kind	Scheduled
Query frequency	1d
Query period	7d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/GitHub - User was blocked.yaml
Version	1.0.1
Arm template	0b85a077-8ba5-4cb5-90f7-1e882afe10c8.json

KQL

GitHubAuditData
| where Action == "org.block_user"
| project Actor, Action 
| extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)
| extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")

YAML

query: |
  GitHubAuditData
  | where Action == "org.block_user"
  | project Actor, Action 
  | extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)
  | extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")  
version: 1.0.1
triggerOperator: gt
relevantTechniques:
- T1078
requiredDataConnectors: []
kind: Scheduled
tactics:
- InitialAccess
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Actor
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
description: |
    'Detect activities when a user was blocked on the repository. This query runs every day and its severity is Medium.'
queryFrequency: 1d
id: 0b85a077-8ba5-4cb5-90f7-1e882afe10c8
severity: Medium
status: Available
queryPeriod: 7d
name: GitHub - User was blocked
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/GitHub - User was blocked.yaml

ARM