GitHubAuditData
| where Visibility != PreviousVisibility
| project Actor, PreviousVisibility, Visibility
| extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)
| extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")
query: |
GitHubAuditData
| where Visibility != PreviousVisibility
| project Actor, PreviousVisibility, Visibility
| extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)
| extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")
version: 1.0.1
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/(Preview) GitHub - User visibility Was changed.yaml
status: Available
description: |
'Detect activities when a user visibility Was changed. This query runs every day and its severity is Medium.'
queryFrequency: 1d
name: (Preview) GitHub - User visibility Was changed
kind: Scheduled
triggerThreshold: 0
id: 0b85a077-8ba5-4cb5-90f7-1e882afe20c9
requiredDataConnectors: []
severity: Medium
queryPeriod: 7d
entityMappings:
- fieldMappings:
- columnName: Actor
identifier: FullName
- columnName: Name
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
entityType: Account
relevantTechniques:
- T1078
tactics:
- InitialAccess
