GitHub - User visibility Was changed

Back


Id	0b85a077-8ba5-4cb5-90f7-1e882afe20c9
Rulename	GitHub - User visibility Was changed
Description	Detect activities when a user visibility Was changed. This query runs every day and its severity is Medium.
Severity	Medium
Tactics	InitialAccess
Techniques	T1078
Kind	Scheduled
Query frequency	1d
Query period	7d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/GitHub - User visibility Was changed.yaml
Version	1.0.1
Arm template	0b85a077-8ba5-4cb5-90f7-1e882afe20c9.json

KQL

GitHubAuditData
| where Visibility != PreviousVisibility
| project Actor, PreviousVisibility, Visibility
| extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)
| extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/GitHub - User visibility Was changed.yaml
queryFrequency: 1d
name: GitHub - User visibility Was changed
severity: Medium
triggerThreshold: 0
query: |
  GitHubAuditData
  | where Visibility != PreviousVisibility
  | project Actor, PreviousVisibility, Visibility
  | extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)
  | extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")  
requiredDataConnectors: []
relevantTechniques:
- T1078
status: Available
triggerOperator: gt
queryPeriod: 7d
description: |
    'Detect activities when a user visibility Was changed. This query runs every day and its severity is Medium.'
id: 0b85a077-8ba5-4cb5-90f7-1e882afe20c9
version: 1.0.1
entityMappings:
- fieldMappings:
  - columnName: Actor
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
kind: Scheduled
tactics:
- InitialAccess

ARM