Preview GitHub - User was invited to the repository

Back


Id	0b85a077-8ba5-4cb5-90f7-1e882afe40c9
Rulename	(Preview) GitHub - User was invited to the repository
Description	Detect activities when a user was invited to the repository. This query runs every day and its severity is Medium.
Severity	Medium
Tactics	InitialAccess
Techniques	T1078
Kind	Scheduled
Query frequency	1d
Query period	7d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/(Preview) GitHub - User was invited to the repository.yaml
Version	1.0.1
Arm template	0b85a077-8ba5-4cb5-90f7-1e882afe40c9.json

KQL

GitHubAuditData 
| where Action == "org.invite_member"
| project Actor, Action
| extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)
| extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")

YAML

description: |
    'Detect activities when a user was invited to the repository. This query runs every day and its severity is Medium.'
version: 1.0.1
triggerThreshold: 0
tactics:
- InitialAccess
queryPeriod: 7d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/(Preview) GitHub - User was invited to the repository.yaml
triggerOperator: gt
status: Available
id: 0b85a077-8ba5-4cb5-90f7-1e882afe40c9
name: (Preview) GitHub - User was invited to the repository
queryFrequency: 1d
severity: Medium
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: Actor
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
relevantTechniques:
- T1078
query: |
  GitHubAuditData 
  | where Action == "org.invite_member"
  | project Actor, Action
  | extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)
  | extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")  
requiredDataConnectors: []

ARM