GitHub - User was invited to the repository

GitHubAuditData 
| where Action == "org.invite_member"
| project Actor, Action
| extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)
| extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")

requiredDataConnectors: []
relevantTechniques:
- T1078
triggerOperator: gt
version: 1.0.1
queryFrequency: 1d
severity: Medium
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - columnName: Actor
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
name: GitHub - User was invited to the repository
query: |
  GitHubAuditData 
  | where Action == "org.invite_member"
  | project Actor, Action
  | extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)
  | extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")  
tactics:
- InitialAccess
queryPeriod: 7d
description: |
    'Detect activities when a user was invited to the repository. This query runs every day and its severity is Medium.'
kind: Scheduled
id: 0b85a077-8ba5-4cb5-90f7-1e882afe40c9
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/GitHub - User was invited to the repository.yaml
status: Available