Azure-Sentinel/Hunting Queries/GitHub/Inactive or New Account Usa...

id: b8508e24-47a6-4f8e-9066-3cc937197e7f
name: GitHub Inactive or New Account Access or Usage
description: |
  'This hunting query identifies Accounts that are new or inactive and have accessed or used GitHub that may be a sign of compromise.'
requiredDataConnectors: []
tactics:
  - Persistence
relevantTechniques:
  - T1136
query: |

  let starttime = todatetime('{{StartTimeISO}}');
  let endtime = todatetime('{{EndTimeISO}}');
  let LearningPeriod = 7d;
  let EndLearningTime = starttime - LearningPeriod;
  let GitHubActorLogin = (GitHubAudit
  | where Actor != "");
  let GitHubUser = (GitHubAudit
  | where ImpactedUser != "");
  let GitHubNewActorLogin = (GitHubActorLogin
  | where TimeGenerated between (EndLearningTime .. starttime)
  | summarize makeset(Actor)
  | extend Dummy = 1
  | join kind=innerunique (
    GitHubActorLogin
    | where TimeGenerated between (starttime .. endtime)
    | distinct Actor
    | extend Dummy = 1
  ) on Dummy
  | project-away Dummy
  | where set_Actor  !contains Actor);
  let GitHubNewUser = ( GitHubUser
  | where TimeGenerated between (EndLearningTime .. starttime)
  | summarize makeset(ImpactedUser)
  | extend Dummy = 1
  | join kind=innerunique (
    GitHubUser
    | where TimeGenerated between (startime .. endtime)
    | distinct ImpactedUser
    | extend Dummy = 1
  ) on Dummy
  | project-away Dummy
  | where set_ImpactedUser !contains ImpactedUser);
  union GitHubNewActorLogin, GitHubNewUser
Initial 2020-06-02 17:50:39 +03:00			`id: b8508e24-47a6-4f8e-9066-3cc937197e7f`
			`name: GitHub Inactive or New Account Access or Usage`
			`description: \|`
			`'This hunting query identifies Accounts that are new or inactive and have accessed or used GitHub that may be a sign of compromise.'`
updated empty connector, moved Teams queries into OfficeActivity, updated some entity mappings 2021-02-05 02:31:02 +03:00			`requiredDataConnectors: []`
Initial 2020-06-02 17:50:39 +03:00			`tactics:`
			`- Persistence`
			`relevantTechniques:`
			`- T1136`
			`query: \|`

ASimProcess to LAQUeryLogs 2021-07-31 02:06:59 +03:00			`let starttime = todatetime('{{StartTimeISO}}');`
			`let endtime = todatetime('{{EndTimeISO}}');`
Initial 2020-06-02 17:50:39 +03:00			`let LearningPeriod = 7d;`
ASimProcess to LAQUeryLogs 2021-07-31 02:06:59 +03:00			`let EndLearningTime = starttime - LearningPeriod;`
more fixes 2020-06-10 05:01:38 +03:00			`let GitHubActorLogin = (GitHubAudit`
			`\| where Actor != "");`
			`let GitHubUser = (GitHubAudit`
			`\| where ImpactedUser != "");`
fixing queries 2020-06-02 22:41:31 +03:00			`let GitHubNewActorLogin = (GitHubActorLogin`
ASimProcess to LAQUeryLogs 2021-07-31 02:06:59 +03:00			`\| where TimeGenerated between (EndLearningTime .. starttime)`
more fixes 2020-06-10 05:01:38 +03:00			`\| summarize makeset(Actor)`
Initial 2020-06-02 17:50:39 +03:00			`\| extend Dummy = 1`
			`\| join kind=innerunique (`
			`GitHubActorLogin`
ASimProcess to LAQUeryLogs 2021-07-31 02:06:59 +03:00			`\| where TimeGenerated between (starttime .. endtime)`
more fixes 2020-06-10 05:01:38 +03:00			`\| distinct Actor`
Initial 2020-06-02 17:50:39 +03:00			`\| extend Dummy = 1`
			`) on Dummy`
			`\| project-away Dummy`
more fixes 2020-06-10 05:01:38 +03:00			`\| where set_Actor !contains Actor);`
fixing queries 2020-06-02 22:41:31 +03:00			`let GitHubNewUser = ( GitHubUser`
ASimProcess to LAQUeryLogs 2021-07-31 02:06:59 +03:00			`\| where TimeGenerated between (EndLearningTime .. starttime)`
more fixes 2020-06-10 05:01:38 +03:00			`\| summarize makeset(ImpactedUser)`
Initial 2020-06-02 17:50:39 +03:00			`\| extend Dummy = 1`
			`\| join kind=innerunique (`
			`GitHubUser`
ASimProcess to LAQUeryLogs 2021-07-31 02:06:59 +03:00			`\| where TimeGenerated between (startime .. endtime)`
more fixes 2020-06-10 05:01:38 +03:00			`\| distinct ImpactedUser`
Initial 2020-06-02 17:50:39 +03:00			`\| extend Dummy = 1`
			`) on Dummy`
			`\| project-away Dummy`
more fixes 2020-06-10 05:01:38 +03:00			`\| where set_ImpactedUser !contains ImpactedUser);`
Initial 2020-06-02 17:50:39 +03:00			`union GitHubNewActorLogin, GitHubNewUser`