Azure-Sentinel/Hunting Queries/GitHub/Org Repositories Default Pe...

id: ec986fb7-34ed-4528-a5f3-a496e61d8860
name: GitHub Update Permissions
description: |
  'This hunting query identifies GitHub activites where permissions are updated that may be a sign of compromise.'
requiredDataConnectors: []
tactics:
  - Persistence
  - DefenseEvasion
relevantTechniques:
  - T1098
  - T1562
query: |

  GitHubAudit
  | where Action == "org.update_default_repository_permission"
  | project TimeGenerated, Action, Actor, Country, Repository, PreviousPermission, CurrentPermission
Initial 2020-06-02 17:50:39 +03:00			`id: ec986fb7-34ed-4528-a5f3-a496e61d8860`
			`name: GitHub Update Permissions`
			`description: \|`
			`'This hunting query identifies GitHub activites where permissions are updated that may be a sign of compromise.'`
updated empty connector, moved Teams queries into OfficeActivity, updated some entity mappings 2021-02-05 02:31:02 +03:00			`requiredDataConnectors: []`
Initial 2020-06-02 17:50:39 +03:00			`tactics:`
			`- Persistence`
removed whitespaces from Defense Evasion 2020-07-28 22:04:51 +03:00			`- DefenseEvasion`
Initial 2020-06-02 17:50:39 +03:00			`relevantTechniques:`
			`- T1098`
Removed the deprecated MITRE techniques from hunting and detection queries and updating them with the latest ones that seem most appropriate. TechniqueId TechniqueName New T1483 Domain Generation Algorithms T1568 T1064 Scripting T1059 T1043 Commonly Used Port T1071 T1065 Uncommonly Used Port T1571 T1100 Web Shell T1505 T1089 Disabling Security Tools T1562 T1035 Service Execution ( Removed totally T1035 without replacement) T1109 Component Firmware T1542 T10178 T1078 2021-08-12 20:58:18 +03:00			`- T1562`
Initial 2020-06-02 17:50:39 +03:00			`query: \|`

more fixes 2020-06-10 05:01:38 +03:00			`GitHubAudit`
			`\| where Action == "org.update_default_repository_permission"`
			`\| project TimeGenerated, Action, Actor, Country, Repository, PreviousPermission, CurrentPermission`