Azure-Sentinel/Hunting Queries/GitHub/Oauth App Restrictions Disa...


id: 667e6a70-adc9-49b7-9cf3-f21927c71959
name: GitHub OAuth App Restrictions Disabled
description: |
  'This hunting query identifies GitHub organizations where OAuth App access restrictions were disabled, which may be a sign of compromise. An attacker who has gained owner rights will want to disable such security controls so that a malicious OAuth App can be authorized against the organization without detection.'
requiredDataConnectors: []
tactics:
  - Persistence
  - DefenseEvasion
relevantTechniques:
  - T1505
  - T1562
query: |
  GitHubAudit
  | where Action == "org.disable_oauth_app_restrictions"
  | project TimeGenerated, Action, Actor, Country
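The same hunting logic, re-implemented in Python and run over a handful of constructed GitHub audit-log events, as an added example that is not part of the Azure-Sentinel repository or of this query file. The `where`/`project` step mirrors the KQL above exactly; the `still_disabled` helper is an extra triage step a hunter would typically want, flagging organizations where the restriction was switched off and never switched back on. The JSON field names (`action`, `actor`, `org`, `created_at` in epoch milliseconds, `actor_location.country_code`) are assumed to follow GitHub's audit-log export shape, and the `org.enable_oauth_app_restrictions` counterpart name is assumed from GitHub's audit-log naming; only `org.disable_oauth_app_restrictions` comes from the query itself.

```python
"""Re-implementation of the 'GitHub OAuth App Restrictions Disabled' hunt over
constructed audit-log lines. Added example; not code from the Azure-Sentinel repo."""
from __future__ import annotations

import json
from datetime import datetime, timezone

# Action name taken from the hunting query on this page.
DISABLE_ACTION = "org.disable_oauth_app_restrictions"
# Counterpart action; name assumed from GitHub's audit-log naming convention.
ENABLE_ACTION = "org.enable_oauth_app_restrictions"

# Constructed sample events (NDJSON), in the assumed shape of a GitHub audit-log
# export: action, actor, org, created_at (epoch ms), actor_location.country_code.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"action": "org.add_member", "actor": "alice", "org": "contoso",
     "created_at": 1700000000000, "actor_location": {"country_code": "US"}},
    {"action": DISABLE_ACTION, "actor": "mallory", "org": "contoso",
     "created_at": 1700000600000, "actor_location": {"country_code": "RU"}},
    {"action": DISABLE_ACTION, "actor": "bob", "org": "fabrikam",
     "created_at": 1700001200000, "actor_location": {"country_code": "US"}},
    {"action": ENABLE_ACTION, "actor": "bob", "org": "fabrikam",
     "created_at": 1700001500000, "actor_location": {"country_code": "US"}},
    {"action": "repo.create", "actor": "carol", "org": "contoso",
     "created_at": 1700001800000, "actor_location": {"country_code": "DE"}},
])


def parse_events(ndjson: str) -> list[dict]:
    """Normalise raw export lines into the column names the KQL query uses."""
    events = []
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        raw = json.loads(line)
        events.append({
            "TimeGenerated": datetime.fromtimestamp(raw["created_at"] / 1000, tz=timezone.utc),
            "Action": raw["action"],
            "Actor": raw.get("actor", ""),
            "Org": raw.get("org", ""),
            # Assumed location field; missing values become an empty string.
            "Country": raw.get("actor_location", {}).get("country_code", ""),
        })
    return events


def hunt_oauth_restrictions_disabled(events: list[dict]) -> list[dict]:
    """Equivalent of:
    GitHubAudit
    | where Action == "org.disable_oauth_app_restrictions"
    | project TimeGenerated, Action, Actor, Country
    """
    projected = ("TimeGenerated", "Action", "Actor", "Country")
    return [{k: e[k] for k in projected} for e in events if e["Action"] == DISABLE_ACTION]


def still_disabled(events: list[dict]) -> list[dict]:
    """Triage helper: disable events for which no later enable event exists
    for the same organization. A legitimate admin toggling the setting off and
    back on is less interesting than a restriction that stays off."""
    hits = []
    for e in events:
        if e["Action"] != DISABLE_ACTION:
            continue
        re_enabled = any(
            o["Org"] == e["Org"]
            and o["Action"] == ENABLE_ACTION
            and o["TimeGenerated"] > e["TimeGenerated"]
            for o in events
        )
        if not re_enabled:
            hits.append(e)
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT_LOG)
    for hit in hunt_oauth_restrictions_disabled(evs):
        print(hit["TimeGenerated"].isoformat(), hit["Actor"], hit["Country"])
    for hit in still_disabled(evs):
        print("still disabled:", hit["Org"], "by", hit["Actor"])
```

On the constructed input the hunt returns two rows (mallory in contoso, bob in fabrikam); only contoso is still disabled, since bob re-enabled the restriction in fabrikam a few minutes later. In a real investigation the `Country` column is what makes the first row stand out: a disable action from a location the organization's owners do not normally log in from is the signal the description above is pointing at.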