Azure-Sentinel/Hunting Queries/GitHub/Org Repositories Default Permissions Change.yaml

id: ec986fb7-34ed-4528-a5f3-a496e61d8860
name: GitHub Update Permissions
description: |
  'This hunting query identifies GitHub activites where permissions are updated that may be a sign of compromise.'  
requiredDataConnectors: []
tactics:
  - Persistence
  - DefenseEvasion
relevantTechniques:
  - T1098
  - T1562
query: |

  GitHubAudit
  | where Action == "org.update_default_repository_permission"
  | project TimeGenerated, Action, Actor, Country, Repository, PreviousPermission, CurrentPermission