Detection | informational | test

New Github Organization Member Added

Detects when a new member is added or invited to a GitHub organization.

Author: Muhammad Faisal | Created: Sun Jan 29 | ID: 3908d64a-3c06-4091-b503-b3a94424533b | Category: application
Log Source
Product: github
Service: audit

Definition

Requirements: The audit log streaming feature must be enabled in order to receive these logs. You can enable it by following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming

Detection Logic
detection:
    selection:
        action:
            - 'org.add_member'
            - 'org.invite_member'
    condition: selection
False Positives

Organization approved new members
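
The selection above applied to streamed audit events, with the false positive handled by an allowlist. This is an added example, not part of the Sigma rule or the SigmaHQ project; the field names other than `action`, the sample events and the `APPROVED_MEMBERS` allowlist are assumptions constructed for illustration.

```python
import json

# Actions taken from the rule's selection above.
RULE_ACTIONS = {"org.add_member", "org.invite_member"}

# Constructed sample of streamed audit events (NDJSON). Field names other than
# "action" (actor, user, org, @timestamp) are assumed; every value is made up.
SAMPLE_STREAM = """\
{"@timestamp": 1674950400000, "action": "org.add_member", "actor": "alice-admin", "user": "new-hire-1", "org": "example-org"}
{"@timestamp": 1674950460000, "action": "repo.create", "actor": "bob", "org": "example-org", "repo": "example-org/tools"}
{"@timestamp": 1674950520000, "action": "org.invite_member", "actor": "carol", "user": "unknown-acct", "org": "example-org"}
this line is not JSON
{"@timestamp": 1674950580000, "action": "ORG.ADD_MEMBER", "actor": "alice-admin", "user": "contractor-7", "org": "example-org"}
"""

# Hypothetical allowlist, e.g. exported from an onboarding system.
APPROVED_MEMBERS = {"new-hire-1"}


def match_rule(event):
    """Sigma string matching is case-insensitive by default, so lower-case first."""
    action = event.get("action")
    return isinstance(action, str) and action.lower() in RULE_ACTIONS


def triage(stream, approved):
    """Return (hits, unparsed): rule matches tagged approved or not, plus bad-line count."""
    hits, unparsed = [], 0
    for line in stream.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            unparsed += 1  # count instead of dropping silently: stream gaps matter
            continue
        if isinstance(event, dict) and match_rule(event):
            member = event.get("user")
            hits.append({"action": event["action"].lower(), "actor": event.get("actor"),
                         "member": member, "approved": member in approved})
    return hits, unparsed


if __name__ == "__main__":
    hits, unparsed = triage(SAMPLE_STREAM, APPROVED_MEMBERS)
    for hit in hits:
        print(hit)
    print("unparsed lines:", unparsed)
```

Hits with `approved` set to false are the ones worth a follow-up with the actor who added or invited the account.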

MITRE ATT&CK
Rule Metadata
Rule ID
3908d64a-3c06-4091-b503-b3a94424533b
Status
test
Level
informational
Type
Detection
Created
Sun Jan 29
Path
rules/application/github/audit/github_new_org_member.yml
Raw Tags
attack.persistence, attack.t1136.003