
Commit 3e5b7ad

Updated the query, title, and description based on the review comment
1 parent 02c3683 commit 3e5b7ad


2 files changed

+64
-70
lines changed


docs/tables/github_audit_log/index.md

Lines changed: 5 additions & 5 deletions
@@ -42,24 +42,24 @@ tailpipe collect github_audit_log.my_logs
4242

4343
## Query
4444

45-
**[Explore 15+ example queries for this table →](https://hub.tailpipe.io/plugins/turbot/github/queries/github_audit_log)**
45+
**[Explore 17+ example queries for this table →](https://hub.tailpipe.io/plugins/turbot/github/queries/github_audit_log)**
4646

4747
### Repositories made public
4848

4949
Track repositories that were made public to check for accidental visibility changes.
5050

5151
```sql
5252
select
53-
created_at,
53+
timestamp,
5454
actor,
55-
additional_fields ->> 'repo' as repo
55+
repo
5656
from
5757
github_audit_log
5858
where
5959
action = 'repo.access'
6060
and (additional_fields ->> 'visibility') = 'public'
6161
order by
62-
created_at desc;
62+
timestamp desc;
6363
```
6464

6565
### Branch protection overrides
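
Review bot: the link text jumps from 15+ to 17+ example queries, but the queries.md changes in this same commit remove four query sections and add three, so the count should be re-checked against what the hub page actually lists before merging. The switch to the top-level `timestamp` and `repo` columns matches the rest of the commit; `additional_fields ->> 'visibility'` in the where clause remains correct only as long as visibility has not also been promoted to a top-level column.
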
@@ -70,7 +70,7 @@ Find instances where a branch protection requirement was overridden by a reposit
7070
select
7171
created_at,
7272
actor,
73-
additional_fields ->> 'repo' as repo,
73+
repo,
7474
additional_fields ->> 'branch' as branch,
7575
additional_fields ->> 'reasons' as reasons
7676
from
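
Review bot: `created_at,` on the first context line of this hunk is left unchanged even though the previous hunk switched the same query pattern to `timestamp`; either change this query to `timestamp` as well (and its order by, which lies outside this hunk) or note why two queries in the same file should differ.
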

docs/tables/github_audit_log/queries.md

Lines changed: 59 additions & 65 deletions
@@ -40,6 +40,7 @@ List the top 10 pull request authors and how many pull requests they've created.
4040
```sql
4141
select
4242
actor,
43+
repo,
4344
count(*) as action_count
4445
from
4546
github_audit_log
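
Review bot: adding `repo,` to the select list turns this into a per-author-per-repository count, which no longer matches the heading "top 10 pull request authors and how many pull requests they've created", and the `group by` further down (outside this hunk) must now include `repo` or the query will not run. Either drop `repo` or update the description and the `group by` together.
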
@@ -73,33 +74,15 @@ group by
7374

7475
## GitHub Security Threat Detection Queries
7576

76-
### Frequent changes to security settings
77-
78-
Flags users who frequently modify security-related settings or secrets, potentially indicating suspicious activity.
79-
80-
```sql
81-
select
82-
actor,
83-
count(*) as setting_changes
84-
from
85-
github_audit_log
86-
where
87-
action in ('org.update_actions_settings', 'org.update_actions_secret')
88-
group by
89-
actor
90-
having
91-
setting_changes > 3;
92-
```
93-
9477
### Disabled security features
9578

9679
Tracks actions that disable critical security features, which may indicate potential security risks.
9780

9881
```sql
9982
select
83+
timestamp,
10084
actor,
10185
action,
102-
timestamp,
10386
repo
10487
from
10588
github_audit_log
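
Review bot: the "Frequent changes to security settings" section is deleted outright, leaving no example query that covers `org.update_actions_settings` or `org.update_actions_secret`, while the commit message only mentions updating queries; if the removal is intentional, say so in the message, otherwise keep the section and apply the same column reorder used for the "Disabled security features" query below it. Moving `timestamp` to the first column in that query is a harmless reorder.
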
@@ -128,33 +111,15 @@ having
128111
count(distinct tp_source_ip) > 5;
129112
```
130113

131-
### Frequent code deletion
132-
133-
Identifies users who frequently remove repository topics, which may impact project organization and discoverability.
134-
135-
```sql
136-
select
137-
actor,
138-
count(*) as code_deletions
139-
from
140-
github_audit_log
141-
where
142-
action = 'repo.remove_topic'
143-
group by
144-
actor
145-
having
146-
code_deletions > 3;
147-
```
148-
149114
### Vulnerability alerts disabled
150115

151116
Tracks instances where users disable vulnerability alerts, which may limit awareness of security issues.
152117

153118
```sql
154119
select
120+
timestamp,
155121
actor,
156122
actor_ip,
157-
timestamp,
158123
org
159124
from
160125
github_audit_log
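
Review bot: the removed "Frequent code deletion" section was mislabelled (its query counted `repo.remove_topic`, topic removals rather than deletions of code), so dropping it is defensible, but the commit message should record that it was removed as misleading rather than updated. The `timestamp` reorder in the vulnerability-alerts query is fine.
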
@@ -170,14 +135,15 @@ Identifies users who modify IP allow lists, which can impact network access rest
170135

171136
```sql
172137
select
173-
actor,
174138
timestamp,
139+
actor,
175140
action,
176141
repo
177142
from
178143
github_audit_log
179144
where
180-
action in ('ip_allow_list_entry.create', 'ip_allow_list_entry.destroy');
145+
action in ('ip_allow_list_entry.create', 'ip_allow_list_entry.destroy')
146+
and actor_ip in ('192.0.2.146', '206.253.208.100');
181147
```
182148

183149
### Secret scanning disabled
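
Review bot: the added `and actor_ip in ('192.0.2.146', '206.253.208.100')` narrows the query from "who modified the IP allow list" to "allow-list changes from two specific source addresses", which the description above the hunk ("Identifies users who modify IP allow lists") does not mention. 192.0.2.146 is in the RFC 5737 documentation range, but 206.253.208.100 is a routable public address; a docs example should use documentation-range or clearly marked placeholder values and tell readers to substitute their own, or the filter should be dropped.
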
@@ -186,11 +152,11 @@ Tracks instances where users disable secret scanning, reducing the ability to de
186152

187153
```sql
188154
select
155+
timestamp,
189156
actor,
190157
action,
191-
timestamp,
192-
additional_fields ->> 'public_repo' as public_repo,
193-
additional_fields ->> 'user_agent' as user_agent,
158+
additional_fields ->> 'public_repo' as public_repo,
159+
additional_fields ->> 'user_agent' as user_agent,
194160
from
195161
github_audit_log
196162
where
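
Review bot: the trailing comma on `additional_fields ->> 'user_agent' as user_agent,` immediately before `from` is carried over from the old lines; it is a syntax error in standard SQL and most engines, and since both lines are rewritten in this hunk anyway, drop it here.
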
@@ -243,17 +209,41 @@ Identifies repository administrators who frequently override branch protection r
243209
```sql
244210
select
245211
actor,
212+
additional_fields ->> 'branch' as branch,
246213
count(*) as branch_protection_changes
247214
from
248215
github_audit_log
249216
where
250217
action = 'protected_branch.policy_override'
251218
group by
252-
actor
219+
actor,
220+
branch
253221
having
254222
branch_protection_changes > 3;
255223
```
256224

225+
## Baseline Examples
226+
227+
### Activity outside of normal hours
228+
229+
Flag activity occurring outside of standard working hours, e.g., activity bewteen 8 PM and 6 AM.
230+
231+
```sql
232+
select
233+
timestamp,
234+
action,
235+
actor,
236+
repo,
237+
operation_type
238+
from
239+
github_audit_log
240+
where
241+
cast(strftime(timestamp, '%H') as integer) >= 20 -- 8 PM
242+
or cast(strftime(timestamp, '%H') as integer) < 6 -- 6 AM
243+
order by
244+
timestamp desc;
245+
```
246+
257247
## Operational Examples
258248

259249
### Issue comment updated or deleted by bot
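
Review bot: in the new "Activity outside of normal hours" query, `strftime(timestamp, '%H')` compares against whatever time zone `timestamp` is stored in, so the 8 PM to 6 AM window is only meaningful if the description states which zone that is (audit timestamps are typically UTC) or the query converts first; please state the assumption in the description, and fix the typo "bewteen" there. Grouping the override query by `actor, branch` changes the `> 3` threshold from per-administrator to per-administrator-per-branch, so the description above this hunk ("administrators who frequently override") should say so.
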
@@ -262,12 +252,12 @@ Identifies issue comments that were updated or deleted by a bot, helping track a
262252

263253
```sql
264254
select
255+
timestamp,
265256
actor,
266257
action,
267-
timestamp,
268258
repo as repository,
259+
operation_type,
269260
(additional_fields ->> 'programmatic_access_type') as programmatic_access_type,
270-
(additional_fields ->> 'operation_type') as operation_type,
271261
(additional_fields ->> 'actor_is_bot') as actor_is_bot
272262
from
273263
github_audit_log
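
Review bot: `operation_type` is promoted to a top-level column here while `programmatic_access_type` and `actor_is_bot` stay as parenthesised `(additional_fields ->> ...)` extractions; that is fine if only `operation_type` exists as a column, but the parentheses are inconsistent with the unparenthesised `additional_fields ->> 'branch' as branch` style used elsewhere in this commit, so pick one style.
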
@@ -282,10 +272,10 @@ Tracks modifications to the workflow execution settings, including restricting w
282272

283273
```sql
284274
select
285-
actor,
286275
timestamp,
276+
actor,
287277
repo,
288-
(additional_fields ->> 'operation_type') as operation_type,
278+
operation_type,
289279
(additional_fields ->> 'public_repo') as is_public_repo,
290280
created_at
291281
from
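
Review bot: after moving `timestamp` to the top, the query still selects `created_at` and, per the context at the start of the next hunk, orders by `created_at desc`; the rest of this commit orders by `timestamp`, so either drop `created_at` and order by `timestamp` here as well or explain why both columns are shown.
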
@@ -296,35 +286,39 @@ order by
296286
created_at desc;
297287
```
298288

299-
### Most recent pull request reviews
289+
### List Organization Membership Changes
300290

301-
Retrieves pull request reviews submitted in the last two days.
291+
Monitor users being added or removed from an organization.
302292

303293
```sql
304294
select
305-
actor,
306295
timestamp,
307-
(additional_fields ->> 'pull_request_title') as pull_request_title,
308-
(additional_fields ->> 'pull_request_url') as pull_request_url
296+
actor,
297+
action,
298+
user
309299
from
310-
github_audit_log
311-
where
312-
action = 'pull_request_review.submit'
313-
and timestamp >= cast(current_timestamp as timestamp) - interval '2 days';
300+
github_audit_log
301+
where
302+
action in ('org.add_member', 'org.remove_member')
303+
order by
304+
timestamp desc;
314305
```
315306

316-
### Advanced security disabled in repositories
307+
### Monitor Team and Role Assignments
317308

318-
Identifies instances where advanced security features were disabled for a repository.
309+
Identify when users are added or removed from teams.
319310

320311
```sql
321312
select
322-
actor,
323-
actor_ip,
324313
timestamp,
325-
repo
314+
actor,
315+
action,
316+
user,
317+
additional_fields ->> 'team' as team_name
326318
from
327-
github_audit_log
328-
where
329-
action = 'repo.advanced_security_disabled';
319+
github_audit_log
320+
where
321+
action in ('team.add_member', 'team.remove_member')
322+
order by
323+
timestamp desc;
330324
```
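
Review bot: this hunk replaces "Advanced security disabled in repositories" (the only example covering `repo.advanced_security_disabled`) and "Most recent pull request reviews" with two membership queries rather than updating them, which is not what the commit message describes; consider keeping the advanced-security query, since it is a security-relevant detection. In the new queries, bare `user` is a reserved word in several SQL dialects (PostgreSQL resolves it to the session user), so quoting it as `"user"` avoids ambiguity; the heading "Monitor Team and Role Assignments" promises role changes but the query only filters `team.add_member` and `team.remove_member`; and both new headings use Title Case while the existing headings use sentence case.
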
