@@ -40,6 +40,7 @@ List the top 10 pull request authors and how many pull requests they've created.
40
40
``` sql
41
41
select
42
42
actor,
43
+ repo,
43
44
count (* ) as action_count
44
45
from
45
46
github_audit_log
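Review bot: Adding `repo` to the select list of the top-10-authors query only works if `repo` is also added to the `group by`, which falls outside this hunk; under strict grouping the statement otherwise fails, so confirm the grouping was updated too. It also changes what the query answers: `action_count` becomes a per-(actor, repo) figure rather than a per-author total, so the heading `List the top 10 pull request authors and how many pull requests they've created` no longer describes the result. Either keep the per-author total and move `repo` into a separate per-repository example, or reword the heading to say the count is broken down by repository. The query body continues past the end of the hunk.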
@@ -73,33 +74,15 @@ group by
73
74
74
75
## GitHub Security Threat Detection Queries
75
76
76
- ### Frequent changes to security settings
77
-
78
- Flags users who frequently modify security-related settings or secrets, potentially indicating suspicious activity.
79
-
80
- ``` sql
81
- select
82
- actor,
83
- count (* ) as setting_changes
84
- from
85
- github_audit_log
86
- where
87
- action in (' org.update_actions_settings' , ' org.update_actions_secret' )
88
- group by
89
- actor
90
- having
91
- setting_changes > 3 ;
92
- ```
93
-
94
77
### Disabled security features
95
78
96
79
Tracks actions that disable critical security features, which may indicate potential security risks.
97
80
98
81
``` sql
99
82
select
83
+ timestamp ,
100
84
actor,
101
85
action,
102
- timestamp ,
103
86
repo
104
87
from
105
88
github_audit_log
@@ -128,33 +111,15 @@ having
128
111
count (distinct tp_source_ip) > 5 ;
129
112
```
130
113
131
- ### Frequent code deletion
132
-
133
- Identifies users who frequently remove repository topics, which may impact project organization and discoverability.
134
-
135
- ``` sql
136
- select
137
- actor,
138
- count (* ) as code_deletions
139
- from
140
- github_audit_log
141
- where
142
- action = ' repo.remove_topic'
143
- group by
144
- actor
145
- having
146
- code_deletions > 3 ;
147
- ```
148
-
149
114
### Vulnerability alerts disabled
150
115
151
116
Tracks instances where users disable vulnerability alerts, which may limit awareness of security issues.
152
117
153
118
``` sql
154
119
select
120
+ timestamp ,
155
121
actor,
156
122
actor_ip,
157
- timestamp ,
158
123
org
159
124
from
160
125
github_audit_log
@@ -170,14 +135,15 @@ Identifies users who modify IP allow lists, which can impact network access rest
170
135
171
136
``` sql
172
137
select
173
- actor,
174
138
timestamp ,
139
+ actor,
175
140
action,
176
141
repo
177
142
from
178
143
github_audit_log
179
144
where
180
- action in (' ip_allow_list_entry.create' , ' ip_allow_list_entry.destroy' );
145
+ action in (' ip_allow_list_entry.create' , ' ip_allow_list_entry.destroy' )
146
+ and actor_ip in (' 192.0.2.146' , ' 206.253.208.100' );
181
147
```
182
148
183
149
### Secret scanning disabled
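Review bot: The new `actor_ip in ('192.0.2.146', '206.253.208.100')` filter restricts the results to changes made from two hard-coded addresses, but the section text still says the query "Identifies users who modify IP allow lists", so the prose and the query no longer agree. If the intent is to audit changes from known admin addresses, say so and mark the literals as placeholders, e.g. `-- replace with your own trusted actor IPs (192.0.2.0/24 is the RFC 5737 documentation range)`; if the intent is to catch changes from unexpected sources, the predicate should be `and actor_ip not in (...)` instead. As written, an allow-list change made from any other address is silently excluded from the result, which is the opposite of what a detection query should do.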
@@ -186,11 +152,11 @@ Tracks instances where users disable secret scanning, reducing the ability to de
186
152
187
153
``` sql
188
154
select
155
+ timestamp ,
189
156
actor,
190
157
action,
191
- timestamp ,
192
- additional_fields - >> ' public_repo' as public_repo,
193
- additional_fields - >> ' user_agent' as user_agent,
158
+ additional_fields - >> ' public_repo' as public_repo,
159
+ additional_fields - >> ' user_agent' as user_agent,
194
160
from
195
161
github_audit_log
196
162
where
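Review bot: The rewritten select list still ends with a trailing comma after `as user_agent,` immediately before `from`; DuckDB tolerates that, but Postgres, SQLite and most other engines reject it, and it reads as though a column was dropped by mistake. Drop the comma so the last projection is `additional_fields ->> 'user_agent' as user_agent`. The `where` clause of this query continues outside the hunk.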
@@ -243,17 +209,41 @@ Identifies repository administrators who frequently override branch protection r
243
209
``` sql
244
210
select
245
211
actor,
212
+ additional_fields - >> ' branch' as branch,
246
213
count (* ) as branch_protection_changes
247
214
from
248
215
github_audit_log
249
216
where
250
217
action = ' protected_branch.policy_override'
251
218
group by
252
- actor
219
+ actor,
220
+ branch
253
221
having
254
222
branch_protection_changes > 3 ;
255
223
```
256
224
225
+ ## Baseline Examples
226
+
227
+ ### Activity outside of normal hours
228
+
229
+ Flag activity occurring outside of standard working hours, e.g., activity bewteen 8 PM and 6 AM.
230
+
231
+ ``` sql
232
+ select
233
+ timestamp ,
234
+ action,
235
+ actor,
236
+ repo,
237
+ operation_type
238
+ from
239
+ github_audit_log
240
+ where
241
+ cast(strftime(timestamp , ' %H' ) as integer ) >= 20 -- 8 PM
242
+ or cast(strftime(timestamp , ' %H' ) as integer ) < 6 -- 6 AM
243
+ order by
244
+ timestamp desc ;
245
+ ```
246
+
257
247
## Operational Examples
258
248
259
249
### Issue comment updated or deleted by bot
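Review bot: The after-hours filter in the new "Activity outside of normal hours" query reads the hour straight from `timestamp`, which in audit-log tables is normally stored in UTC, so "8 PM to 6 AM" will not line up with the organisation's local working hours unless the value is converted first (e.g. `strftime(timezone('<local tz>', timestamp), '%H')`) or the text states that the window is UTC. Wrap the two hour tests in parentheses, `where (cast(strftime(timestamp, '%H') as integer) >= 20 or cast(strftime(timestamp, '%H') as integer) < 6)`, so that any `and` filter added later does not bind only to the second branch. The description also has a typo: "bewteen" should be "between". Separately, the branch-protection override count earlier in this hunk is still unbounded in time, so `> 3` fires on lifetime totals rather than recent behaviour; a recent-window predicate on `timestamp` would make that alert actionable.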
@@ -262,12 +252,12 @@ Identifies issue comments that were updated or deleted by a bot, helping track a
262
252
263
253
``` sql
264
254
select
255
+ timestamp ,
265
256
actor,
266
257
action,
267
- timestamp ,
268
258
repo as repository,
259
+ operation_type,
269
260
(additional_fields - >> ' programmatic_access_type' ) as programmatic_access_type,
270
- (additional_fields - >> ' operation_type' ) as operation_type,
271
261
(additional_fields - >> ' actor_is_bot' ) as actor_is_bot
272
262
from
273
263
github_audit_log
@@ -282,10 +272,10 @@ Tracks modifications to the workflow execution settings, including restricting w
282
272
283
273
``` sql
284
274
select
285
- actor,
286
275
timestamp ,
276
+ actor,
287
277
repo,
288
- (additional_fields - >> ' operation_type ' ) as operation_type,
278
+ operation_type,
289
279
(additional_fields - >> ' public_repo' ) as is_public_repo,
290
280
created_at
291
281
from
@@ -296,35 +286,39 @@ order by
296
286
created_at desc ;
297
287
```
298
288
299
- ### Most recent pull request reviews
289
+ ### List Organization Membership Changes
300
290
301
- Retrieves pull request reviews submitted in the last two days .
291
+ Monitor users being added or removed from an organization .
302
292
303
293
``` sql
304
294
select
305
- actor,
306
295
timestamp ,
307
- (additional_fields - >> ' pull_request_title' ) as pull_request_title,
308
- (additional_fields - >> ' pull_request_url' ) as pull_request_url
296
+ actor,
297
+ action,
298
+ user
309
299
from
310
- github_audit_log
311
- where
312
- action = ' pull_request_review.submit'
313
- and timestamp >= cast(current_timestamp as timestamp ) - interval ' 2 days' ;
300
+ github_audit_log
301
+ where
302
+ action in (' org.add_member' , ' org.remove_member' )
303
+ order by
304
+ timestamp desc ;
314
305
```
315
306
316
- ### Advanced security disabled in repositories
307
+ ### Monitor Team and Role Assignments
317
308
318
- Identifies instances where advanced security features were disabled for a repository .
309
+ Identify when users are added or removed from teams .
319
310
320
311
``` sql
321
312
select
322
- actor,
323
- actor_ip,
324
313
timestamp ,
325
- repo
314
+ actor,
315
+ action,
316
+ user,
317
+ additional_fields - >> ' team' as team_name
326
318
from
327
- github_audit_log
328
- where
329
- action = ' repo.advanced_security_disabled' ;
319
+ github_audit_log
320
+ where
321
+ action in (' team.add_member' , ' team.remove_member' )
322
+ order by
323
+ timestamp desc ;
330
324
```
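Review bot: Both new queries select a column named `user`, which is a reserved word in many SQL dialects (Postgres, for instance, resolves bare `user` to `current_user` rather than a column), so if the table column is literally called user it should be quoted or aliased, e.g. `"user" as member_login` — worth confirming against the table schema. Coverage is also narrower than the headings suggest: `org.add_member`/`org.remove_member` do not cover invitations or outside collaborators, so if the goal is to monitor everyone gaining or losing access consider adding `org.invite_member`, `org.add_outside_collaborator` and `org.remove_outside_collaborator`, after verifying the names against the GitHub audit-log action list. Neither query is bounded in time, so on a large log `order by timestamp desc` sorts the whole table; a `limit` or a recent `timestamp` predicate would make them cheaper and easier to act on.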