New Github Organization Member Added
Detects when a new member is added or invited to a github organization.
Sigma rule (View on GitHub)
1title: New Github Organization Member Added
2id: 3908d64a-3c06-4091-b503-b3a94424533b
3status: test
4description: Detects when a new member is added or invited to a github organization.
5author: Muhammad Faisal (@faisalusuf)
6date: 2023-01-29
7references:
8 - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions
9tags:
10 - attack.persistence
11 - attack.t1136.003
12logsource:
13 product: github
14 service: audit
15 definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
16detection:
17 selection:
18 action:
19 - 'org.add_member'
20 - 'org.invite_member'
21 condition: selection
22falsepositives:
23 - Organization approved new members
24level: informational
References
-
The audit log allows organization admins to quickly review the actions performed by members of your organization. It includes details such as who performed the action, what the action was, and when it was performed.
Read More
Related rules
- AWS ElastiCache Security Group Created
- New Federated Domain Added
- New Federated Domain Added - Exchange
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group