Github Outside Collaborator Detected
Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
Sigma rule (View on GitHub)
1title: Github Outside Collaborator Detected
2id: eaa9ac35-1730-441f-9587-25767bde99d7
3status: test
4description: |
5 Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
6author: Muhammad Faisal (@faisalusuf)
7date: 2023/01/20
8references:
9 - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
10 - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization
11tags:
12 - attack.persistence
13 - attack.collection
14 - attack.t1098.001
15 - attack.t1098.003
16 - attack.t1213.003
17logsource:
18 product: github
19 service: audit
20 definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
21detection:
22 selection:
23 action:
24 - 'org.remove_outside_collaborator'
25 - 'project.update_user_permission'
26 condition: selection
27falsepositives:
28 - Validate the actor if permitted to access the repo.
29 - Validate the Multifactor Authentication changes.
30level: medium
References
-
The audit log allows organization admins to quickly review the actions performed by members of your organization. It includes details such as who performed the action, what the action was, and when it was performed.
Read More -
Organization owners can require organization members, outside collaborators, and billing managers to enable two-factor authentication for their personal accounts, making it harder for malicious actors to access an organization's repositories and settings.
Read More
Related rules
- Github Self Hosted Runner Changes Detected
- Github Delete Action Invoked
- Bitbucket Full Data Export Triggered
- Bitbucket Unauthorized Full Data Export Triggered
- App Granted Privileged Delegated Or App Permissions