Detection: Organization Application Uninstalled

Overview

Detect when an application integration was uninstalled from a GitHub organization. Removing an application may affect service dependencies, automation workflows, or security controls, potentially disrupting operations. Monitoring these removals helps ensure critical applications remain active and authorized changes are properly reviewed.

References:

Managing Installed GitHub Applications

Usage

Run the detection in your terminal:

powerpipe detection run github_audit_log_detections.detection.organization_application_uninstalled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run github_audit_log_detections.detection.organization_application_uninstalled --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
action as operation,
additional_fields ->> 'integration' as resource,
actor,
tp_source_ip as source_ip,
tp_index as organization,
split_part(repo, '/', 2) as repository,
tp_id as source_id,
*
exclude (actor, timestamp)

from
  github_audit_log
where
  action = 'integration_installation.delete'
order by
  tp_timestamp desc;

Detection: Organization Application Uninstalled

Overview

Usage

SQL

Tags