Detection: Organization IP Allow List Entry Updated

Overview

Detect when changes were made to an organization's IP allow list entry. Modifying the IP allow list may indicate unauthorized network access changes or attempts to bypass security policies. Monitoring these updates helps enforce access control restrictions and prevent potential security risks.

References:

Restricting Network Traffic to Your Enterprise With an IP Allow List

Usage

Run the detection in your terminal:

powerpipe detection run github_audit_log_detections.detection.organization_ip_allow_list_entry_updated

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run github_audit_log_detections.detection.organization_ip_allow_list_entry_updated --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
action as operation,
concat('https://github.com/', org) as resource,
actor,
tp_source_ip as source_ip,
tp_index as organization,
split_part(repo, '/', 2) as repository,
tp_id as source_id,
*
exclude (actor, timestamp)

from
  github_audit_log
where
  action in (
    'ip_allow_list_entry.create',
    'ip_allow_list_entry.destroy',
    'ip_allow_list_entry.update'
  )
order by
  tp_timestamp desc;

Detection: Organization IP Allow List Entry Updated

Overview

Usage

SQL

Tags