Detection: Organization Moderator Added
Overview
Detect when a user was added as a moderator in an organization. Assigning moderator privileges may grant additional administrative capabilities, potentially impacting repository and organization settings. Monitoring these changes helps ensure that privilege escalations are intentional and align with security policies.
References:
Usage
Run the detection in your terminal:
powerpipe detection run github_audit_log_detections.detection.organization_moderator_addedSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run github_audit_log_detections.detection.organization_moderator_added --shareSQL
This detection uses a named query:
select tp_timestamp as timestamp,action as operation,concat('https://github.com/', user) as resource,actor,tp_source_ip as source_ip,tp_index as organization,split_part(repo, '/', 2) as repository,tp_id as source_id,*exclude (actor, timestamp)
from github_audit_logwhere action = 'organization_moderators.add_user'order by tp_timestamp desc;