turbot/tailpipe-mod-github-audit-log-detections

Detection: Organization Ownership Transferred

Overview

Detect when an organization was transferred to a new owner. Transferring ownership may indicate a legitimate administrative change, but it could also be a sign of a takeover attempt or unauthorized privilege escalation. Monitoring these events ensures that ownership transfers are intentional and comply with security policies.

Usage

Run the detection in your terminal:

powerpipe detection run github_audit_log_detections.detection.organization_ownership_transferred

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run github_audit_log_detections.detection.organization_ownership_transferred --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
  action as operation,
  concat('https://github.com/', org) as resource,
  actor,
  tp_source_ip as source_ip,
  tp_index as organization,
  split_part(repo, '/', 2) as repository,
  tp_id as source_id,
  * exclude (actor, timestamp)
from
  github_audit_log
where
  action = 'org.transfer'
order by
  tp_timestamp desc;
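
An added example, not part of the mod's own code: the same `org.transfer` filter applied in Python to constructed audit log lines, extended with two triage flags (whether the actor, and the actor/IP pair, appeared earlier in the log) that the query above does not compute. The field names `@timestamp` and `actor_ip` are assumed from GitHub's JSON audit log export, and all sample values are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample lines; field names are assumed from GitHub's JSON export.
SAMPLE_LOG = """\
{"@timestamp": 1714557600000, "action": "repo.create", "actor": "alice", "actor_ip": "198.51.100.10", "org": "example-org", "repo": "example-org/api"}
{"@timestamp": 1714730400000, "action": "org.transfer", "actor": "mallory", "actor_ip": "203.0.113.77", "org": "example-org"}
{"@timestamp": 1714644000000, "action": "org.transfer", "actor": "alice", "actor_ip": "198.51.100.10", "org": "example-org"}
not-json
"""

def parse_events(ndjson_text):
    """Parse newline-delimited JSON, skipping malformed or non-object lines."""
    events = []
    for line in ndjson_text.splitlines():
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict) and isinstance(obj.get("@timestamp"), int):
            events.append(obj)
    return events

def find_org_transfers(ndjson_text):
    """Return org.transfer events, newest first, with first-seen triage flags."""
    seen_actors, seen_pairs, findings = set(), set(), []
    # Walk the log oldest-first so "seen" reflects history before each event.
    for e in sorted(parse_events(ndjson_text), key=lambda ev: ev["@timestamp"]):
        actor, ip = e.get("actor"), e.get("actor_ip")
        if e.get("action") == "org.transfer":
            ts = datetime.fromtimestamp(e["@timestamp"] / 1000, tz=timezone.utc)
            findings.append({
                "timestamp": ts.isoformat(),
                "operation": e["action"],
                "resource": "https://github.com/" + str(e.get("org", "")),
                "actor": actor,
                "source_ip": ip,
                "new_actor": actor not in seen_actors,
                "new_source_ip": (actor, ip) not in seen_pairs,
            })
        seen_actors.add(actor)
        seen_pairs.add((actor, ip))
    return findings[::-1]  # match the query's "order by tp_timestamp desc"

if __name__ == "__main__":
    for finding in find_org_transfers(SAMPLE_LOG):
        print(finding)
```

A transfer with both flags set comes from an account and address with no prior activity in the ingested log, which makes it the first one to confirm with the organization's owners.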
