Detection: Organization User Added

Overview

Detect when a user was added to a GitHub organization. Adding a new user may indicate a legitimate access provision or a potential unauthorized account being granted access. Monitoring these events helps ensure proper access controls and adherence to security policies.

References:

Inviting Users to Join Your Organization

Usage

Run the detection in your terminal:

powerpipe detection run github_audit_log_detections.detection.organization_user_added

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run github_audit_log_detections.detection.organization_user_added --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
action as operation,
concat('https://github.com/', user) as resource,
actor,
tp_source_ip as source_ip,
tp_index as organization,
split_part(repo, '/', 2) as repository,
tp_id as source_id,
*
exclude (actor, timestamp)

from
  github_audit_log
where
  action = 'org.add_member'
order by
  tp_timestamp desc;

Detection: Organization User Added

Overview

Usage

SQL

Tags