Detection: Organization User Removed
Overview
Detect when a user was removed from a GitHub organization. A removal may be a legitimate access revocation or an unauthorized one, so each event should be matched against a change request or offboarding record. Monitoring these events helps confirm that access changes are authorized and consistent with security policy.
Usage
Run the detection in your terminal:
powerpipe detection run github_audit_log_detections.detection.organization_user_removed
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe detection run github_audit_log_detections.detection.organization_user_removed --share
SQL
This detection uses a named query:
select
  tp_timestamp as timestamp,
  action as operation,
  concat('https://github.com/', user) as resource,
  actor,
  tp_source_ip as source_ip,
  tp_index as organization,
  split_part(repo, '/', 2) as repository,
  tp_id as source_id,
  * exclude (actor, timestamp)
from
  github_audit_log
where
  action = 'org.remove_member'
order by
  tp_timestamp desc;
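The same detection logic applied to a handful of audit-log rows, as an added example that is not part of the Powerpipe mod or the Tailpipe github_audit_log table: it mirrors the query's filter, projection and ordering in stdlib Python so the output columns can be inspected without a Tailpipe database. The sample log lines, the organization name, the usernames and the `self_removal` triage flag (actor equals removed user, which is assumed here to indicate a member who left on their own rather than an admin removal) are constructed assumptions for illustration.

```python
"""Added example (not from the page or the Powerpipe mod): run the
organization_user_removed detection over constructed github_audit_log rows."""
import json
from datetime import datetime

# Constructed sample audit-log lines, one JSON object per line. Field names
# follow the columns the page's query reads from github_audit_log; the
# organization "acme", the usernames and the IPs are made up.
SAMPLE_LOG_LINES = [
    '{"tp_id":"evt-001","tp_timestamp":"2024-05-01T09:00:00Z","tp_index":"acme",'
    '"tp_source_ip":"203.0.113.10","action":"org.add_member","actor":"alice-admin",'
    '"user":"bob","repo":null}',
    '{"tp_id":"evt-002","tp_timestamp":"2024-05-01T10:15:00Z","tp_index":"acme",'
    '"tp_source_ip":"203.0.113.10","action":"org.remove_member","actor":"alice-admin",'
    '"user":"bob","repo":null}',
    '{"tp_id":"evt-003","tp_timestamp":"2024-05-02T08:30:00Z","tp_index":"acme",'
    '"tp_source_ip":"198.51.100.7","action":"org.remove_member","actor":"carol",'
    '"user":"carol","repo":"acme/payments"}',
    '{"tp_id":"evt-004","tp_timestamp":"2024-05-02T09:00:00Z","tp_index":"acme",'
    '"tp_source_ip":"203.0.113.10","action":"repo.remove_member","actor":"alice-admin",'
    '"user":"dave","repo":"acme/payments"}',
]


def split_part(value, sep, index):
    """Mimic DuckDB split_part(): 1-based part index, NULL in gives NULL out,
    and an out-of-range index yields an empty string."""
    if value is None:
        return None
    parts = value.split(sep)
    return parts[index - 1] if 1 <= index <= len(parts) else ""


def _parse_ts(ts):
    # fromisoformat() only accepts a trailing "Z" on Python 3.11+, so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def organization_user_removed(log_lines):
    """Return the detection rows, newest first, for action = 'org.remove_member'.
    Column names match the aliases in the page's SQL."""
    rows = []
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("action") != "org.remove_member":
            continue  # same predicate as the query's WHERE clause
        rows.append({
            "timestamp": ev["tp_timestamp"],
            "operation": ev["action"],
            "resource": "https://github.com/" + ev["user"],
            "actor": ev["actor"],
            "source_ip": ev.get("tp_source_ip"),
            "organization": ev["tp_index"],
            "repository": split_part(ev.get("repo"), "/", 2),
            "source_id": ev["tp_id"],
            # Added triage hint, an assumption not present in the page's query:
            # actor == removed user is taken to mean the member left by themselves.
            "self_removal": ev["actor"] == ev["user"],
        })
    rows.sort(key=lambda r: _parse_ts(r["timestamp"]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in organization_user_removed(SAMPLE_LOG_LINES):
        print(json.dumps(row))
```

On the constructed input only the two `org.remove_member` events survive the filter; the `org.add_member` and `repo.remove_member` rows are dropped, and the remaining rows come out newest first with `repository` empty where the event carried no `repo` value. Treat `self_removal` as a starting point for triage, not as a verdict: an attacker holding the user's own session could also remove that user.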