Detection: Account Password Changed

Overview

Detect when the password for a GitHub account is changed. Changing a password may be a legitimate account maintenance activity, but if done by an attacker, it can allow them to maintain persistent access or lock out the legitimate user. Monitoring these events is critical for identifying potential account compromises and protecting user access.

References:

Updating your GitHub access credentials

Usage

Run the detection in your terminal:

powerpipe detection run github_security_log_detections.detection.account_password_changed

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run github_security_log_detections.detection.account_password_changed --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
action as operation,
concat('https://github.com/', user) as resource,
actor,
tp_source_ip as source_ip,
tp_id as source_id,
*
exclude (actor, timestamp)

from
  github_security_log
where
  action = 'user.change_password'
order by
  tp_timestamp desc;

Detection: Account Password Changed

Overview

Usage

SQL

Tags