turbot/tailpipe-mod-github-security-log-detections

Detection: Login from Unrecognized Device

Overview

Detect when a GitHub account is accessed from a new or unrecognized device. While this may represent a legitimate action by a user logging in from a new laptop or browser, it can also indicate that an attacker is attempting to gain access from a previously unseen device. Monitoring these events helps identify suspicious account activity and potential compromise.

References:

Usage

Run the detection in your terminal:

powerpipe detection run github_security_log_detections.detection.login_from_unrecognized_device

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run github_security_log_detections.detection.login_from_unrecognized_device --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
  action as operation,
  concat('https://github.com/', user) as resource,
  actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  * exclude (actor, timestamp)
from
  github_security_log
where
  action = 'user.login_from_unrecognized_device'
order by
  tp_timestamp desc;
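Added example, not part of the mod: it runs the named query above against constructed sample rows in SQLite (concat() becomes ||, and the DuckDB-only "* exclude (...)" is dropped) and then adds a triage flag that tells you whether the source IP was already used by the same actor earlier in the log, which is the first thing a responder checks when separating a new laptop from an intruder.

```python
import sqlite3

# Constructed sample rows (not real GitHub audit data); columns are the fields
# the detection reads: tp_timestamp, tp_id, tp_source_ip, action, actor, user.
SAMPLE_ROWS = [
    ("2024-05-01T08:00:00Z", "e1", "203.0.113.10", "git.clone", "alice", "alice"),
    ("2024-05-01T08:05:00Z", "e2", "203.0.113.10", "user.login_from_unrecognized_device", "alice", "alice"),
    ("2024-05-02T22:13:00Z", "e3", "198.51.100.7", "user.login_from_unrecognized_device", "bob", "bob"),
    ("2024-05-02T22:14:00Z", "e4", "198.51.100.7", "oauth_authorization.create", "bob", "bob"),
]

# The page's detection query, translated for SQLite.
DETECTION_SQL = """
select
  tp_timestamp as timestamp,
  action as operation,
  'https://github.com/' || user as resource,
  actor,
  tp_source_ip as source_ip,
  tp_id as source_id
from github_security_log
where action = 'user.login_from_unrecognized_device'
order by tp_timestamp desc
"""

def load(rows):
    """Build an in-memory github_security_log table from the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("create table github_security_log (tp_timestamp text, tp_id text, "
                 "tp_source_ip text, action text, actor text, user text)")
    conn.executemany("insert into github_security_log values (?,?,?,?,?,?)", rows)
    return conn

def detect(conn):
    """Return the detection rows as dicts, newest first (as the query orders them)."""
    return [dict(r) for r in conn.execute(DETECTION_SQL)]

def triage(conn, hits):
    """Flag each hit with known_ip: did this actor use the same source IP in any
    earlier event? A never-before-seen IP is the hit to look at first."""
    for hit in hits:
        seen = conn.execute(
            "select count(*) from github_security_log "
            "where actor = ? and tp_source_ip = ? and tp_timestamp < ?",
            (hit["actor"], hit["source_ip"], hit["timestamp"]),
        ).fetchone()[0]
        hit["known_ip"] = seen > 0
    return hits
```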

Tags