Detection: OAuth App Authorization Created
Overview
Detect when a new OAuth App authorization is created in GitHub. While this may represent a legitimate integration with third-party services, it can also indicate that an attacker has authorized a malicious application to gain persistent access to repositories, issues, or organizational data. Monitoring these events helps ensure that only trusted applications are integrated with GitHub accounts and organizations.
Usage
Run the detection in your terminal:
powerpipe detection run github_security_log_detections.detection.oauth_app_authorization_created
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe detection run github_security_log_detections.detection.oauth_app_authorization_created --share
SQL
This detection uses a named query:
select
  tp_timestamp as timestamp,
  action as operation,
  concat('https://github.com/', user) as resource,
  actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  * exclude (actor, timestamp)
from github_security_log
where action = 'oauth_authorization.create'
order by tp_timestamp desc;
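To show what this detection actually matches, here is an added, self-contained example that is not part of the Turbot mod: it loads a handful of constructed GitHub security log rows into an in-memory SQLite table and runs an equivalent of the named query above. The column names (tp_timestamp, action, user, actor, tp_source_ip, tp_id) follow the query on this page; the event values are invented. SQLite has no `* exclude` or `concat()`, so the example lists the projected columns explicitly and uses `||` for the resource URL.

```python
import sqlite3

# Constructed sample events shaped like rows of github_security_log
# (values are invented; column layout follows the detection query).
# Only the two oauth_authorization.create rows should be reported;
# the repo.create and oauth_authorization.destroy rows are noise.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00Z", "oauth_authorization.create", "alice", "alice", "203.0.113.10", "evt-1"),
    ("2024-05-01T10:05:00Z", "repo.create", "bob", "bob", "203.0.113.11", "evt-2"),
    ("2024-05-02T08:30:00Z", "oauth_authorization.create", "carol", "carol", "198.51.100.7", "evt-3"),
    ("2024-05-02T09:00:00Z", "oauth_authorization.destroy", "alice", "alice", "203.0.113.10", "evt-4"),
]

# SQLite adaptation of the page's DuckDB query: same filter, same ordering,
# same derived columns; '||' replaces concat() and '* exclude' is dropped.
DETECTION_SQL = """
select
  tp_timestamp as timestamp,
  action as operation,
  'https://github.com/' || user as resource,
  actor,
  tp_source_ip as source_ip,
  tp_id as source_id
from github_security_log
where action = 'oauth_authorization.create'
order by tp_timestamp desc
"""


def build_log(events):
    """Create an in-memory table mimicking github_security_log and load events."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table github_security_log ("
        "tp_timestamp text, action text, user text, actor text, "
        "tp_source_ip text, tp_id text)"
    )
    conn.executemany("insert into github_security_log values (?,?,?,?,?,?)", events)
    return conn


def run_detection(events=SAMPLE_EVENTS):
    """Run the detection query and return matching rows as dicts, newest first."""
    conn = build_log(events)
    try:
        cur = conn.execute(DETECTION_SQL)
        cols = [d[0] for d in cur.description]
        return [dict(zip(cols, row)) for row in cur.fetchall()]
    finally:
        conn.close()


if __name__ == "__main__":
    for hit in run_detection():
        print(f"{hit['timestamp']} {hit['actor']} authorized an OAuth app on {hit['resource']} "
              f"from {hit['source_ip']} (event {hit['source_id']})")
```

Each hit carries the actor, source IP and resource URL that a responder would pivot on when deciding whether the authorization was an expected integration or an unapproved application that needs revoking.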