Detection: OAuth App Authorization Destroyed

Overview

Detect when an OAuth App authorization is deleted in GitHub. While this may represent legitimate cleanup of unused applications, attackers may also remove authorizations to cover their tracks, disrupt security monitoring, or disable trusted integrations. Monitoring these events helps ensure visibility into changes to application access and detect potential attempts at defense evasion.

References:

Authorizing OAuth apps

Usage

Run the detection in your terminal:

powerpipe detection run github_security_log_detections.detection.oauth_app_authorization_destroyed

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run github_security_log_detections.detection.oauth_app_authorization_destroyed --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
action as operation,
concat('https://github.com/', user) as resource,
actor,
tp_source_ip as source_ip,
tp_id as source_id,
*
exclude (actor, timestamp)

from
  github_security_log
where
  action = 'oauth_authorization.destroy'
order by
  tp_timestamp desc;

Detection: OAuth App Authorization Destroyed

Overview

Usage

SQL

Tags