GitHub-org

25 operations, identified by action in the audit log.

action	Description
org.add_member	A user joined an organization.
org.advanced_security_disabled_for_new_repos	GitHub Advanced Security was disabled for new repositories in an organization.
org.advanced_security_disabled_on_all_repos	GitHub Advanced Security was disabled for all repositories in an organization.
org.advanced_security_policy_selected_member_disabled	An enterprise owner prevented GitHub Advanced Security features from being enabled for repositories owned by the organization.
org.block_user	An organization owner blocked a user from accessing the organization's repositories.
org.create_actions_secret	A GitHub Actions secret was created for an organization.
org.disable_oauth_app_restrictions	Third-party application access restrictions for an organization were disabled.
org.disable_two_factor_requirement	A two-factor authentication requirement was disabled for the organization.
org.invite_member	A new user was invited to join an organization.
org.register_self_hosted_runner	A new self-hosted runner was registered.
org.remove_member	A member was removed from an organization, either manually or due to a two-factor authentication requirement.
org.remove_outside_collaborator	An outside collaborator was removed from an organization, either manually or due to a two-factor authentication requirement.
org.remove_self_hosted_runner	A self-hosted runner was removed.
org.runner_group_created	A self-hosted runner group was created.
org.runner_group_removed	A self-hosted runner group was removed.
org.runner_group_runner_removed	The REST API was used to remove a self-hosted runner from a group.
org.runner_group_runners_added	A self-hosted runner was added to a group.
org.runner_group_runners_updated	A runner group's list of members was updated.
org.runner_group_updated	The configuration of a self-hosted runner group was changed.
org.secret_scanning_custom_pattern_push_protection_disabled	Push protection for a custom pattern for secret scanning was disabled for an organization.
org.secret_scanning_push_protection_disable	Push protection for secret scanning was disabled.
org.secret_scanning_push_protection_new_repos_disable	Push protection for secret scanning was disabled for all new repositories in the organization.
org.transfer	An organization was transferred between enterprise accounts.
org.transfer_outgoing	An organization was transferred between enterprise accounts.
org.update_member	A person's role was changed from owner to member or member to owner.

org.add_member

Category: GitHub-org

Description

A user joined an organization.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`org.add_member`	2 rules	elastic
`action`	eq	`org.add_member`	1 rule	panther, sigma
`github.permission`	eq	`admin`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Sigma #

New Github Organization Member Added source informational: Detects when a new member is added or invited to a github organization.↳ also matches org.invite_member

Elastic #

New GitHub Owner Added source medium: Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any new owner roles should be investigated to determine it's validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.
New User Added To GitHub Organization source low: A new user was added to a GitHub organization.

Kusto #

GitHub - User was added to the organization source medium: Detect activities when a user was added to the organization. This query runs every day and its severity is Medium.

org.advanced_security_disabled_for_new_repos

Category: GitHub-org

Description

GitHub Advanced Security was disabled for new repositories in an organization.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`action`	eq	`org.disable_two_factor_requirement`	1 rule	sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

Github High Risk Configuration Disabled source high: Detects when a user disables a critical security feature for an organization.↳ also matches org.advanced_security_disabled_on_all_repos, org.advanced_security_policy_selected_member_disabled, org.disable_oauth_app_restrictions, org.disable_two_factor_requirement

org.advanced_security_disabled_on_all_repos

Category: GitHub-org

Description

GitHub Advanced Security was disabled for all repositories in an organization.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`action`	eq	`org.disable_two_factor_requirement`	1 rule	sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

Github High Risk Configuration Disabled source high: Detects when a user disables a critical security feature for an organization.↳ also matches org.advanced_security_disabled_for_new_repos, org.advanced_security_policy_selected_member_disabled, org.disable_oauth_app_restrictions, org.disable_two_factor_requirement

org.advanced_security_policy_selected_member_disabled

Category: GitHub-org

Description

An enterprise owner prevented GitHub Advanced Security features from being enabled for repositories owned by the organization.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`action`	eq	`org.disable_two_factor_requirement`	1 rule	sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

Github High Risk Configuration Disabled source high: Detects when a user disables a critical security feature for an organization.↳ also matches org.advanced_security_disabled_for_new_repos, org.advanced_security_disabled_on_all_repos, org.disable_oauth_app_restrictions, org.disable_two_factor_requirement

org.block_user

Category: GitHub-org

Description

An organization owner blocked a user from accessing the organization's repositories.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Detection Rules #

View all rules referencing this event →

Elastic #

GitHub User Blocked From Organization source low: A GitHub user was blocked from access to an organization.

Kusto #

GitHub - User was blocked source medium: Detect activities when a user was blocked on the repository. This query runs every day and its severity is Medium.

YARA-L #

GitHub User Blocked From Accessing Organization Repositories source: Detects when a user is blocked from accessing repositories within a GitHub organization.

org.create_actions_secret

Category: GitHub-org

Description

A GitHub Actions secret was created for an organization.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Detection Rules #

View all rules referencing this event →

Sigma #

Github New Secret Created source low: Detects when a user creates action secret for the organization, environment, codespaces or repository.

org.disable_oauth_app_restrictions

Category: GitHub-org

Description

Third-party application access restrictions for an organization were disabled.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`action`	eq	`org.disable_two_factor_requirement`	1 rule	sigma, splunk

Detection Rules #

View all rules referencing this event →

Sigma #

Github High Risk Configuration Disabled source high: Detects when a user disables a critical security feature for an organization.↳ also matches org.advanced_security_disabled_for_new_repos, org.advanced_security_disabled_on_all_repos, org.advanced_security_policy_selected_member_disabled, org.disable_two_factor_requirement

YARA-L #

GitHub OAuth Application Access Restrictions Disabled source: Detects when third-party application access restrictions are disabled for a GitHub organization.

org.disable_two_factor_requirement

Category: GitHub-org

Description

A two-factor authentication requirement was disabled for the organization.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Action`	eq	`org.disable_two_factor_requirement`	2 rules	kusto

Detection Rules #

View all rules referencing this event →

Sigma #

Github High Risk Configuration Disabled source high: Detects when a user disables a critical security feature for an organization.↳ also matches org.advanced_security_disabled_for_new_repos, org.advanced_security_disabled_on_all_repos, org.advanced_security_policy_selected_member_disabled, org.disable_oauth_app_restrictions

Kusto #

GitHub Two Factor Auth Disable source medium: Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected.
NRT GitHub Two Factor Auth Disable source medium: Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected.

YARA-L #

GitHub Two-Factor Authentication Requirement Disabled source: Detects when two-factor authentication requirements are disabled for a GitHub enterprise or organization.

org.invite_member

Category: GitHub-org

Description

A new user was invited to join an organization.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`action`	eq	`org.add_member`	1 rule	panther, sigma

Detection Rules #

View all rules referencing this event →

Sigma #

New Github Organization Member Added source informational: Detects when a new member is added or invited to a github organization.↳ also matches org.add_member

Kusto #

GitHub - User was invited to the repository source medium: Detect activities when a user was invited to the repository. This query runs every day and its severity is Medium.

YARA-L #

GitHub Invitation Sent To Non Company Email Domain source: Detects when an invitation to join a GitHub enterprise or organization is sent to a non-company email address. This rule can be customized to alert you when a GitHub invitation is sent to an unexpected domain i.e. not one of your company's domains used for email.

org.register_self_hosted_runner

Category: GitHub-org

Description

A new self-hosted runner was registered.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Detection Rules #

View all rules referencing this event →

Elastic #

New GitHub Self Hosted Action Runner source medium: This rule detects the creation of a self-hosted Github runner from a first time seen user.name in the last 5 days. Adversaries may abuse self-hosted runners to execute workflow jobs on customer infrastructure.

org.remove_member

Category: GitHub-org

Description

A member was removed from an organization, either manually or due to a two-factor authentication requirement.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Detection Rules #

View all rules referencing this event →

Elastic #

Member Removed From GitHub Organization source low: A member was removed or their invitation to join was removed from a GitHub Organization.

org.remove_outside_collaborator

Category: GitHub-org

Description

An outside collaborator was removed from an organization, either manually or due to a two-factor authentication requirement.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Detection Rules #

View all rules referencing this event →

Sigma #

Github Outside Collaborator Detected source medium: Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.

org.remove_self_hosted_runner

Category: GitHub-org

Description

A self-hosted runner was removed.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Detection Rules #

View all rules referencing this event →

Sigma #

Github Self Hosted Runner Changes Detected source low: A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.↳ also matches org.runner_group_created, org.runner_group_removed, org.runner_group_runner_removed, org.runner_group_runners_added, org.runner_group_runners_updated, org.runner_group_updated

org.runner_group_created

Category: GitHub-org

Description

A self-hosted runner group was created.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Detection Rules #

View all rules referencing this event →

Sigma #

Github Self Hosted Runner Changes Detected source low: A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.↳ also matches org.remove_self_hosted_runner, org.runner_group_removed, org.runner_group_runner_removed, org.runner_group_runners_added, org.runner_group_runners_updated, org.runner_group_updated

org.runner_group_removed

Category: GitHub-org

Description

A self-hosted runner group was removed.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Detection Rules #

View all rules referencing this event →

Sigma #

Github Self Hosted Runner Changes Detected source low: A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.↳ also matches org.remove_self_hosted_runner, org.runner_group_created, org.runner_group_runner_removed, org.runner_group_runners_added, org.runner_group_runners_updated, org.runner_group_updated

org.runner_group_runner_removed

Category: GitHub-org

Description

The REST API was used to remove a self-hosted runner from a group.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Detection Rules #

View all rules referencing this event →

Sigma #

Github Self Hosted Runner Changes Detected source low: A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.↳ also matches org.remove_self_hosted_runner, org.runner_group_created, org.runner_group_removed, org.runner_group_runners_added, org.runner_group_runners_updated, org.runner_group_updated

org.runner_group_runners_added

Category: GitHub-org

Description

A self-hosted runner was added to a group.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Detection Rules #

View all rules referencing this event →

Sigma #

Github Self Hosted Runner Changes Detected source low: A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.↳ also matches org.remove_self_hosted_runner, org.runner_group_created, org.runner_group_removed, org.runner_group_runner_removed, org.runner_group_runners_updated, org.runner_group_updated

org.runner_group_runners_updated

Category: GitHub-org

Description

A runner group's list of members was updated.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Detection Rules #

View all rules referencing this event →

Sigma #

Github Self Hosted Runner Changes Detected source low: A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.↳ also matches org.remove_self_hosted_runner, org.runner_group_created, org.runner_group_removed, org.runner_group_runner_removed, org.runner_group_runners_added, org.runner_group_updated

org.runner_group_updated

Category: GitHub-org

Description

The configuration of a self-hosted runner group was changed.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Detection Rules #

View all rules referencing this event →

Sigma #

Github Self Hosted Runner Changes Detected source low: A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.↳ also matches org.remove_self_hosted_runner, org.runner_group_created, org.runner_group_removed, org.runner_group_runner_removed, org.runner_group_runners_added, org.runner_group_runners_updated

org.secret_scanning_custom_pattern_push_protection_disabled

Category: GitHub-org

Description

Push protection for a custom pattern for secret scanning was disabled for an organization.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Detection Rules #

View all rules referencing this event →

Sigma #

Github Push Protection Disabled source high: Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.↳ also matches org.secret_scanning_push_protection_disable, org.secret_scanning_push_protection_new_repos_disable

org.secret_scanning_push_protection_disable

Category: GitHub-org

Description

Push protection for secret scanning was disabled.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Detection Rules #

View all rules referencing this event →

Sigma #

Github Push Protection Disabled source high: Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.↳ also matches org.secret_scanning_custom_pattern_push_protection_disabled, org.secret_scanning_push_protection_new_repos_disable

org.secret_scanning_push_protection_new_repos_disable

Category: GitHub-org

Description

Push protection for secret scanning was disabled for all new repositories in the organization.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Detection Rules #

View all rules referencing this event →

Sigma #

Github Push Protection Disabled source high: Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.↳ also matches org.secret_scanning_custom_pattern_push_protection_disabled, org.secret_scanning_push_protection_disable

org.transfer

Category: GitHub-org

Description

An organization was transferred between enterprise accounts.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Detection Rules #

View all rules referencing this event →

Sigma #

Github Repository/Organization Transferred source medium: Detects when a repository or an organization is being transferred to another location.↳ also matches org.transfer_outgoing

org.transfer_outgoing

Category: GitHub-org

Description

An organization was transferred between enterprise accounts.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Detection Rules #

View all rules referencing this event →

Sigma #

Github Repository/Organization Transferred source medium: Detects when a repository or an organization is being transferred to another location.↳ also matches org.transfer

YARA-L #

GitHub Outgoing Organization Transfer Initiated source: Detects when a GitHub organization is transferred to another enterprise account. An adversary may attempt to transfer a GitHub organization to an enterprise account they control in order to steal data.

org.update_member

Category: GitHub-org

Description

A person's role was changed from owner to member or member to owner.

Fields #

Name	Description
`action`	The audit-log action string (e.g. repo.create).
`actor`	Login of the user (or app) that performed the action.
`actor_id`	Numeric ID of the actor.
`user`	Login of the user the action targeted, when applicable.
`org`	Organization in which the action occurred.
`repo`	Repository the action targeted (owner/name), when applicable.
`business`	Enterprise account, when the org belongs to one.
`@timestamp`	Time the event was recorded (epoch ms).
`created_at`	Time the action occurred (epoch ms).
`operation_type`	Operation class: create, modify, remove, access, transfer, authentication.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`github.permission`	eq	`admin`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

GitHub Owner Role Granted To User source medium: This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)