detection.wiki

Detection rules › Kusto

GitHub - User visibility Was changed

Status
available
Severity
medium
Time window
7d
Source
github.com/Azure/Azure-Sentinel

'Detect activities when a user visibility Was changed. This query runs every day and its severity is Medium.'

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1078 Valid Accounts

Rule body kusto

id: 0b85a077-8ba5-4cb5-90f7-1e882afe20c9
name: GitHub - User visibility Was changed
description: |
  'Detect activities when a user visibility Was changed. This query runs every day and its severity is Medium.'
severity: Medium
status: Available
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
query: |
    GitHubAuditData
    | where Visibility != PreviousVisibility
    | project Actor, PreviousVisibility, Visibility
    | extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)
    | extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Actor
      - identifier: Name
        columnName: Name
      - identifier: UPNSuffix
        columnName: UPNSuffix
version: 1.0.1
kind: Scheduled

Stages and Predicates

Stage 1: source

GitHubAuditData

Stage 2: where

| where Visibility != PreviousVisibility

Stage 3: project

| project Actor, PreviousVisibility, Visibility

Stage 4: extend

| extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)

Stage 5: extend

| extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Visibilityne
  • PreviousVisibility transforms: cased

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

FieldSource
Actorproject
PreviousVisibilityproject
Visibilityproject
Nameextend
UPNSuffixextend