Rules detecting the same action
Other rules on this platform that filter on the same API call or operation.
- GitHub - Repository was created (Kusto)
- Github Public Repository Created (Panther)
- GitHub Repo Created (Elastic)
- NX Supply Chain - S1ngularity Repository Detection (Panther)
Rule body yaml
AnalysisType: rule
Filename: github_repo_created.py
RuleID: "Github.Repo.Created"
DisplayName: "GitHub Repository Created"
Enabled: true
LogTypes:
- GitHub.Audit
Tags:
- GitHub
Reference: https://docs.github.com/en/get-started/quickstart/create-a-repo
Severity: Info
Description: Detects when a repository is created.
Tests:
- Name: GitHub - Repo Created
ExpectedResult: true
Log:
{
"actor": "cat",
"action": "repo.create",
"created_at": 1621305118553,
"org": "my-org",
"p_log_type": "GitHub.Audit",
"repo": "my-org/my-repo",
}
- Name: GitHub - Repo Archived
ExpectedResult: false
Log:
{
"actor": "cat",
"action": "repo.archived",
"created_at": 1621305118553,
"org": "my-org",
"p_log_type": "GitHub.Audit",
"repo": "my-org/my-repo",
}
Detection logic
Condition
action eq "repo.create"
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
action | eq |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field |
|---|
repo |