Skip to content

Instantly share code, notes, and snippets.

@chtzvt
Created November 14, 2023 22:40
Show Gist options
  • Save chtzvt/cec8ceca1287d9f04572f68b648df422 to your computer and use it in GitHub Desktop.
Save chtzvt/cec8ceca1287d9f04572f68b648df422 to your computer and use it in GitHub Desktop.
GitHubAuditLogPolling_CL
| where action_s =~ "integration_installation.repositories_added" or action_s =~ "integration_installation.create"
| extend appName = tostring(name_s)
| extend organization = tostring(org_s)
| project-reorder TimeGenerated, actor_s, org_s, organization
| extend date_time = unixtime_milliseconds_todatetime(_timestamp_d)
| project TimeGenerated = date_time, AccountCustomEntity = actor_s, organization = org_s, appName , action = action_s
let allowed_apps = dynamic(["Dependabot", "Microsoft Security DevOps"]);
GitHubAuditLogPolling_CL
| where action_s =~ "integration_installation.repositories_added" or action_s =~ "integration_installation.create"
| extend appName = tostring(name_s)
| where appName !in (allowed_apps)
| extend organization = tostring(org_s)
| project-reorder TimeGenerated, actor_s, org_s, organization
| extend date_time = unixtime_milliseconds_todatetime(_timestamp_d)
| project TimeGenerated = date_time, AccountCustomEntity = actor_s, organization = org_s, appName , action = action_s
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment