@chtzvt
Created November 14, 2023 22:40
// Lists GitHub App installation activity recorded in the polled GitHub audit
// log: new installations (integration_installation.create) and repositories
// being added to an existing installation
// (integration_installation.repositories_added).
// Action names are compared case-insensitively.
// This variant has no allowlist, so every matching event is returned.
GitHubAuditLogPolling_CL
| where action_s in~ ("integration_installation.repositories_added", "integration_installation.create")
| project
    // Report the event's own time (_timestamp_d read as Unix milliseconds)
    // in place of the table's TimeGenerated value.
    TimeGenerated = unixtime_milliseconds_todatetime(_timestamp_d),
    // The acting user, exposed under the column name used for account entity mapping.
    AccountCustomEntity = actor_s,
    organization = org_s,
    appName = tostring(name_s),
    action = action_s
// Reports GitHub App installation activity for apps that are NOT on the
// allowlist below: new installations (integration_installation.create) and
// repositories added to an existing installation
// (integration_installation.repositories_added).
//
// Allowlist notes:
//  - `!in` is case-sensitive, so each entry must match the value stored in
//    name_s exactly; a differently-cased name is reported, not suppressed.
//  - The allowlist filter applies to both actions, so an allowlisted app
//    gaining access to additional repositories is not reported by this query.
//  - NOTE(review): matching is by the app name in name_s only. If the table
//    also carries a stable app identifier, consider allowlisting on that
//    instead; confirm which columns are available.
let allowed_apps = dynamic(["Dependabot", "Microsoft Security DevOps"]);
GitHubAuditLogPolling_CL
| where action_s in~ ("integration_installation.repositories_added", "integration_installation.create")
| where tostring(name_s) !in (allowed_apps)
| project
    // Report the event's own time (_timestamp_d read as Unix milliseconds)
    // in place of the table's TimeGenerated value.
    TimeGenerated = unixtime_milliseconds_todatetime(_timestamp_d),
    // The acting user, exposed under the column name used for account entity mapping.
    AccountCustomEntity = actor_s,
    organization = org_s,
    appName = tostring(name_s),
    action = action_s