Created November 14, 2023 22:40
// GitHub App installed, or an existing installation given access to more repositories
GitHubAuditLogPolling_CL
| where action_s =~ "integration_installation.repositories_added" or action_s =~ "integration_installation.create"
| extend appName = tostring(name_s)
| extend organization = tostring(org_s)
| project-reorder TimeGenerated, actor_s, org_s, organization
// Use the audit event's own timestamp (Unix milliseconds) as the event time
| extend date_time = unixtime_milliseconds_todatetime(_timestamp_d)
| project TimeGenerated = date_time, AccountCustomEntity = actor_s, organization = org_s, appName, action = action_s
// Same events as the unfiltered query, excluding apps on the allow list
let allowed_apps = dynamic(["Dependabot", "Microsoft Security DevOps"]);
GitHubAuditLogPolling_CL
| where action_s =~ "integration_installation.repositories_added" or action_s =~ "integration_installation.create"
| extend appName = tostring(name_s)
// Keep only apps whose name is not on the allow list
| where appName !in (allowed_apps)
| extend organization = tostring(org_s)
| project-reorder TimeGenerated, actor_s, org_s, organization
| extend date_time = unixtime_milliseconds_todatetime(_timestamp_d)
| project TimeGenerated = date_time, AccountCustomEntity = actor_s, organization = org_s, appName, action = action_s
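
One way to regression-test the allow-list query before deploying it, added here as an example and not part of the original gist: constructed rows stand in for the `GitHubAuditLogPolling_CL` table, and the `expect_alert` column, the actor and organization names, and "Example Unvetted App" are assumptions made for the test. Any row the query returns is one where the rule's decision differs from the expectation; the third row records that a differently cased app name still alerts, because `!in` is case-sensitive while `=~` is not.

```kql
let allowed_apps = dynamic(["Dependabot", "Microsoft Security DevOps"]);
// Constructed sample events (not real audit data) shadowing the custom log table.
// expect_alert is a hypothetical column holding the decision the rule should make.
let GitHubAuditLogPolling_CL = datatable(
    _timestamp_d: real, actor_s: string, org_s: string,
    action_s: string, name_s: string, expect_alert: bool)
[
    // Allow-listed app installed: should stay quiet
    1700000000000.0, "alice", "example-org", "integration_installation.create", "Dependabot", false,
    // Unlisted app given access to more repositories: should alert
    1700000060000.0, "bob", "example-org", "integration_installation.repositories_added", "Example Unvetted App", true,
    // Same letters as an allowed name but different case: !in is case-sensitive, so it alerts
    1700000120000.0, "carol", "example-org", "integration_installation.create", "dependabot", true,
    // Action name in different case: =~ is case-insensitive, so the allowed app is still matched and suppressed
    1700000180000.0, "dave", "example-org", "Integration_Installation.Create", "Microsoft Security DevOps", false,
    // Unrelated audit action: outside the rule's scope
    1700000240000.0, "erin", "example-org", "repo.create", "", false
];
GitHubAuditLogPolling_CL
| extend appName = tostring(name_s)
// The rule's two filters combined into one boolean so every row can be checked
| extend fired = (action_s =~ "integration_installation.repositories_added"
        or action_s =~ "integration_installation.create")
    and appName !in (allowed_apps)
| extend date_time = unixtime_milliseconds_todatetime(_timestamp_d)
| project TimeGenerated = date_time, AccountCustomEntity = actor_s, organization = org_s,
    appName, action = action_s, fired, expect_alert
// Rows that survive this filter are mismatches between rule and expectation
| where fired != expect_alert
```

If suppression should ignore case, `!in~` is the case-insensitive form of the operator; change the third row's `expect_alert` to `false` to match.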