From 26d815e6d0f696b1b7eda186ed9c79a1d0f37e50 Mon Sep 17 00:00:00 2001 From: misraved Date: Tue, 23 Sep 2025 12:51:47 +0530 Subject: [PATCH] Refactor access token sections in queries.md for consistency --- docs/tables/github_security_log/queries.md | 64 +++++++++++----------- 1 file changed, 33 insertions(+), 31 deletions(-) diff --git a/docs/tables/github_security_log/queries.md b/docs/tables/github_security_log/queries.md index 957a8ce..0b372d3 100644 --- a/docs/tables/github_security_log/queries.md +++ b/docs/tables/github_security_log/queries.md @@ -66,7 +66,7 @@ order by folder: Authentication ``` -## Access Token Examples +## Personal Access Token Examples ### Personal Access Token Creation @@ -88,7 +88,7 @@ order by ``` ```yaml -folder: Access Token +folder: Personal Access Token ``` ### Personal Access Token Usage @@ -111,72 +111,78 @@ order by ``` ```yaml -folder: Access Token +folder: Personal Access Token ``` -### OAuth Application Authorizations +### Repository-Specific Token Access -Monitor OAuth application authorization events. +Monitor personal access tokens granted access to specific repositories. ```sql select timestamp, action, actor, - oauth_application_name, - oauth_application_id + repositories, + permissions, + repository_selection from github_security_log where - action like 'oauth_authorization.%' + repositories is not null + and action in ('personal_access_token.access_granted', 'personal_access_token.request_created') order by timestamp desc; ``` ```yaml -folder: Access Token +folder: Personal Access Token ``` -### Token Regeneration Events +### Token Permission Changes -Track when authentication tokens were regenerated. +Track changes in token permissions using the old_value field. ```sql select timestamp, action, actor, - token_id, - tp_source_ip + permissions_added, + permissions_unchanged, + permissions_upgraded, + old_value, + new_value from github_security_log where - action like '%regenerate%' + action = 'personal_access_token.request_created' + and (permissions_added is not null or permissions_upgraded is not null) order by timestamp desc; ``` ```yaml -folder: Access Token +folder: Personal Access Token ``` -### Repository-Specific Token Access +## Access Token Examples -Monitor personal access tokens granted access to specific repositories. +### OAuth Application Authorizations + +Monitor OAuth application authorization events. ```sql select timestamp, action, actor, - repositories, - permissions, - repository_selection + oauth_application_name, + oauth_application_id from github_security_log where - repositories is not null - and action in ('personal_access_token.access_granted', 'personal_access_token.request_created') + action like 'oauth_authorization.%' order by timestamp desc; ``` @@ -185,25 +191,21 @@ order by folder: Access Token ``` -### Token Permission Changes +### Token Regeneration Events -Track changes in token permissions using the old_value field. +Track when authentication tokens were regenerated. ```sql select timestamp, action, actor, - permissions_added, - permissions_unchanged, - permissions_upgraded, - old_value, - new_value + token_id, + tp_source_ip from github_security_log where - action = 'personal_access_token.request_created' - and (permissions_added is not null or permissions_upgraded is not null) + action like '%regenerate%' order by timestamp desc; ```