Detects when a new GitHub App is installed.

Query

Extract GitHub App installation events from GitHub audit logs in real-time.

| search action == "integration_installation.create"
| rename actor_ip as src_ip, actor as user

Message

• GitHub App installed: admin $user, app $integration

Field Order

• _log_time, src_ip, user, action, repo, integration, name, repository_selection, permissions, user_agent

Threat Analysis

• GitHub Apps can be granted broad access to repositories, workflows, issues, permissions management, and other key functions. If an attacker compromises a GitHub administrator account, they may install a malicious GitHub App to gain persistent access, tamper with source code, or hijack workflows.
• Because GitHub Apps can perform automated actions via APIs, they can be abused to collect repository data or exfiltrate information externally, making them a significant vector for supply chain attacks.
• GitHub App installation requires administrative privileges, and once installed, the app may operate across the entire organization depending on its permissions, significantly increasing the potential blast radius of an incident.
• The action may appear legitimate, making early detection difficult. If the app has access to multiple repositories, incident response becomes more complex due to the large scope of potential impact.

False Positive

• Administrators may legitimately install new GitHub Apps when adopting CI/CD tools, code-scanning products, automation systems, or integrations with external services.
• External partners or service providers may install apps as part of authorized collaboration workflows.
• Reinstallation of an existing app or permission updates may generate installation logs even when fully legitimate.
• In organizations where new developer tools and integrations are frequently deployed, normal IT or DevOps operations may trigger this detection.

Response Actions

• Verify the Installer

  • Confirm that the account ($user) that installed the app is a legitimate administrator and verify whether the installation was intentional.

• Review App Permissions

  • Check the app’s permissions and repository_selection fields to ensure it is not requesting excessive or organization-wide access.
  • Apps requesting broader-than-necessary privileges should be immediately reviewed.

• Remove Suspicious Apps

  • If the installation is deemed unauthorized or suspicious, remove the app immediately and review its activity across repositories.

• Examine Account Activity

  • Analyze login history, IP addresses, and User-Agent patterns of the installing account to identify signs of account compromise.

• Investigate Related Abnormal Activity

  • Look for unusual PR creation, permission modifications, workflow executions, or other suspicious actions before and after the installation event.

• Strengthen Security Controls

  • Restrict GitHub App installation rights to a minimal set of administrators and implement an approval process for new app installations.
  • Enforce pre-deployment permission reviews, conduct periodic audits of installed apps, and remove unused or unnecessary apps.

MITRE ATT&CK

• Tactics

  • Execution, Lateral Movement

• Technique

  • Name: Software Deployment Tools
  • ID: T1072
  • URL: https://attack.mitre.org/techniques/T1072/