GitHub user blocked from accessing organization repositories

github-telemetry

Classification:

attack

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a GitHub user has been blocked from accessing organization repositories.

Strategy

This rule monitors GitHub audit logs for when a GitHub user has been blocked from accessing organization repositories. Organization owners and moderators can block anyone who is not a member of the organization from collaborating on the organization’s repositories.

Triage and response

  1. Determine if the change taken by {{@github.actor}} is authorized.
  2. If the change was not authorized or was unexpected, begin your organization’s incident response process and investigate.