GitHub unknown user cloned private repository

This rule is part of a beta feature. To learn more, contact Support.
This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a unknown actor clones a Github repository.

Strategy

This rule monitors GitHub audit logs for when a repository clone occurs but the actor field is null.

Triage and response

  1. Determine if the clone action was taken by IP address associated with the activity is from a known corporate device.
  2. If the clone action cannot be attributed to an internal user, then begin your organization’s incident response process and investigate.