GitHub repository activity from suspicious IP
Goal
Detects GitHub repository activities performed from IP addresses flagged as suspicious or malicious by threat intelligence.
Strategy
This rule monitors GitHub audit logs for repository-related activities including repo.push, reference.update, branch.create, branch.delete, repo.create, repo.destroy, repo.rename, repo.transfer, and repo.edit actions. The detection correlates these activities with threat intelligence data where @threat_intel.results.intention is marked as suspicious or malicious.
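The correlation described above, as an added illustration that is not part of the original rule or of Datadog's detection engine: it filters newline-delimited JSON audit events for the monitored actions, keeps only those whose threat-intel enrichment is marked suspicious or malicious, and groups the matches by actor for triage. The event keys (action, repo, github.actor, threat_intel.results) and the sample log lines are assumptions constructed for the example.

```python
import json

# Repository actions watched by the rule (from the Strategy section above).
MONITORED_ACTIONS = {
    "repo.push", "reference.update", "branch.create", "branch.delete",
    "repo.create", "repo.destroy", "repo.rename", "repo.transfer", "repo.edit",
}
# Threat-intel verdicts that make a monitored action alert-worthy.
FLAGGED_INTENTIONS = {"suspicious", "malicious"}


def is_suspicious_repo_activity(event: dict) -> bool:
    """True when the event is a monitored repo action whose source IP was
    enriched with a suspicious or malicious intention (keys are assumed)."""
    if event.get("action") not in MONITORED_ACTIONS:
        return False
    results = event.get("threat_intel", {}).get("results", [])
    return any(r.get("intention") in FLAGGED_INTENTIONS for r in results)


def triage_matches(raw_lines):
    """Parse JSON audit lines and group matching (action, repo) pairs by actor."""
    hits = {}
    for line in raw_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of failing the whole batch
        if is_suspicious_repo_activity(event):
            actor = event.get("github", {}).get("actor", "<unknown>")
            hits.setdefault(actor, []).append((event["action"], event.get("repo", "<unknown>")))
    return hits


# Constructed sample audit lines (not real data; IPs are documentation ranges).
SAMPLE_LOG = [
    '{"action":"repo.push","github":{"actor":"alice"},"repo":"acme/app","actor_ip":"203.0.113.7","threat_intel":{"results":[{"intention":"malicious"}]}}',
    '{"action":"repo.push","github":{"actor":"bob"},"repo":"acme/app","actor_ip":"198.51.100.3","threat_intel":{"results":[{"intention":"benign"}]}}',
    '{"action":"issue.create","github":{"actor":"carol"},"repo":"acme/app","actor_ip":"203.0.113.9","threat_intel":{"results":[{"intention":"suspicious"}]}}',
    '{"action":"branch.delete","github":{"actor":"alice"},"repo":"acme/infra","actor_ip":"203.0.113.7","threat_intel":{"results":[{"intention":"suspicious"}]}}',
    "not json",
]

if __name__ == "__main__":
    for actor, actions in triage_matches(SAMPLE_LOG).items():
        print(actor, actions)
```

Note that carol's issue.create from a suspicious IP is intentionally not matched: the rule scopes to repository actions, so non-repo activity from the same address needs a separate rule.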
Triage and response
- Examine the specific repository actions performed by {{@github.actor}} to determine the scope and nature of the suspicious activity.
- Review the geographic location and reputation of the source IP address to assess the legitimacy of the access.
- Verify if the GitHub user account has legitimate business reasons to access repositories from the flagged IP address.
- Check for any unauthorized code changes, new branches, or repository configuration modifications that could indicate malicious intent.
- Determine if any sensitive data, credentials, or proprietary code may have been accessed or exfiltrated during the suspicious activity.