GitHub unknown user cloned private repository

This rule is part of a beta feature. To learn more, contact Support.
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a unknown actor clones a Github repository.

Strategy

This rule monitors GitHub audit logs for when a repository clone occurs but the actor field is null.

Triage and response

  1. Determine if the clone action was taken by IP address associated with the activity is from a known corporate device.
  2. If the clone action cannot be attributed to an internal user, then begin your organization’s incident response process and investigate.