GitHub personal access token used by previously unseen user agent
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detects when a GitHub personal access token is used by a previously unseen user agent. Identifies potential unauthorized access or token compromise through anomalous client behavior.
Strategy
This rule monitors GitHub audit logs for personal access token usage with new user agents. It tracks @http.useragent values grouped by @hashed_token to establish baseline user agent patterns for each token over a 7-day learning period. The detection triggers when a personal access token (classic or fine-grained) is used with a user agent that hasn’t been observed before.
Triage & Response
- Examine the new user agent string for
{{@github.actor}} to determine if it represents legitimate automation or a suspicious client. - Verify if the token owner authorized the use of new tools or scripts that would generate different user agent strings.
- Review recent GitHub activity for the user to identify any suspicious repository access or data collection attempts.
