GitHub repository activity from suspicious IP


Goal

Detects GitHub repository activities performed from IP addresses flagged as suspicious or malicious by threat intelligence.

Strategy

This rule monitors GitHub audit logs for repository-related activities including repo.push, reference.update, branch.create, branch.delete, repo.create, repo.destroy, repo.rename, repo.transfer, and repo.edit actions. The detection correlates these activities with threat intelligence data where @threat_intel.results.intention is marked as suspicious or malicious.
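As an added illustration (not part of the rule or of Datadog's own code), the following Python applies the same logic to constructed GitHub audit log lines: keep only the repository actions listed above, and flag an event when any attached threat-intel result has an intention of suspicious or malicious. Field names such as actor, threat_intel.results and network.client.ip are simplified assumptions standing in for the @github.actor, @threat_intel.results.intention and client IP attributes; the sample lines are constructed, not real events.

```python
import json
from typing import Iterable

# Repository actions named in the Strategy section of the rule.
REPO_ACTIONS = {
    "repo.push", "reference.update", "branch.create", "branch.delete",
    "repo.create", "repo.destroy", "repo.rename", "repo.transfer", "repo.edit",
}
# Threat-intel intentions that cause the rule to fire.
FLAGGED_INTENTIONS = {"suspicious", "malicious"}


def is_flagged(event: dict) -> bool:
    """True when the event is a repository action and at least one enriched
    threat-intel result carries a flagged intention."""
    if event.get("action") not in REPO_ACTIONS:
        return False
    results = event.get("threat_intel", {}).get("results", [])
    return any(r.get("intention") in FLAGGED_INTENTIONS for r in results)


def flagged_by_actor(events: Iterable[dict]) -> dict[str, list[str]]:
    """Group matching events by actor so triage can see the scope of what
    one account did from a flagged IP: actor -> ['action repo', ...]."""
    out: dict[str, list[str]] = {}
    for ev in events:
        if is_flagged(ev):
            out.setdefault(ev["actor"], []).append(f"{ev['action']} {ev.get('repo', '?')}")
    return out


def parse_log(text: str) -> list[dict]:
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


# Constructed sample audit-log lines (assumed field layout, not real data).
SAMPLE_LOG = """
{"action": "repo.push", "actor": "alice", "repo": "org/payments", "network": {"client": {"ip": "203.0.113.7"}}, "threat_intel": {"results": [{"intention": "malicious", "category": "scanner"}]}}
{"action": "repo.push", "actor": "bob", "repo": "org/docs", "network": {"client": {"ip": "198.51.100.2"}}, "threat_intel": {"results": [{"intention": "benign"}]}}
{"action": "org.update_member", "actor": "alice", "network": {"client": {"ip": "203.0.113.7"}}, "threat_intel": {"results": [{"intention": "malicious"}]}}
{"action": "repo.transfer", "actor": "alice", "repo": "org/payments", "network": {"client": {"ip": "203.0.113.7"}}, "threat_intel": {"results": [{"intention": "suspicious"}]}}
{"action": "branch.create", "actor": "carol", "repo": "org/infra", "network": {"client": {"ip": "192.0.2.9"}}}
"""

if __name__ == "__main__":
    # Only alice's two repository actions from the malicious/suspicious IP match;
    # bob's IP is benign, alice's org action is out of scope, carol has no enrichment.
    for actor, actions in flagged_by_actor(parse_log(SAMPLE_LOG)).items():
        print(actor, actions)
```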

Triage and response

  • Examine the specific repository actions performed by {{@github.actor}} to determine the scope and nature of the suspicious activity.
  • Review the geographic location and reputation of the source IP address to assess the legitimacy of the access.
  • Verify if the GitHub user account has legitimate business reasons to access repositories from the flagged IP address.
  • Check for any unauthorized code changes, new branches, or repository configuration modifications that could indicate malicious intent.
  • Determine if any sensitive data, credentials, or proprietary code may have been accessed or exfiltrated during the suspicious activity.