GitHub anomalous number of repositories cloned by user
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect when a GitHub member has cloned an anomalous number of repositories.
Strategy
This rule monitors GitHub audit logs for when a GitHub member has cloned an anomalous number of repositories. An attacker with unauthorized access or insider threat may try to clone repositories to their system in an effort to collect data for exfiltration or gaining contextual awareness of the environment.
Note: During the onboarding of new staff it is likely that there will be a spike in cloning activity.
Triage and response
- Determine if the behavior is unusual for the user:
- Is the
@actor_location.country_code
or @http.useragent
different? - If IP addresses are available, is the
@network.client.ip
or @network.client.geoip.as.domain
different than usual?
- If the activity is suspicious: