GitHub OAuth access token compromise
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect when an OAuth access token is used from multiple autonomous system numbers (ASNs) and multiple user agents.
Strategy
This rule monitors GitHub audit logs for anomalous activity related to usage of an OAuth access token. By looking at ASNs and user agents, it profiles the expected use of that OAuth token and alerts when the activity deviates from more than two ASNs or two user agents per user in the defined threshold.
Triage and response
- Determine if the behavior is unusual for the user:
- Is the
{{@network.client.geoip.as.name}}
different than expected? And the {{@user_agent}}
? - Speak with the user to verify if the OAuth access token behavior is expected.
- If the activity is suspicious: