GitHub personal access token granted and used to clone large amount of repositories
Goal
Detect when a GitHub personal access token is used to clone repositories.
Strategy
This rule monitors GitHub audit logs for repository clone events that were authenticated with a personal access token. If a single actor clones five repositories, a medium severity alert is generated. If an actor clones ten or more repositories, a high severity alert is generated.
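As an added example, not part of this rule's documentation and not Datadog's or GitHub's own code, the following Python sketch applies the two thresholds above to a handful of constructed GitHub audit log lines. It assumes `git.clone` events carry `actor`, `repo` and `programmatic_access_type` fields (GitHub's audit log exposes fields of that shape, but the exact names and values used here are assumptions), skips non-clone events, clones made with other credential types and malformed lines, and counts distinct repositories per actor, which is one reading of "clones five repositories".

```python
import json
from collections import defaultdict

MEDIUM_THRESHOLD = 5   # distinct repos cloned with a PAT -> medium
HIGH_THRESHOLD = 10    # distinct repos cloned with a PAT -> high


def _event(actor, repo, access="Personal access token"):
    # Constructed sample event; field names are assumptions about the
    # shape of a GitHub git.clone audit entry, not a documented schema.
    return {"action": "git.clone", "actor": actor, "repo": repo,
            "programmatic_access_type": access, "@timestamp": 1700000000000}


# Constructed sample log (not real data): alice trips the high threshold,
# bob the medium one, carol stays under both, dave clones with an OAuth
# token rather than a PAT, plus one unrelated event and one junk line.
SAMPLE_EVENTS = (
    [_event("alice", f"acme/service-{i}") for i in range(12)]
    + [_event("bob", f"acme/lib-{i}") for i in range(6)]
    + [_event("bob", "acme/lib-0")]  # repeat clone of the same repo, counted once
    + [_event("carol", f"acme/tool-{i}") for i in range(3)]
    + [_event("dave", f"acme/app-{i}", access="OAuth access token") for i in range(7)]
    + [{"action": "repo.create", "actor": "alice", "repo": "acme/new"}]
)
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\nnot-json\n"


def is_pat_clone(event):
    """True for a git.clone event authenticated with a personal access token."""
    access = str(event.get("programmatic_access_type", "")).lower()
    return event.get("action") == "git.clone" and "personal access token" in access


def count_pat_clones(log_text):
    """Map each actor to the set of distinct repositories they cloned with a PAT."""
    clones = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a detector should skip bad lines, not crash on them
        if is_pat_clone(event) and "actor" in event and "repo" in event:
            clones[event["actor"]].add(event["repo"])
    return clones


def severity_for(distinct_repo_count):
    """Return 'high', 'medium' or None for a per-actor distinct repo count."""
    if distinct_repo_count >= HIGH_THRESHOLD:
        return "high"
    if distinct_repo_count >= MEDIUM_THRESHOLD:
        return "medium"
    return None


def evaluate(log_text):
    """Return {actor: (distinct_repo_count, severity)} for actors over a threshold."""
    signals = {}
    for actor, repos in count_pat_clones(log_text).items():
        severity = severity_for(len(repos))
        if severity is not None:
            signals[actor] = (len(repos), severity)
    return signals


if __name__ == "__main__":
    for actor, (count, severity) in sorted(evaluate(SAMPLE_AUDIT_LOG).items()):
        print(f"{severity.upper():6} {actor}: {count} repositories cloned with a PAT")
```

The real rule evaluates counts inside a time window that this page does not state; a practitioner porting the logic would add that window and decide whether repeated clones of one repository should count, since the page says only "repositories".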
Triage and response
- Determine if the multiple repository clones by {{@github.actor}} are an expected action.
- If the activity was not authorized or was unexpected, begin your organization's incident response process and investigate.