GitHub SSH key added by suspicious IP
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect when a SSH key has been added from a suspicious IP.
Strategy
This rule monitors GitHub audit logs for when a SSH key has been added from a suspicious IP. A phishing campaign reported by Github’s security team indicated that attackers may try to add a SSH key once they have gained unauthorized access to an account to maintain access. Using Datadog threat intelligence the signals raised will have originated from IP addresses deemed to be suspicious.
Note: By default GitHub does not display the source IP address for events in your organization’s audit log. See this post for further information.
Triage and response
- Determine if the behavior is unusual for the user:
- Is the
@actor_location.country_code
or @http.useragent
different? - If IP addresses are available, is the
@network.client.ip
or @network.client.geoip.as.domain
different than usual? - Speak with the user to verify if they added the SSH key.
- If the activity is suspicious: