GitHub personal access token impossible travel detected from suspicious IP

Set up the GitHub integration.


Goal

Detects GitHub Personal Access Token (PAT) usage from suspicious IP addresses with impossible travel patterns. Identifies potential credential theft when PATs are used from geographically distant locations within an impossible timeframe.

Strategy

This rule monitors GitHub audit logs for personal access token usage from IP addresses flagged by threat intelligence as suspicious or malicious. The detection uses impossible travel analysis to identify when the same @hashed_token is used from locations that are geographically impossible to travel between within the observed timeframe.
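As an added illustration (not the rule's own query or any Datadog code), the sketch below runs the impossible-travel check described above over constructed GitHub audit events: it groups events by `@hashed_token`, computes the distance and implied speed between consecutive uses, and flags a pair when the speed is implausible and one of the IPs is on a threat-intel list. The geolocation table, the suspicious-IP set and the 1000 km/h threshold are assumptions.

```python
from math import radians, sin, cos, asin, sqrt
from datetime import datetime

# Constructed sample audit events (not real data) carrying the fields the
# rule keys on: the hashed PAT, the source IP and the event timestamp.
EVENTS = [
    {"hashed_token": "tok_A", "actor_ip": "203.0.113.10", "@timestamp": "2024-05-01T10:00:00Z"},
    {"hashed_token": "tok_A", "actor_ip": "198.51.100.7", "@timestamp": "2024-05-01T10:30:00Z"},
    {"hashed_token": "tok_B", "actor_ip": "203.0.113.10", "@timestamp": "2024-05-01T09:00:00Z"},
    {"hashed_token": "tok_B", "actor_ip": "203.0.113.11", "@timestamp": "2024-05-01T11:00:00Z"},
]

# Constructed IP -> (lat, lon) table standing in for a GeoIP enrichment step.
GEO = {
    "203.0.113.10": (48.8566, 2.3522),    # Paris
    "203.0.113.11": (48.8566, 2.3522),    # Paris
    "198.51.100.7": (35.6762, 139.6503),  # Tokyo
}

# Constructed threat-intel set standing in for the IP reputation feed.
SUSPICIOUS_IPS = {"198.51.100.7"}

MAX_SPEED_KMH = 1000.0  # assumed threshold: faster than this is "impossible travel"


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_impossible_travel(events, geo, suspicious_ips, max_speed_kmh=MAX_SPEED_KMH):
    """Return one finding per consecutive event pair of the same token that
    implies an impossible speed and involves a suspicious IP."""
    by_token = {}
    for e in events:
        by_token.setdefault(e["hashed_token"], []).append(e)
    findings = []
    for token, evs in by_token.items():
        evs.sort(key=lambda e: _parse_ts(e["@timestamp"]))
        for prev, cur in zip(evs, evs[1:]):
            if prev["actor_ip"] not in geo or cur["actor_ip"] not in geo:
                continue  # no geolocation: cannot reason about travel
            dist = haversine_km(geo[prev["actor_ip"]], geo[cur["actor_ip"]])
            if dist == 0:
                continue  # same location, nothing to flag
            hours = (_parse_ts(cur["@timestamp"]) - _parse_ts(prev["@timestamp"])).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh and {prev["actor_ip"], cur["actor_ip"]} & suspicious_ips:
                findings.append({"hashed_token": token, "from_ip": prev["actor_ip"],
                                 "to_ip": cur["actor_ip"], "distance_km": round(dist),
                                 "elapsed_h": round(hours, 2), "speed_kmh": round(speed)})
    return findings
```

Each finding carries the token, both IPs and the implied speed, which is the context the triage steps below start from.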

Triage & Response

  • Examine the GitHub audit logs for {{@hashed_token}} to identify all recent authentication events and determine the geographic locations involved in the impossible travel pattern.
  • Review the threat intelligence context for the suspicious IP addresses to understand the nature of the threat and potential attack campaigns.
  • Identify the GitHub user account associated with the personal access token and verify if the token usage from distant locations was authorized.
  • Check for any repository access, code changes, or administrative actions performed using the compromised token during the suspicious activity timeframe.
  • If malicious behavior is identified, revoke the compromised personal access token immediately and generate a new token with minimal required permissions for the user.