GitHub repository activity from suspicious IP


Goal

Detects GitHub repository activities performed from IP addresses flagged as suspicious or malicious by threat intelligence.

Strategy

This rule monitors GitHub audit logs for repository-related activities including repo.push, reference.update, branch.create, branch.delete, repo.create, repo.destroy, repo.rename, repo.transfer, and repo.edit actions. The detection correlates these activities with threat intelligence data where @threat_intel.results.intention is marked as suspicious or malicious.
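As an added illustration (not Datadog's rule engine or the rule's actual query), the following Python script shows the correlation the strategy describes: each audit-log event is enriched with a threat-intel verdict for its source IP, and an event fires only when its action is one of the listed repository actions and the verdict is suspicious or malicious. The event field names (`action`, `actor`, `actor_ip`, `repo`), the `THREAT_INTEL` lookup table and the sample audit lines are constructed assumptions standing in for the real `@github.*` and `@threat_intel.results.intention` attributes; the `summarize_by_actor` helper groups the hits per actor so the scope of the activity is visible at a glance.

```python
"""Added example: correlate GitHub audit-log events with threat-intel verdicts
on the source IP. Illustrative code only; event shape and the lookup table are
constructed assumptions, not the real @github / @threat_intel attributes."""
import json
from collections import defaultdict

# Repository actions named in the rule's strategy.
REPO_ACTIONS = {
    "repo.push", "reference.update", "branch.create", "branch.delete",
    "repo.create", "repo.destroy", "repo.rename", "repo.transfer", "repo.edit",
}
# Verdicts that make an event match (mirrors @threat_intel.results.intention).
FLAGGED_INTENTIONS = {"suspicious", "malicious"}

# Constructed threat-intel lookup (assumption: dict from IP to result list),
# standing in for the enrichment that populates @threat_intel.results.
THREAT_INTEL = {
    "198.51.100.23": [{"intention": "malicious", "category": "example-feed"}],
    "203.0.113.9": [{"intention": "suspicious", "category": "example-feed"}],
    "192.0.2.77": [{"intention": "benign", "category": "example-feed"}],
}


def enrich(event):
    """Attach threat-intel results for the event's source IP (hypothetical enrichment step)."""
    results = THREAT_INTEL.get(event.get("actor_ip"), [])
    return {**event, "threat_intel": {"results": results}}


def matches_rule(event):
    """True when a repository action was performed from a flagged IP."""
    if event.get("action") not in REPO_ACTIONS:
        return False
    results = event.get("threat_intel", {}).get("results", [])
    return any(r.get("intention") in FLAGGED_INTENTIONS for r in results)


def detect(raw_lines):
    """Parse JSON-lines audit events, enrich them, and return the matching ones."""
    hits = []
    for line in raw_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole run
        event = enrich(event)
        if matches_rule(event):
            hits.append(event)
    return hits


def summarize_by_actor(hits):
    """Scope per actor: which actions, on which repos, from which flagged IPs."""
    summary = defaultdict(lambda: {"actions": set(), "repos": set(), "ips": set()})
    for h in hits:
        s = summary[h["actor"]]
        s["actions"].add(h["action"])
        s["repos"].add(h.get("repo", "<unknown>"))
        s["ips"].add(h["actor_ip"])
    return {actor: {k: sorted(v) for k, v in s.items()} for actor, s in summary.items()}


# Constructed sample audit log (JSON lines); one line is deliberately malformed.
SAMPLE_AUDIT_LOG = """
{"action": "repo.push", "actor": "alice", "actor_ip": "198.51.100.23", "repo": "acme/payments"}
{"action": "branch.create", "actor": "alice", "actor_ip": "198.51.100.23", "repo": "acme/payments"}
{"action": "repo.push", "actor": "bob", "actor_ip": "192.0.2.77", "repo": "acme/web"}
{"action": "org.add_member", "actor": "carol", "actor_ip": "203.0.113.9"}
{"action": "repo.transfer", "actor": "carol", "actor_ip": "203.0.113.9", "repo": "acme/internal-tools"}
not json at all
"""

if __name__ == "__main__":
    matched = detect(SAMPLE_AUDIT_LOG.splitlines())
    print(json.dumps(summarize_by_actor(matched), indent=2))
```

Running the script reports alice (push and branch creation from a malicious IP) and carol (a repository transfer from a suspicious IP); bob's push from a benign IP and carol's non-repository `org.add_member` action are not matched, which is the two-condition filter the rule applies.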

Triage and response

  • Examine the specific repository actions performed by {{@github.actor}} to determine the scope and nature of the suspicious activity.
  • Review the geographic location and reputation of the source IP address to assess the legitimacy of the access.
  • Verify whether the GitHub user account has a legitimate business reason to access repositories from the flagged IP address.
  • Check for any unauthorized code changes, new branches, or repository configuration modifications that could indicate malicious intent.
  • Determine if any sensitive data, credentials, or proprietary code may have been accessed or exfiltrated during the suspicious activity.