GitHub personal access token used to add collaborator

Classification:

attack

Tactic:

Technique:

Set up the github integration.

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detects when GitHub personal access tokens are used to add collaborators to repositories or organizations.

This rule monitors GitHub audit logs for adding collaborators executed through personal access tokens. It tracks two distinct scenarios:

Repository collaborator additions via API calls to /repositories/:repository_id/collaborators/:username with PUT method.
External collaborator additions to organizations through org.add_outside_collaborator actions.

Examine the {{@hashed_token}} to identify the personal access token responsible for the collaborator addition and trace its usage patterns.
Verify if the token owner has legitimate authorization to add collaborators to the affected repository or organization.
Review the added collaborator’s identity and determine if they are an expected team member or external party with business justification.
Check the repository or organization’s access policies to confirm the collaborator addition aligns with established security controls.
Analyze the timing and frequency of collaborator additions to identify potential bulk operations or suspicious automation patterns.