GitHub critical resource enumeration activity via API


Goal

Detects mass access to secrets or workflow paths using an API request, which may represent critical data access.

Strategy

This rule monitors GitHub audit logs for api.request events made to URL paths that expose secrets or workflow definitions.

The strategy involves tracking the token used by the actor's session to identify suspicious mass-access patterns. This rule does not alert on GitHub-labeled bot accounts.
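As an added illustration (not the rule's own implementation), the following Python script applies the strategy above to constructed GitHub audit-log events: it keeps only api.request events, skips bot actors, matches request paths that expose secrets or workflows, groups by actor and token, and reports sessions that touched more distinct critical paths than a threshold. The field names (action, actor, actor_is_bot, hashed_token, path), the path shapes and the threshold of 5 are assumptions for this example.

```python
import re
from collections import defaultdict

# REST paths that expose repository or organization secrets and workflow
# definitions (assumed path shapes; the rule's exact path list is not shown).
CRITICAL_PATH = re.compile(
    r"^/repos/[^/]+/[^/]+/actions/(secrets|workflows)(/|$)"
    r"|^/orgs/[^/]+/actions/secrets(/|$)"
)


def _event(actor, token, path, bot=False):
    # Constructed audit-log record; field names are assumptions for this example.
    return {"action": "api.request", "actor": actor, "actor_is_bot": bot,
            "hashed_token": token, "path": path}


# Constructed sample: one human token sweeping secrets across six repos,
# one normal session, one bot session (excluded), one single org-level read.
SAMPLE_EVENTS = (
    [_event("alice", "tok-a1", f"/repos/acme/svc-{i}/actions/secrets") for i in range(6)]
    + [_event("alice", "tok-a1", "/repos/acme/svc-0/issues")]  # not a critical path
    + [_event("bob", "tok-b1", f"/repos/acme/app/actions/workflows/{w}.yml") for w in ("ci", "cd")]
    + [_event("dependabot[bot]", "tok-d1", f"/repos/acme/lib-{i}/actions/secrets", bot=True)
       for i in range(8)]
    + [_event("alice", "tok-a2", "/orgs/acme/actions/secrets")]
)


def is_critical_path(path: str) -> bool:
    return bool(CRITICAL_PATH.match(path))


def find_mass_access(events, threshold=5):
    """Return {(actor, hashed_token): sorted paths} for sessions whose token
    touched at least `threshold` distinct secret/workflow paths.
    Bot actors are skipped, mirroring the rule's bot-account exclusion."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("action") != "api.request" or ev.get("actor_is_bot"):
            continue
        path = ev.get("path", "")
        if is_critical_path(path):
            seen[(ev["actor"], ev["hashed_token"])].add(path)
    return {key: sorted(paths) for key, paths in seen.items() if len(paths) >= threshold}


if __name__ == "__main__":
    for (actor, token), paths in find_mass_access(SAMPLE_EVENTS).items():
        print(f"{actor} via {token}: {len(paths)} distinct critical paths")
```

Grouping by token rather than by actor alone is what separates a single compromised or over-privileged token from an actor's other, legitimate sessions.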

Triage & Response

  • Verify the identity of the actor ({{@github.actor}}) and determine if they have legitimate business reasons to access critical paths.
  • Examine the specific access token used, including its creation date, permissions, and expiration.
  • Review which secrets or workflows were accessed and determine their sensitivity level.
  • Analyze the actor’s normal access patterns to identify deviations from typical behavior.
  • Evaluate if the access occurred from unusual geographic locations or IP addresses.
  • Revoke the access token immediately if activity is confirmed malicious.
  • Rotate any secrets that might have been exposed in the viewed repositories.