---
title: GitHub anomalous bot git activity
---

# GitHub anomalous bot git activity
Classification: attack tactic [TA0009-collection](https://attack.mitre.org/tactics/TA0009), technique [T1213-data-from-information-repositories](https://attack.mitre.org/techniques/T1213)

## Goal{% #goal %}

Detect when anomalous Git activity is occurring from a bot account inside the GitHub organization.

## Strategy{% #strategy %}

This rule monitors GitHub audit logs for when a bot takes a Git-related action.

## Triage and response{% #triage-and-response %}

1. Assess the bot's behavior:
   - Review audit logs to determine if the bot's activity is out of character.
   - Check for anomalies in the bot's access patterns:
     - Is the `@actor_location.country_code` unexpected or different from typical locations?
     - Does the `@http.useragent` or `@network.client.ip` differ from usual activity?
     - Verify whether the `@network.client.geoip.as.domain` or IP address aligns with known bot activity.
   - Contact the bot owner to confirm if the bot should be performing these actions, especially from the observed user agent or IP address.
2. If suspicious activity is confirmed:
   - Immediately [block the bot in GitHub](https://docs.github.com/en/enterprise-cloud@latest/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization#blocking-a-user-in-the-organization-settings) to prevent further unauthorized actions.
   - Initiate your organization's incident response process to further investigate the scope of the compromise and assess potential damage.
   - Consider reviewing any additional logs or access tokens used by the bot to determine if further unauthorized actions have occurred.
3. Follow-up actions:
   - Reset the bot's authentication credentials and ensure that no unauthorized tokens or credentials have been issued.
   - Notify relevant stakeholders, including security teams and the bot owner, to provide updates on the investigation.
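The baseline-versus-current comparison that the strategy and the triage checklist above describe, as an added example (not Datadog's rule logic or GitHub's code): it profiles each bot's previously seen `actor_location.country_code`, `http.useragent`, `network.client.ip` and `network.client.geoip.as.domain` values from historical Git actions and flags any new bot Git action carrying a value never seen before. The `git.*` action names and the `[bot]` actor suffix are assumed to follow GitHub audit log conventions; all events are constructed sample data.

```python
"""Baseline/deviation triage of bot Git actions in GitHub audit log events. Added
example, not Datadog's rule logic; all events below are constructed sample data."""
from collections import defaultdict

# Attributes the triage steps compare against the bot's usual activity.
PROFILE_FIELDS = ("actor_location.country_code", "http.useragent",
                  "network.client.ip", "network.client.geoip.as.domain")
GIT_ACTIONS = {"git.clone", "git.fetch", "git.push"}  # assumed GitHub git.* action names

def get_attr(event, dotted):
    """Resolve a dotted attribute path such as 'network.client.ip' in a nested event."""
    node = event
    for part in dotted.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def is_bot_git_action(event):
    # "[bot]" actor suffix is an assumption; match your organization's bot naming.
    return str(event.get("actor", "")).endswith("[bot]") and event.get("action") in GIT_ACTIONS

def build_baseline(history):
    """Per-bot sets of values previously seen for each profile field."""
    baseline = defaultdict(lambda: defaultdict(set))
    for ev in filter(is_bot_git_action, history):
        for field in PROFILE_FIELDS:
            value = get_attr(ev, field)
            if value is not None:
                baseline[ev["actor"]][field].add(value)
    return baseline

def find_anomalies(baseline, events):
    """(actor, action, field, value) for each bot Git action carrying an unseen attribute."""
    findings = []
    for ev in filter(is_bot_git_action, events):
        known = baseline.get(ev["actor"], {})  # unknown bot: every field is flagged
        for field in PROFILE_FIELDS:
            value = get_attr(ev, field)
            if value is not None and value not in known.get(field, set()):
                findings.append((ev["actor"], ev["action"], field, value))
    return findings

def make_event(actor, action, cc, ua, ip, asn):
    """Build a constructed audit event in the nested attribute layout used above."""
    return {"actor": actor, "action": action, "actor_location": {"country_code": cc},
            "http": {"useragent": ua}, "network": {"client": {"ip": ip, "geoip": {"as": {"domain": asn}}}}}

HISTORY = [make_event("ci-runner[bot]", "git.fetch", "US", "git/2.43.0", "203.0.113.10", "example-ci.net"),
           make_event("ci-runner[bot]", "git.push", "US", "git/2.43.0", "203.0.113.11", "example-ci.net")]
NEW = [make_event("ci-runner[bot]", "git.fetch", "US", "git/2.43.0", "203.0.113.10", "example-ci.net"),
       make_event("ci-runner[bot]", "git.clone", "RU", "python-requests/2.31", "198.51.100.7", "example-vps.net")]
```

Each finding names the attribute that deviated, which maps directly onto the questions in the triage checklist; tune `PROFILE_FIELDS` and the baseline window to your own audit log retention.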
