GitHub repository activity from suspicious IP

github-telemetry

Classification:

attack

Tactic:

TA0009-collection

Technique:

T1213-data-from-information-repositories

Goal

Detects GitHub repository activities performed from IP addresses flagged as suspicious or malicious by threat intelligence.

Strategy

This rule monitors GitHub audit logs for repository-related activities including repo.push, reference.update, branch.create, branch.delete, repo.create, repo.destroy, repo.rename, repo.transfer, and repo.edit actions. The detection correlates these activities with threat intelligence data where @threat_intel.results.intention is marked as suspicious or malicious.

Triage and response

  • Examine the specific repository actions performed by {{@github.actor}} to determine the scope and nature of the suspicious activity.
  • Review the geographic location and reputation of the source IP address to assess the legitimacy of the access.
  • Verify if the GitHub user account has legitimate business reasons to access repositories from the flagged IP address.
  • Check for any unauthorized code changes, new branches, or repository configuration modifications that could indicate malicious intent.
  • Determine if any sensitive data, credentials, or proprietary code may have been accessed or exfiltrated during the suspicious activity.