GitHub repository activity from suspicious IP

Goal

Detects GitHub repository activities performed from IP addresses flagged as suspicious or malicious by threat intelligence.

Strategy

This rule monitors GitHub audit logs for repository-related activities including repo.push, reference.update, branch.create, branch.delete, repo.create, repo.destroy, repo.rename, repo.transfer, and repo.edit actions. The detection correlates these activities with threat intelligence data where @threat_intel.results.intention is marked as suspicious or malicious.

Triage and response

  • Examine the specific repository actions performed by {{@github.actor}} to determine the scope and nature of the suspicious activity.
  • Review the geographic location and reputation of the source IP address to assess the legitimacy of the access.
  • Verify if the GitHub user account has legitimate business reasons to access repositories from the flagged IP address.
  • Check for any unauthorized code changes, new branches, or repository configuration modifications that could indicate malicious intent.
  • Determine if any sensitive data, credentials, or proprietary code may have been accessed or exfiltrated during the suspicious activity.