Analytics Story: GitHub Malicious Activity

Description

Leverage searches that allow you to detect and investigate suspicious GitHub activities that might indicate malicious behavior, including pull requests from unknown users, disabled security workflows, and other potentially harmful repository modifications. These detections help identify attempts to compromise repositories through unauthorized code changes, bypassed security controls, and other suspicious actions that could lead to supply chain attacks or data breaches.

Why it matters

GitHub is a popular platform for developers to collaborate on code and manage projects. However, it can also be abused by malicious actors to carry out supply chain attacks, data breaches, and other attacks.

Detections

Name | Technique | Type
GitHub Enterprise Delete Branch Ruleset | Disable or Modify Tools, Supply Chain Compromise | Anomaly
GitHub Enterprise Disable 2FA Requirement | Disable or Modify Tools, Supply Chain Compromise | Anomaly
GitHub Enterprise Disable Audit Log Event Stream | Disable or Modify Cloud Logs, Supply Chain Compromise | Anomaly
GitHub Enterprise Disable Classic Branch Protection Rule | Disable or Modify Tools, Supply Chain Compromise | Anomaly
GitHub Enterprise Disable Dependabot | Disable or Modify Tools, Supply Chain Compromise | Anomaly
GitHub Enterprise Disable IP Allow List | Disable or Modify Tools, Supply Chain Compromise | Anomaly
GitHub Enterprise Modify Audit Log Event Stream | Disable or Modify Cloud Logs, Supply Chain Compromise | Anomaly
GitHub Enterprise Pause Audit Log Event Stream | Disable or Modify Cloud Logs, Supply Chain Compromise | Anomaly
GitHub Enterprise Register Self Hosted Runner | Disable or Modify Tools, Supply Chain Compromise | Anomaly
GitHub Enterprise Remove Organization | Data Destruction, Supply Chain Compromise | Anomaly
GitHub Enterprise Repository Archived | Data Destruction, Supply Chain Compromise | Anomaly
GitHub Enterprise Repository Deleted | Data Destruction, Supply Chain Compromise | Anomaly
GitHub Organizations Delete Branch Ruleset | Disable or Modify Tools, Supply Chain Compromise | Anomaly
GitHub Organizations Disable 2FA Requirement | Disable or Modify Tools, Supply Chain Compromise | Anomaly
GitHub Organizations Disable Classic Branch Protection Rule | Disable or Modify Tools, Supply Chain Compromise | Anomaly
GitHub Organizations Disable Dependabot | Disable or Modify Tools, Supply Chain Compromise | Anomaly
GitHub Organizations Repository Archived | Data Destruction, Supply Chain Compromise | Anomaly
GitHub Organizations Repository Deleted | Data Destruction, Supply Chain Compromise | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
GitHub Enterprise Audit Logs | N/A | httpevent | http:github
GitHub Organizations Audit Logs | N/A | github:cloud:audit | github

References


Source: GitHub | Version: 1