Analytics Story: GitHub Malicious Activity

Date: 2025-01-14 ID: 9abdd884-909d-46a8-bf11-9fbcd076fac2 Author: Patrick Bareiss, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate suspicious GitHub activities that might indicate malicious behavior, including pull requests from unknown users, disabled security workflows, and other potentially harmful repository modifications. These detections help identify attempts to compromise repositories through unauthorized code changes, bypassed security controls, and other suspicious actions that could lead to supply chain attacks or data breaches.

Why it matters

GitHub is a popular platform for developers to collaborate on code and manage projects. However, it can also be used by malicious actors to conduct various types of attacks, including supply chain attacks, data breaches, and other malicious activities.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
GitHub Enterprise Delete Branch Ruleset	Disable or Modify Tools, Supply Chain Compromise	Anomaly
GitHub Enterprise Disable 2FA Requirement	Disable or Modify Tools, Supply Chain Compromise	Anomaly
GitHub Enterprise Disable Audit Log Event Stream	Disable or Modify Cloud Logs, Supply Chain Compromise	Anomaly
GitHub Enterprise Disable Classic Branch Protection Rule	Disable or Modify Tools, Supply Chain Compromise	Anomaly
GitHub Enterprise Disable Dependabot	Disable or Modify Tools, Supply Chain Compromise	Anomaly
GitHub Enterprise Disable IP Allow List	Disable or Modify Tools, Supply Chain Compromise	Anomaly
GitHub Enterprise Modify Audit Log Event Stream	Disable or Modify Cloud Logs, Supply Chain Compromise	Anomaly
GitHub Enterprise Pause Audit Log Event Stream	Disable or Modify Cloud Logs, Supply Chain Compromise	Anomaly
GitHub Enterprise Register Self Hosted Runner	Disable or Modify Tools, Supply Chain Compromise	Anomaly
GitHub Enterprise Remove Organization	Data Destruction, Supply Chain Compromise	Anomaly
GitHub Enterprise Repository Archived	Data Destruction, Supply Chain Compromise	Anomaly
GitHub Enterprise Repository Deleted	Data Destruction, Supply Chain Compromise	Anomaly
GitHub Organizations Delete Branch Ruleset	Disable or Modify Tools, Supply Chain Compromise	Anomaly
GitHub Organizations Disable 2FA Requirement	Disable or Modify Tools, Supply Chain Compromise	Anomaly
GitHub Organizations Disable Classic Branch Protection Rule	Disable or Modify Tools, Supply Chain Compromise	Anomaly
GitHub Organizations Disable Dependabot	Disable or Modify Tools, Supply Chain Compromise	Anomaly
GitHub Organizations Repository Archived	Data Destruction, Supply Chain Compromise	Anomaly
GitHub Organizations Repository Deleted	Data Destruction, Supply Chain Compromise	Anomaly

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
GitHub Enterprise Audit Logs	N/A	`httpevent`	`http:github`
GitHub Organizations Audit Logs	N/A	`github:cloud:audit`	`github`

References

https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610

Source: GitHub | Version: 1