Analytics Story: GitHub Malicious Activity

Description

Leverage searches that detect and investigate suspicious GitHub activity that might indicate malicious behavior, including pull requests from unknown users, disabled security workflows, and other potentially harmful repository modifications. These detections help identify attempts to compromise repositories through unauthorized code changes, bypassed security controls, and other suspicious actions that could lead to supply chain attacks or data breaches.

Why it matters

GitHub is a popular platform for developers to collaborate on code and manage projects. However, it can also be used by malicious actors to conduct various types of attacks, including supply chain attacks, data breaches, and other malicious activities.

Detections

Name | Technique | Type
GitHub Enterprise Repository Deleted | Supply Chain Compromise, Data Destruction | Anomaly
GitHub Organizations Disable 2FA Requirement | Supply Chain Compromise, Disable or Modify Tools | Anomaly
GitHub Enterprise Disable Dependabot | Supply Chain Compromise, Disable or Modify Tools | Anomaly
GitHub Organizations Disable Dependabot | Supply Chain Compromise, Disable or Modify Tools | Anomaly
GitHub Organizations Repository Archived | Supply Chain Compromise, Data Destruction | Anomaly
GitHub Enterprise Delete Branch Ruleset | Supply Chain Compromise, Disable or Modify Tools | Anomaly
GitHub Enterprise Disable Classic Branch Protection Rule | Supply Chain Compromise, Disable or Modify Tools | Anomaly
GitHub Enterprise Remove Organization | Supply Chain Compromise, Data Destruction | Anomaly
GitHub Enterprise Pause Audit Log Event Stream | Supply Chain Compromise, Disable or Modify Cloud Log | Anomaly
GitHub Enterprise Disable IP Allow List | Supply Chain Compromise, Disable or Modify Tools | Anomaly
GitHub Enterprise Repository Archived | Supply Chain Compromise, Data Destruction | Anomaly
GitHub Organizations Delete Branch Ruleset | Supply Chain Compromise, Disable or Modify Tools | Anomaly
GitHub Enterprise Modify Audit Log Event Stream | Supply Chain Compromise, Disable or Modify Cloud Log | Anomaly
GitHub Enterprise Register Self Hosted Runner | Supply Chain Compromise, Disable or Modify Tools | Anomaly
GitHub Enterprise Disable Audit Log Event Stream | Supply Chain Compromise, Disable or Modify Cloud Log | Anomaly
GitHub Enterprise Disable 2FA Requirement | Supply Chain Compromise, Disable or Modify Tools | Anomaly
GitHub Organizations Disable Classic Branch Protection Rule | Supply Chain Compromise, Disable or Modify Tools | Anomaly
GitHub Organizations Repository Deleted | Supply Chain Compromise, Data Destruction | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
GitHub Enterprise Audit Logs | Other | httpevent | http:github
GitHub Organizations Audit Logs | Other | github:cloud:audit | github

Source: GitHub | Version: 2