GitHub OAuth access token compromise

This rule is part of a beta feature. To learn more, contact Support.
github-telemetry

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1528-steal-application-access-token

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when an OAuth access token is used from multiple autonomous system numbers (ASNs) and multiple user agents.

Strategy

This rule monitors GitHub audit logs for anomalous activity related to usage of an OAuth access token. By looking at ASNs and user agents, it profiles the expected use of that OAuth token and alerts when the activity deviates from more than two ASNs or two user agents per user in the defined threshold.

Triage and response

  1. Determine if the behavior is unusual for the user:
    • Is the {{@network.client.geoip.as.name}} different than expected? And the {{@user_agent}}?
    • Speak with the user to verify if the OAuth access token behavior is expected.
  2. If the activity is suspicious:
    • Block the user in GitHub to prevent further access.
    • Begin your organization’s incident response process and investigate.

Changelog

  • 25 November 2024 - Updated to exclude common public cloud providers.
PREVIEWING: brett.blue/embedded-collector-release