GitHub anomalous bot org activity

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect when anomalous organizational activity is occurring from a bot account inside the GitHub organization.

Strategy

This rule monitors GitHub audit logs for when a bot takes an action outside of Git operations and pull requests.

Triage and response

  1. Assess the bot’s behavior:
  • Review audit logs to determine if the bot’s activity is out of character.
  • Check for anomalies in the bot’s access patterns:
    • Is the @actor_location.country_code unexpected or different from typical locations?
    • Does the @http.useragent or @network.client.ip differ from usual activity?
    • Verify whether the @network.client.geoip.as.domain or IP address aligns with known bot activity.
  • Contact the bot owner to confirm whether the bot should be performing these actions, especially from the observed user agent or IP address.

  2. If suspicious activity is confirmed:
  • Immediately block the bot in GitHub to prevent further unauthorized actions (see Block the user in GitHub).
  • Initiate your organization’s incident response process to further investigate the scope of the compromise and assess potential damage.
  • Review any additional logs or access tokens used by the bot to determine whether further unauthorized actions have occurred.

  3. Follow-up actions:
  • Reset the bot’s authentication credentials and ensure that no unauthorized tokens or credentials have been issued.
  • Notify relevant stakeholders, including security teams and the bot owner, to provide updates on the investigation.
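As an added example (not Datadog's rule implementation), the following Python script applies the strategy and the first triage step above to a few constructed GitHub audit log events: it treats actors whose login ends in `[bot]` as bot accounts (an assumed naming convention), flags any of their actions whose category is neither `git` nor `pull_request`, and notes when the event's country code differs from the bot's usual country. The field names `action`, `actor` and `actor_location.country_code` are assumed to follow GitHub's audit log export.

```python
# Action categories a bot is expected to produce; anything else is anomalous.
EXPECTED_CATEGORIES = {"git", "pull_request"}

# Constructed sample audit log events (field names assumed per GitHub's export).
SAMPLE_EVENTS = [
    {"action": "git.push", "actor": "ci-runner[bot]", "actor_location": {"country_code": "US"}},
    {"action": "pull_request.merge", "actor": "ci-runner[bot]", "actor_location": {"country_code": "US"}},
    {"action": "org.add_member", "actor": "ci-runner[bot]", "actor_location": {"country_code": "US"}},
    {"action": "repo.create", "actor": "ci-runner[bot]", "actor_location": {"country_code": "RO"}},
    {"action": "org.add_member", "actor": "alice", "actor_location": {"country_code": "US"}},
]


def is_bot(actor: str) -> bool:
    # Assumption: GitHub Apps appear in audit logs as "<name>[bot]".
    return actor.endswith("[bot]")


def action_category(action: str) -> str:
    # "git.push" -> "git", "org.add_member" -> "org"
    return action.split(".", 1)[0]


def find_anomalous_bot_actions(events, baseline_countries):
    """Return (actor, action, note) for each bot action outside Git/PR operations.

    baseline_countries maps a bot login to its usual country code; a mismatch is
    reported alongside the action so the triage step has that context at hand.
    """
    findings = []
    for ev in events:
        actor = ev.get("actor", "")
        if not is_bot(actor):
            continue  # human users are out of scope for this rule
        if action_category(ev.get("action", "")) in EXPECTED_CATEGORIES:
            continue  # Git operations and pull requests are expected bot activity
        country = ev.get("actor_location", {}).get("country_code")
        usual = baseline_countries.get(actor)
        if country == usual:
            note = "country matches baseline"
        else:
            note = f"unexpected country {country} (baseline {usual})"
        findings.append((actor, ev["action"], note))
    return findings


if __name__ == "__main__":
    for finding in find_anomalous_bot_actions(SAMPLE_EVENTS, {"ci-runner[bot]": "US"}):
        print(finding)
```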