GitHub anomalous bot org activity
Goal
Detect when anomalous organizational activity is occurring from a bot account inside the GitHub organization.
Strategy
This rule monitors GitHub audit logs for actions taken by a bot account that fall outside Git operations and pull requests, since a bot that suddenly performs organization, repository, or membership changes may be misconfigured or operating under a compromised token.
Triage and response
- Assess the bot’s behavior:
  - Review audit logs to determine if the bot’s activity is out of character.
  - Check for anomalies in the bot’s access patterns:
    - Is the @actor_location.country_code unexpected or different from typical locations?
    - Does the @http.useragent or @network.client.ip differ from usual activity?
    - Verify whether the @network.client.geoip.as.domain or IP address aligns with known bot activity.
  - Contact the bot owner to confirm whether the bot should be performing these actions, especially from the observed user agent or IP address.
- If suspicious activity is confirmed:
  - Immediately block the bot in GitHub to prevent further unauthorized actions.
  - Initiate your organization’s incident response process to investigate the scope of the compromise and assess potential damage.
  - Review any additional logs or access tokens used by the bot to determine if further unauthorized actions have occurred.
- Follow-up actions:
  - Reset the bot’s authentication credentials and ensure that no unauthorized tokens or credentials have been issued.
  - Notify relevant stakeholders, including security teams and the bot owner, to provide updates on the investigation.
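The following is an added example, not part of the rule page or Datadog's own implementation, that shows both the detection idea in the Strategy section and the access-pattern checks from the triage steps in working code. It evaluates constructed GitHub audit events shaped like Datadog log attributes: a bot actor is recognised by the "[bot]" suffix or an actor_is_bot flag, an action whose category (the part before the first dot, as in git.push or pull_request.merge) is not Git or pull-request related produces a finding, and the finding is annotated with which of @actor_location.country_code, @http.useragent and @network.client.ip deviate from a per-bot baseline. The baseline, the allowed category set, the bot names, IPs and user agents are all assumptions made up for the example.

```python
from typing import Any, Optional

# Action categories the rule treats as normal bot activity (assumed set for this example).
# GitHub audit log actions have the form "category.operation", e.g. "git.push".
ALLOWED_CATEGORIES = {"git", "pull_request", "pull_request_review", "pull_request_review_comment"}

# Attribute paths from the triage steps, mapped to the baseline key they are compared against.
CHECKED_ATTRIBUTES = {
    "@actor_location.country_code": "country_code",
    "@http.useragent": "useragent",
    "@network.client.ip": "client_ip",
}

# Constructed per-bot baseline; in practice this would be derived from historical audit data.
BASELINE = {
    "deploy-helper[bot]": {
        "country_code": {"US"},
        "useragent": {"deploy-helper/2.1"},
        "client_ip": {"203.0.113.10"},
    },
}


def get_attr(event: dict, path: str) -> Optional[Any]:
    """Resolve a Datadog-style '@a.b.c' path against event['attributes']; None if absent."""
    node: Any = event.get("attributes", {})
    for part in path.lstrip("@").split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def is_bot(event: dict) -> bool:
    """GitHub names app actors with a '[bot]' suffix; newer audit logs also carry actor_is_bot."""
    return bool(event.get("actor_is_bot")) or event.get("actor", "").endswith("[bot]")


def action_category(action: str) -> str:
    return action.split(".", 1)[0]


def evaluate_event(event: dict) -> Optional[dict]:
    """Return a finding for a bot action outside Git/pull-request categories, else None."""
    if not is_bot(event):
        return None
    action = event.get("action", "")
    if action_category(action) in ALLOWED_CATEGORIES:
        return None
    actor = event["actor"]
    anomalies = []
    baseline = BASELINE.get(actor)
    if baseline is None:
        anomalies.append("no_baseline")  # nothing to compare against: triage manually
    else:
        for path, key in CHECKED_ATTRIBUTES.items():
            if get_attr(event, path) not in baseline[key]:
                anomalies.append(path)
    return {
        "actor": actor,
        "action": action,
        "anomalies": anomalies,
        "as_domain": get_attr(event, "@network.client.geoip.as.domain"),
    }


def triage(events: list) -> list:
    """Run the rule over a batch of events and keep only the findings."""
    return [f for f in map(evaluate_event, events) if f is not None]


def make_event(actor, action, country, ua, ip, as_domain="example-cloud.net", **extra):
    """Build a constructed audit event in the nested attribute layout used above."""
    return {
        "actor": actor,
        "action": action,
        "attributes": {
            "actor_location": {"country_code": country},
            "http": {"useragent": ua},
            "network": {"client": {"ip": ip, "geoip": {"as": {"domain": as_domain}}}},
        },
        **extra,
    }


# Constructed sample events: two routine bot actions, one out-of-scope action that still matches
# the baseline, one out-of-scope action from an unfamiliar location/agent/IP, an unknown bot,
# and a human actor that the rule must ignore.
SAMPLE_EVENTS = [
    make_event("deploy-helper[bot]", "git.push", "US", "deploy-helper/2.1", "203.0.113.10"),
    make_event("deploy-helper[bot]", "pull_request.merge", "US", "deploy-helper/2.1", "203.0.113.10"),
    make_event("deploy-helper[bot]", "org.add_member", "US", "deploy-helper/2.1", "203.0.113.10"),
    make_event("deploy-helper[bot]", "repo.access", "BR", "curl/8.4.0", "198.51.100.7", "other-isp.example"),
    make_event("mystery[bot]", "team.add_member", "US", "python-requests/2.31", "192.0.2.44"),
    make_event("alice", "org.remove_member", "US", "Mozilla/5.0", "203.0.113.55"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A finding with an empty anomaly list still merits the "assess the bot's behavior" step: the action is out of scope for the bot even though it came from the usual place, which is exactly the case where confirming with the bot owner settles whether the rule needs tuning or the bot needs blocking.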