Github Activity on a Private Repository from an Unusual IP
Detects when there is activity on a private GitHub repository from an unusual IP address. Adversaries may access private repositories from unfamiliar IPs to exfiltrate sensitive code or data, potentially indicating a compromise or unauthorized access.
# Rule lifecycle metadata. Dates are "YYYY/MM/DD" strings, as the detection-rules repo expects.
[metadata]
creation_date = "2025/12/16"
# Data comes from the "github" Fleet integration; the rule reads its audit data stream (see index/query below).
integration = ["github"]
maturity = "production"
updated_date = "2026/04/10"

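[rule]
author = ["Elastic"]
description = """
Detects when there is activity on a private GitHub repository from an unusual IP address. Adversaries may
access private repositories from unfamiliar IPs to exfiltrate sensitive code or data, potentially indicating
a compromise or unauthorized access.
"""
# No explicit interval is set, so the platform default applies; the 9m lookback gives an overlap between
# runs so audit events that land late (see timestamp_override below) are still evaluated once.
from = "now-9m"
index = ["logs-github.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "Github Activity on a Private Repository from an Unusual IP"
# Background on the campaign this rule was written against (Shai-Hulud npm worm, which pushed stolen
# secrets and code to GitHub).
references = [
    "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack",
    "https://trigger.dev/blog/shai-hulud-postmortem",
    "https://posthog.com/blog/nov-24-shai-hulud-attack-post-mortem",
]
# Deliberately low: a never-before-seen source.ip for a repository is routine whenever developers roam
# (VPN, mobile, new office) or CI runners use rotating egress IPs. Treat this as a signal to correlate
# (e.g. with new user agents, token creation, or repo visibility changes), not a standalone alert.
risk_score = 21
rule_id = "daf2e0e0-0bab-4672-bfa1-62db0ee5ec22"
severity = "low"
# "Tactic:" tags mirror the tactics mapped in the [[rule.threat]] blocks: Impact, Initial Access,
# Execution, Collection. The previous tag set listed Persistence (no threat block maps it) and omitted
# Execution and Collection, which the repo's tag/threat consistency check rejects.
# NOTE(review): "Resources: Investigation Guide" is tagged but no `note` with a triage guide is visible in
# this listing -- confirm the guide exists in the full file, otherwise drop the tag.
tags = [
    "Domain: Cloud",
    "Use Case: Threat Detection",
    "Tactic: Impact",
    "Tactic: Initial Access",
    "Tactic: Execution",
    "Tactic: Collection",
    "Data Source: Github",
    "Resources: Investigation Guide",
]
# Evaluate against ingest time rather than @timestamp, presumably to absorb the delay between the GitHub
# audit event and its arrival in Elasticsearch; otherwise late documents fall outside the lookback window.
timestamp_override = "event.ingested"
type = "new_terms"
# Scope: Git clone/push audit events on repositories flagged non-public. The (source.ip, github.repo)
# pairing that makes an event "unusual" is configured in [rule.new_terms], not here.
# NOTE(review): GitHub's audit log also records "git.fetch" for Git reads; it is not matched here, so a
# read-only exfiltration via fetch from a new IP is missed. Consider adding it after confirming the
# event.action values present in your data stream. Events where github.repository_public is absent are
# also not matched.
query = '''
data_stream.dataset:"github.audit" and event.action:("git.push" or "git.clone") and github.repository_public:false
'''
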
# MITRE ATT&CK mapping. Tactics mapped below: Impact, Initial Access, Execution, Collection.
# The "Tactic:" tags in [rule] should list exactly these four.
[[rule.threat]]
framework = "MITRE ATT&CK"

# Impact is mapped at tactic level only (no technique); presumably covering the downstream effect of
# private code being taken or altered from an unrecognised host.
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

[[rule.threat]]
framework = "MITRE ATT&CK"

# Access with a legitimate (stolen) GitHub identity/token -- the rule keys on a new source IP precisely
# because the account itself looks valid.
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

# Supply-chain context from the referenced Shai-Hulud campaign (compromised packages leading to
# repository access).
[[rule.threat.technique]]
id = "T1195"
name = "Supply Chain Compromise"
reference = "https://attack.mitre.org/techniques/T1195/"

[[rule.threat.technique.subtechnique]]
id = "T1195.002"
name = "Compromise Software Supply Chain"
reference = "https://attack.mitre.org/techniques/T1195/002/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

# NOTE(review): nothing in the query observes script execution; this mapping presumably reflects the
# execution stage of the referenced campaign rather than what this rule detects. Confirm it is intended.
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

# The primary behaviour: cloning/pushing a private code repository from an unfamiliar IP.
[[rule.threat.technique]]
id = "T1213"
name = "Data from Information Repositories"
reference = "https://attack.mitre.org/techniques/T1213/"

[[rule.threat.technique.subtechnique]]
id = "T1213.003"
name = "Code Repositories"
reference = "https://attack.mitre.org/techniques/T1213/003/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"
# New-terms configuration: an event matching the query alerts only when the combination of
# source.ip AND github.repo has not been seen together within the history window. The pairing is
# per repository, so a known developer IP touching a repo it never touched before also fires.
# NOTE(review): events lacking either field are presumably skipped by the new-terms aggregation
# rather than treated as new -- verify against the platform docs if coverage of IP-less events matters.
[rule.new_terms]
field = "new_terms_fields"
value = ["source.ip", "github.repo"]

# Seven-day baseline. Shorter windows raise noise from routine IP churn (VPN, mobile, CI egress);
# longer ones delay detection of a returning-but-compromised IP. Tune per organisation.
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"