Unusual Repo Access

Description

Identifies users who show atypical patterns of behaviour within GitHub, such as accessing 10 repos in 1 day (both values are customizable in the check configuration).

Recommended Actions

Investigate the user's activity to determine what was accessed and if the user should be accessing these repos.

Default Settings

Period in Days When User Accessed Repos: 1

Unusual Number of Repos Accessed: 10

GitHub Actions Considered

The following GitHub actions are considered when reviewing the audit logs for access to a repo:

pull_request_review.submit
pull_request.create_review_request
pull_request.create
pull_request.merge
protected_branch.rejected_ref_update
protected_branch.policy_override
pull_request.close
pull_request_review.dismiss
pull_request.ready_for_review
pull_request.rebase
repo.update_actions_settings
issue_comment.update
repo.change_merge_setting
repository_vulnerability_alert.resolve
actions_cache.delete
hook.create
pull_request_review_comment.delete
pull_request.remove_review_request
repo.create
repo.download_zip
pull_request.converted_to_draft
repository_vulnerability_alert.create
hook.destroy
pull_request_review.delete
repo.destroy
hook.config_changed
team.add_repository
issue_comment.destroy
packages.package_version_published
workflows.approve_workflow_job
repository_dependency_graph.enable
repository_vulnerability_alerts.enable
required_status_check.create
repo.rename_branch
pull_request.reopen
team.update_repository_permission
repo.add_member
environment.create_actions_variable
protected_branch.create
artifact.destroy
repo.update_default_branch
environment.add_protection_rule
repo.update_actions_secret
merge_queue.pull_request_dequeued
required_status_check.destroy
repo.create_actions_secret
environment.update_protection_rule
protected_branch.dismissal_restricted_users_teams
environment.create_actions_secret
workflows.disable_workflow
environment.delete
protected_branch.update_name
pull_request.indirect_merge
repo.rename
environment.create
repository_secret_scanning_push_protection.disable
protected_branch.update_required_status_checks_enforcement_level
workflows.enable_workflow
repository_invitation.create
repo.transfer
protected_branch.update_pull_request_reviews_enforcement_level
protected_branch.update_admin_enforced
repo.transfer_outgoing
repo.remove_member
repository_invitation.accept
repository_secret_scanning.disable
repository_ruleset.update
repo.create_actions_variable
discussion_comment.update
protected_branch.update_require_code_owner_review
repo.archived
repo.remove_actions_secret
repo.access
environment.update_actions_variable
protected_branch.destroy
environment.update_actions_secret
environment.remove_protection_rule
protected_branch.authorized_users_teams
repository_projects_change.disable
team.remove_repository
environment.remove_actions_variable
repo.update_member
protected_branch.update_required_approving_review_count
protected_branch.update_lock_branch_enforcement_level
protected_branch.dismiss_stale_reviews
repository_vulnerability_alert.reintroduce
protected_branch.branch_allowances
repo.add_topic
repository_ruleset.create
org.add_outside_collaborator
packages.package_deleted
repository_vulnerability_alerts.disable
workflows.reject_workflow_job
repo.remove_actions_variable
repository_invitation.cancel
environment.remove_actions_secret
repo.pages_source
repository_vulnerability_alert.dismiss
org.codespaces_trusted_repo_access_granted
commit_comment.destroy
repo.unarchived
protected_branch.update_require_last_push_approval
repo.register_self_hosted_runner
commit_comment.update
repo.update_actions_variable
protected_branch.update_strict_required_status_checks_policy
repo.pages_private
repo.pages_create
packages.package_version_deleted
repo.update_actions_access_settings
hook.active_changed
repository_ruleset.destroy
repo.pages_https_redirect_enabled
repo.pages_cname
repo.remove_self_hosted_runner
merge_queue.update_settings
repo.create_integration_secret
merge_queue.queue_cleared
repo.pages_destroy
discussion_comment.destroy
repository_projects_change.enable
merge_queue.pull_request_queue_jump
repository_vulnerability_alerts.authorized_users_teams
public_key.create
hook.events_changed
public_key.verify
public_key.delete
repo.actions_enabled
project.close
public_key.update
repo.pages_https_redirect_disabled
repository_image.create
repo.remove_topic
protected_branch.update_allow_force_pushes_enforcement_level
repo.restore
repo.set_default_workflow_permissions
repo.set_fork_pr_workflows_policy
repo.set_workflow_permission_can_approve_pr
protected_branch.update_merge_queue_enforcement_level
repo.advanced_security_enabled
repository_image.destroy
repository_secret_scanning.enable
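
One way to implement this check over exported audit log events, as an added example that is not the product's own code. It assumes the `@timestamp` (epoch milliseconds), `action`, `actor` and `repo` fields of GitHub's JSON audit log export, a sliding window, "at least 10" threshold semantics, and only a subset of the actions listed above; the sample events and user names are constructed.

```python
from collections import defaultdict

PERIOD_DAYS = 1      # page default: "Period in Days When User Accessed Repos"
REPO_THRESHOLD = 10  # page default: "Unusual Number of Repos Accessed"
DAY_MS = 86_400_000
# Subset of the actions listed above; a real check would load the full list.
CONSIDERED = {"repo.access", "repo.download_zip", "pull_request.create"}

def unusual_repo_access(events, period_days=PERIOD_DAYS, threshold=REPO_THRESHOLD):
    """Map actor -> repos for actors touching >= threshold distinct repos in any window."""
    per_actor = defaultdict(list)
    for e in events:
        # Ignore actions outside the list and events that name no actor or repo.
        if e.get("action") in CONSIDERED and e.get("actor") and e.get("repo"):
            per_actor[e["actor"]].append((e["@timestamp"], e["repo"]))
    window_ms = period_days * DAY_MS
    flagged = {}
    for actor, hits in per_actor.items():
        hits.sort()
        counts, start, best = defaultdict(int), 0, set()
        for ts, repo in hits:
            counts[repo] += 1
            # Drop events from the left until the window spans less than the period.
            while ts - hits[start][0] >= window_ms:
                old = hits[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) > len(best):
                best = set(counts)
        if len(best) >= threshold:
            flagged[actor] = sorted(best)
    return flagged

def sample_events():
    """Constructed events: one burst, one slow spread, one busy single-repo user."""
    base, hour = 1_700_000_000_000, 3_600_000
    ev = [{"@timestamp": base + i * hour, "action": "repo.download_zip",
           "actor": "mallory", "repo": f"acme/svc-{i}"} for i in range(10)]
    # Ten repos, but one per day: never 10 inside a 1-day window.
    ev += [{"@timestamp": base + i * DAY_MS, "action": "repo.access",
            "actor": "alice", "repo": f"acme/lib-{i}"} for i in range(10)]
    # Many events on a single repo, plus an org-level action that is not listed.
    ev += [{"@timestamp": base + i * hour, "action": "pull_request.create",
            "actor": "bob", "repo": "acme/web"} for i in range(20)]
    ev.append({"@timestamp": base, "action": "org.invite_member", "actor": "bob"})
    return ev

if __name__ == "__main__": print(unusual_repo_access(sample_events()))
```

Counting distinct repos rather than events keeps a busy contributor on one repo from triggering the check, while a burst across many repos does.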
