Unusual Repo Access

Description

Identifies users who engaged in atypical patterns of behaviour within Github, including accessing 10 repos in 1 day (customizable check config).

Recommended Actions

Investigate the user's activity to determine what was accessed and if the user should be accessing these repos.

Default Settings

Period in Days When User Accessed Repos: 1

Unusual Number of Repos Accessed: 10

Github Actions Considered

The following Github actions are considered when reviewing the audit logs for access to a repo:

pull_request_review.submit
pull_request.create_review_request
pull_request.create
pull_request.merge
protected_branch.rejected_ref_update
protected_branch.policy_override
pull_request.close
pull_request_review.dismiss
pull_request.ready_for_review
pull_request.rebase
repo.update_actions_settings
issue_comment.update
repo.change_merge_setting
repository_vulnerability_alert.resolve
actions_cache.delete
hook.create
pull_request_review_comment.delete
pull_request.remove_review_request
repo.create
repo.download_zip
pull_request.converted_to_draft
repository_vulnerability_alert.create
hook.destroy
pull_request_review.delete
repo.destroy
hook.config_changed
team.add_repository
issue_comment.destroy
packages.package_version_published
workflows.approve_workflow_job
repository_dependency_graph.enable
repository_vulnerability_alerts.enable
required_status_check.create
repo.rename_branch
pull_request.reopen
team.update_repository_permission
repo.add_member
environment.create_actions_variable
protected_branch.create
artifact.destroy
repo.update_default_branch
environment.add_protection_rule
repo.update_actions_secret
merge_queue.pull_request_dequeued
required_status_check.destroy
repo.create_actions_secret
environment.update_protection_rule
protected_branch.dismissal_restricted_users_teams
environment.create_actions_secret
workflows.disable_workflow
environment.delete
protected_branch.update_name
pull_request.indirect_merge
repo.rename
environment.create
repository_secret_scanning_push_protection.disable
protected_branch.update_required_status_checks_enforcement_level
workflows.enable_workflow
repository_invitation.create
repo.transfer
protected_branch.update_pull_request_reviews_enforcement_level
protected_branch.update_admin_enforced
repo.transfer_outgoing
repo.remove_member
repository_invitation.accept
repository_secret_scanning.disable
repository_ruleset.update
repo.create_actions_variable
discussion_comment.update
protected_branch.update_require_code_owner_review
repo.archived
repo.remove_actions_secret
repo.access
environment.update_actions_variable
protected_branch.destroy
environment.update_actions_secret
environment.remove_protection_rule
protected_branch.authorized_users_teams
repository_projects_change.disable
team.remove_repository
environment.remove_actions_variable
repo.update_member
protected_branch.update_required_approving_review_count
protected_branch.update_lock_branch_enforcement_level
protected_branch.dismiss_stale_reviews
repository_vulnerability_alert.reintroduce
protected_branch.branch_allowances
repo.add_topic
repository_ruleset.create
org.add_outside_collaborator
packages.package_deleted
repository_vulnerability_alerts.disable
workflows.reject_workflow_job
repo.remove_actions_variable
repository_invitation.cancel
environment.remove_actions_secret
repo.pages_source
repository_vulnerability_alert.dismiss
org.codespaces_trusted_repo_access_granted
commit_comment.destroy
repo.unarchived
protected_branch.update_require_last_push_approval
repo.register_self_hosted_runner
commit_comment.update
repo.update_actions_variable
protected_branch.update_strict_required_status_checks_policy
repo.pages_private
repo.pages_create
packages.package_version_deleted
repo.update_actions_access_settings
hook.active_changed
repository_ruleset.destroy
repo.pages_https_redirect_enabled
repo.pages_cname
repo.remove_self_hosted_runner
merge_queue.update_settings
repo.create_integration_secret
merge_queue.queue_cleared
repo.pages_destroy
discussion_comment.destroy
repository_projects_change.enable
merge_queue.pull_request_queue_jump
repository_vulnerability_alerts.authorized_users_teams
public_key.create
hook.events_changed
public_key.verify
public_key.delete
repo.actions_enabled
project.close
public_key.update
repo.pages_https_redirect_disabled
repository_image.create
repo.remove_topic
protected_branch.update_allow_force_pushes_enforcement_level
repo.restore
repo.set_default_workflow_permissions
repo.set_fork_pr_workflows_policy
repo.set_workflow_permission_can_approve_pr
protected_branch.update_merge_queue_enforcement_level
repo.advanced_security_enabled
repository_image.destroy
repository_secret_scanning.enable

PreviousSuspicious Activity Reported by End User NextUser IP in Blocked State

Last updated 3 months ago

pull_request_review.submit pull_request.create_review_request pull_request.create pull_request.merge protected_branch.rejected_ref_update protected_branch.policy_override pull_request.close pull_request_review.dismiss pull_request.ready_for_review pull_request.rebase repo.update_actions_settings issue_comment.update repo.change_merge_setting repository_vulnerability_alert.resolve actions_cache.delete hook.create pull_request_review_comment.delete pull_request.remove_review_request repo.create repo.download_zip pull_request.converted_to_draft repository_vulnerability_alert.create hook.destroy pull_request_review.delete repo.destroy hook.config_changed team.add_repository issue_comment.destroy packages.package_version_published workflows.approve_workflow_job repository_dependency_graph.enable repository_vulnerability_alerts.enable required_status_check.create repo.rename_branch pull_request.reopen team.update_repository_permission repo.add_member environment.create_actions_variable protected_branch.create artifact.destroy repo.update_default_branch environment.add_protection_rule repo.update_actions_secret merge_queue.pull_request_dequeued required_status_check.destroy repo.create_actions_secret environment.update_protection_rule protected_branch.dismissal_restricted_users_teams environment.create_actions_secret workflows.disable_workflow environment.delete protected_branch.update_name pull_request.indirect_merge repo.rename environment.create repository_secret_scanning_push_protection.disable protected_branch.update_required_status_checks_enforcement_level workflows.enable_workflow repository_invitation.create repo.transfer protected_branch.update_pull_request_reviews_enforcement_level protected_branch.update_admin_enforced repo.transfer_outgoing repo.remove_member repository_invitation.accept repository_secret_scanning.disable repository_ruleset.update repo.create_actions_variable discussion_comment.update protected_branch.update_require_code_owner_review repo.archived repo.remove_actions_secret repo.access environment.update_actions_variable protected_branch.destroy environment.update_actions_secret environment.remove_protection_rule protected_branch.authorized_users_teams repository_projects_change.disable team.remove_repository environment.remove_actions_variable repo.update_member protected_branch.update_required_approving_review_count protected_branch.update_lock_branch_enforcement_level protected_branch.dismiss_stale_reviews repository_vulnerability_alert.reintroduce protected_branch.branch_allowances repo.add_topic repository_ruleset.create org.add_outside_collaborator packages.package_deleted repository_vulnerability_alerts.disable workflows.reject_workflow_job repo.remove_actions_variable repository_invitation.cancel environment.remove_actions_secret repo.pages_source repository_vulnerability_alert.dismiss org.codespaces_trusted_repo_access_granted commit_comment.destroy repo.unarchived protected_branch.update_require_last_push_approval repo.register_self_hosted_runner commit_comment.update repo.update_actions_variable protected_branch.update_strict_required_status_checks_policy repo.pages_private repo.pages_create packages.package_version_deleted repo.update_actions_access_settings hook.active_changed repository_ruleset.destroy repo.pages_https_redirect_enabled repo.pages_cname repo.remove_self_hosted_runner merge_queue.update_settings repo.create_integration_secret merge_queue.queue_cleared repo.pages_destroy discussion_comment.destroy repository_projects_change.enable merge_queue.pull_request_queue_jump repository_vulnerability_alerts.authorized_users_teams public_key.create hook.events_changed public_key.verify public_key.delete repo.actions_enabled project.close public_key.update repo.pages_https_redirect_disabled repository_image.create repo.remove_topic protected_branch.update_allow_force_pushes_enforcement_level repo.restore repo.set_default_workflow_permissions repo.set_fork_pr_workflows_policy repo.set_workflow_permission_can_approve_pr protected_branch.update_merge_queue_enforcement_level repo.advanced_security_enabled repository_image.destroy repository_secret_scanning.enable