# Hunting in GitHub GitHub is the de facto center of the universe for many organization's development processes... which also makes it a primary system to monitor for security threats and strange activity. Let's do some threat hunting (and detection engineering) to get a handle on GitHub usage. {% hint style="info" %} Throughout this document, we'll list audit logs of interest you can use as part of your hunting. There's a longer list at the bottom, but the ones listed in the main part of the writeup are some of the logs we've found most useful. {% endhint %} ## Thoughts on GitHub ### What's your username? The culture of development in GitHub is a bit outside the norm for corporate SaaS products. While nearly every other B2B SaaS tool follows a very standard "Corporate identity" -> "Provision an account using that identity" path, GitHub allows corporations to let developers use whatever their existing GitHub ID is to access corp repositories. In fact, GitHub uses a username instead of an email as its primary identifier (what is this, 1998?). Some companies force employees to use new, clean ID's tied to their corporate email, but some allow employees to use their personal ID's. How your company handles GitHub identities (and authentication) will drive how you hunt in GitHub. You can even find where people are loging in from ( `user.login` )and if someone has turned off MFA ( `two_factor_authentication.disabled` a big 🚨) ## What's in GitHub GitHub is a software repository system. But there's so so much more than code in GitHub ### Workflows Workflows, webhooks, and automations are the backbone of the modern CI/CD pipeline. You may have a relatively simple repository but fantastically complicated workflows that allow your developers to create, test, and deploy code at (terrifying) speed. That's cool and all, but workflows are a window into your CI/CD pipeline. There are many examples (including this [CISA Advisory](https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-tj-actionschanged-files-cve-2025-30066-and-reviewdogaction) and this [MS writeup on Shai Hulud](https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/)) where workflows have been subverted by attackers and bad things happened. Pay attention to new workflows ( `workflows.created` ) and webhooks ( `hook.create`, `hook.config_changed` ) and dig into unknown/new ones. ### Tokens Even if you use SSO, GitHub can still contain sensitive authentication credentials. While ideally your code doesn't have hardcoded passwords, GitHub accounts may have the ability to create Personal Access Tokens (PAT). PAT's are like API keys... they grant access to everything a user has access to without need for MFA or forced rotation. Finding when PATs are created an used can be a super useful hunt ( `personal_access_token.create`, `personal_access_token.access` )... and in fact, you should alert every time a PAT is created to make sure it's something allowed and intended. ### OAuth connections in and out OAuth enables the powerful feature of SaaS apps to connect seamlessly to each other. They're also super dangerous and hard to wrap your arms around. GitHub audit records provide some telemetry around OAuth connections and usage ( `integration_installation.create`, `org_credential_authorization.grant` ), and digging into them can help uncover malicious (or at least unwanted) activity. ### Well, and of course, code Don't underestimate the value of your software. From both an IP perspective and security perspective, your software is valuable. Looking at who has access ( `repo.add_member` ), who is downloading repos ( `repo.download_zip`, `git.fetch`, `git.clone` ), and what repositories are accessed can be a great place to start a hunt. ## How and what to look for GitHub's audit log interface is free to use if you're a GitHub Enterprise customer and available at or by going to your enterprise Settings page and clicking "Audit Log." Their interface is servicable but pretty linear.
They have their own syntax and if you really know what you're looking for, you can find it. Conversely... ### USE TURNGATE Seriously, we're way easier to you. Here's a query of all pull request activity in the last month, that I used to pivot to focus on the activity of one developer and validate all the work they did from an unknown IP address. The whole hunt took about 45 seconds.
We have a [45 day free trial](https://www.turngate.io/get-started). Go check us out. You won't be disappointed. ### GitHub audit events GitHub has [documentation on their audit logs](https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization) including how to access them and what they mean. Unfortunately, even GitHub's definitions can be a bit tough to wrap your head around. You're in luck because Turngate has summaries in the application to help you make sense of the data you're seeing.
Pretty cool, huh? ### Audit events of interest Here's a longer list of audit events to get your started on your hunting journey. **OAuth & Access Token Events:** * `oauth_application.create` - New OAuth apps that could exfiltrate data * `oauth_application.transfer` - OAuth app ownership changes * `oauth_authorization.create` - Suspicious OAuth authorizations, especially from unfamiliar applications * `personal_access_token.create` - New PAT creation, especially with broad scopes * `personal_access_token.access` - PAT usage patterns (look for anomalous IPs/locations) * `user.login` - Failed login attempts or logins from unusual locations * `two_factor_authentication.disabled` - 2FA being turned off (major red flag) **SSH & Deploy Key Events:** * `public_key.create` - New SSH keys added to user accounts * `public_key.update` - Modified SSH keys * `deploy_key.create` - Deploy keys with write access to repositories ### **Data Exfiltration & Repository Tampering** **Repository Visibility & Access:** * `repo.access` - Repository access events, especially bulk downloads * `repo.create` - New repository creation (could be staging for exfiltration) * `repo.destroy` - Repository deletion (potential evidence destruction) * `repo.archived` - Archiving repositories * `repo.transferred` - Repository ownership transfers * `repo.config.disable_anonymous_git_access` - Changing anonymous access settings * `private_repository_forking.enable` - Allowing private repo forks (exfiltration risk) **Branch Protection Bypasses:** * `protected_branch.destroy` - Removing branch protections * `protected_branch.update_admin_enforced` - Disabling admin enforcement * `protected_branch.dismiss_stale_reviews` - Weakening review requirements * `protected_branch.policy_override` - Admin bypass of branch protection * `repo.remove_member` - Removing collaborators who might notice malicious activity ### **Privilege Escalation & Permission Changes** **Organization & Team Permissions:** * `org.add_member` - New members added, especially with admin roles * `org.update_member` - Permission level changes (member → admin) * `org.remove_member` - Removing security team members * `team.add_member` - Adding users to privileged teams * `team.add_repository` - Granting team access to sensitive repos * `team.create` - New team creation with elevated permissions * `org_credential_authorization.grant` - Granting SSO credential authorizations **Repository Collaborators:** * `repo.add_member` - New collaborators with write/admin access * `repo.update_member` - Collaborator permission escalation * `integration_installation.create` - Installing third-party integrations with broad permissions * `integration_installation_request.create` - Requests to install potentially malicious apps ### **Code Injection & Supply Chain Attacks** **Actions & Workflows:** * `workflows.created` - New GitHub Actions workflows (could contain malicious code) * `workflows.updated` - Modified workflows (backdoor injection) * `workflow_run.requested` - Workflow execution patterns * `repo_secret_scanning_push_protection_bypass.create` - Bypassing secret push protection * `environment.create_actions_secret` - Secrets added to environments * `environment.remove_actions_secret` - Secrets removed (potential theft) **Dependency & Package Events:** * `packages.published` - Package publications to GitHub Packages * `packages.updated` - Package updates that could introduce malicious dependencies * `repo.packages_permission_change` - Changes to package permissions ### **Webhook & Integration Abuse** **Webhook Events:** * `hook.create` - New webhooks (data exfiltration channel) * `hook.config_changed` - Webhook URL/configuration changes * `hook.destroy` - Webhook deletion (covering tracks) * `integration_installation.create` - Third-party app installations * `marketplace_agreement_signature.create` - GitHub Marketplace app agreements ### **Audit Trail Tampering** **Audit & Compliance:** * `audit_log_streaming.update` - Changes to audit log streaming configuration * `audit_log_streaming.destroy` - Disabling audit log streaming * `business.update_member_repository_creation_permission` - Changes allowing repo creation * `ip_allow_list_entry.create/destroy` - IP allowlist modifications ### **Suspicious Patterns to Detect** **Velocity-based Anomalies:** * Bulk `repo.access` events in short timeframes (mass cloning) * Multiple `repo.create` + `repo.transfer` sequences (lateral movement) * Rapid `org.add_member` + `org.update_member` (privilege escalation chain) * Sequential `protected_branch.destroy` across multiple repositories **Time-based Anomalies:** * Events occurring during off-hours or unusual timezones * `user.login` from multiple geolocations in impossible timeframes * Actions immediately after `oauth_authorization.create` (compromised OAuth) **Correlation Patterns:** * `two_factor_authentication.disabled` followed by `user.login` from new location * `protected_branch.destroy` → code push → `protected_branch.create` (covering tracks) * `secret_scanning.disable` → large commits → `secret_scanning.enable` * `repo.add_member` with admin + `repo.transfer` + `org.remove_member` (repository theft) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://support.turngate.io/detections-and-hunting/hunting-in-github.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.