GitHub IP allow list modified

ID: github_ip_allow_list_modified
Data type: GitHub
Severity: Low
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected that a GitHub IP allow list was modified. The GitHub IP allow list controls which IP addresses can access an organization's resources. Threat actors may modify it to bypass security controls that restrict access based on IP addresses.

Impact

Modification of IP allow lists can enable unauthorized access to sensitive repositories and organizational resources within the GitHub environment. This can lead to data exfiltration, code tampering, blocking of legitimate users' access to the system, or other malicious activities.

Severity

Severity | Condition
Low | GitHub IP allow list modified

Investigation and Remediation

Review GitHub audit logs to identify who made the IP allow list changes and verify whether these modifications were authorized. If unauthorized, revert the IP allow list to its previous state, rotate credentials for potentially compromised accounts, and conduct a thorough security audit for other signs of potential compromise.
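
One way to carry out the audit log review described above, as an added example that is not AlphaSOC's or GitHub's own code. It assumes the organization audit log was exported as JSON lines carrying the `action`, `actor`, `org` and `@timestamp` fields; `approved_actors` is a hypothetical set of accounts permitted to change the allow list, and the sample events are constructed.

```python
import json
from datetime import datetime, timezone

# Audit-log actions GitHub records for IP allow list changes, mapped to their effect.
IP_ALLOW_LIST_ACTIONS = {
    "ip_allow_list.enable": "enforcement enabled",
    "ip_allow_list.disable": "enforcement disabled",
    "ip_allow_list.enable_for_installed_apps": "enforcement enabled for GitHub Apps",
    "ip_allow_list.disable_for_installed_apps": "enforcement disabled for GitHub Apps",
    "ip_allow_list_entry.create": "entry added",
    "ip_allow_list_entry.update": "entry changed",
    "ip_allow_list_entry.destroy": "entry removed",
}

# Constructed sample export (JSON lines); actors and org are made up for illustration.
SAMPLE_EXPORT = """\
{"@timestamp": 1717239660000, "action": "ip_allow_list_entry.destroy", "actor": "bob-dev", "org": "example-org"}
{"@timestamp": 1717236000000, "action": "ip_allow_list_entry.create", "actor": "alice-admin", "org": "example-org"}
{"@timestamp": 1717236300000, "action": "repo.create", "actor": "bob-dev", "org": "example-org"}
truncated line from a partial export
{"@timestamp": 1717239600000, "action": "ip_allow_list.disable", "actor": "bob-dev", "org": "example-org"}
"""

def triage(export_text, approved_actors):
    """Return IP allow list changes in time order, flagging actors not on the approved list."""
    events = []
    for line in export_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines in the export
        if isinstance(event, dict) and event.get("action") in IP_ALLOW_LIST_ACTIONS:
            events.append(event)
    events.sort(key=lambda e: e.get("@timestamp", 0))  # @timestamp is epoch milliseconds
    findings = []
    for e in events:
        ts = datetime.fromtimestamp(e.get("@timestamp", 0) / 1000, tz=timezone.utc)
        actor = e.get("actor", "<unknown>")
        findings.append({
            "time": ts.isoformat(),
            "org": e.get("org", "<unknown>"),
            "actor": actor,
            "effect": IP_ALLOW_LIST_ACTIONS[e["action"]],
            "authorized": actor in approved_actors,
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT, approved_actors={"alice-admin"}):
        print(f["time"], f["org"], f["actor"], f["effect"], "OK" if f["authorized"] else "REVIEW")
```

Entries marked REVIEW are the changes to confirm with the actor or a change record before deciding whether to revert the allow list and rotate credentials.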