Adversaries may switch a private GitHub repository to public to exfiltrate source code or secrets stored in it, or to stage malicious code where anyone can clone it. SOC teams should proactively hunt for this behavior in Azure Sentinel (now Microsoft Sentinel) to identify potential data leaks or malware distribution channels. The hunting query below selects GitHub audit log repo.access events with an OperationType of MODIFY whose resulting Visibility is PUBLIC, that is, the moment a repository becomes public. Legitimate publication produces exactly the same event, so each hit is a candidate to validate against change records rather than a confirmed compromise.
KQL Query
GitHubAudit
| where Action == "repo.access"
| where OperationType == "MODIFY"
| where Visibility == "PUBLIC"
| project TimeGenerated, Action, Actor, Country, Repository, Visibility
id: a6e2afd3-559c-4e88-a693-39c1f6789ef1
name: GitHub Repo switched from private to public
description: |
  'This hunting query identifies GitHub activities where a repo was changed from private to public that may be a sign of compromise.'
requiredDataConnectors: []
tactics:
  - Collection
relevantTechniques:
  - T1213
query: |
  GitHubAudit
  | where Action == "repo.access"
  | where OperationType == "MODIFY"
  | where Visibility == "PUBLIC"
  | project TimeGenerated, Action, Actor, Country, Repository, Visibility
Scenario: Scheduled CI/CD Pipeline Job Updates Repo Visibility
Description: Release automation (e.g., a GitHub Actions workflow or a deployment script) may publish a repository as a deliberate step, for instance when open-sourcing a project. Changing visibility requires a credential with admin rights on the repository, so such a job should run under a named service account rather than a personal token.
Filter/Exclusion: Exclude by Actor against an allowlist of those named service accounts (Actor !in (allowlist)); the audit columns this query projects carry no "event type" or "actor type" field to filter on. Review the allowlist regularly, because a leaked allowlisted credential turns this exclusion into a blind spot.
Scenario: Admin Task to Promote Repo to Public for Collaboration
Description: An administrator or team lead may make a private repo public so that external collaborators or partners can reach it. In the audit log this is indistinguishable from an attacker using a compromised admin account, which is the case the hunt exists to catch.
Filter/Exclusion: Do not exclude on role: the projected columns carry no actor role, and an admin account is a prime target. Validate each hit against a change record or ticket, and where the organization keeps a list of repositories approved for publication, exclude those by Repository (Repository !in (approved list)).
Scenario: GitHub Pages Site Deployment Changes Repo Visibility
Description: GitHub Pages does not change a repository's visibility by itself. What is actually seen is a user making a repo public so that Pages can publish it, because on the GitHub Free plan Pages is only available for public repositories.
Filter/Exclusion: Treat as the collaboration scenario above and validate the same way. The string "pages" in a repository name is not evidence of intent and should not suppress the hit; the repo may still contain secrets or internal history that are now public.
Scenario: Automated Backup Tool Syncs to Public Repo
Description: Pushing to a repository that is already public generates no repo.access event, so this query does not fire on a backup job that writes to an existing public repo. It fires only if the job itself switches a private repo to public, which is a misconfiguration rather than a false positive, since backups commonly contain credentials and configuration.
Filter/Exclusion: None. Investigate the job and the credential it used. The projected columns include Country but no source IP, and an internal network origin would not make the exposure acceptable anyway.
Scenario: User Mistakenly Changes Repo Visibility
Description: A user may accidentally make a private repo public while testing settings or during a configuration change. An accidental exposure is still an exposure: everything in the repository's history was readable, and possibly cloned or forked, while it was public.
Filter/Exclusion: No audit log field records intent, and the client used for the change is not an indicator of accident, so do not exclude. Triage instead: look for a later repo.access event on the same Repository that sets Visibility back to private, measure how long the repo stayed public, and even for a quick revert rotate any secrets in history and check for forks created in that window.
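The following KQL is an added example, not the hunting query from the original page or the Azure Sentinel repository. It folds the handling from the scenarios above into one query: an allowlist of service accounts (scenario 1), an allowlist of repositories approved for publication (scenarios 2 and 3), and detection of a later flip back to private with the exposure duration (scenario 5). The account and repository names in the allowlists are placeholders, "PRIVATE" is assumed to be the Visibility value GitHubAudit records for the reverse change, and the 15-minute window is a starting point to tune.

```kql
// Added example: tuned version of the "repo switched to public" hunt.
// Assumptions are marked; replace the placeholder names with your own.
let lookback = 30d;
let quick_revert = 15m;          // assumed threshold for "reverted quickly"
// Scenario 1: named service accounts permitted to change visibility (placeholder name).
let approved_actors = datatable(Actor:string) ["release-bot"];
// Scenarios 2/3: repositories with an approved change record for publication (placeholder name).
let approved_repos = datatable(Repository:string) ["example-org/approved-public-repo"];
// All visibility changes in the window, both directions.
let visibility_changes =
    GitHubAudit
    | where TimeGenerated > ago(lookback)
    | where Action == "repo.access" and OperationType == "MODIFY"
    | project TimeGenerated, Actor, Country, Repository, Visibility;
visibility_changes
| where Visibility == "PUBLIC"
| where Actor !in (approved_actors)
| where Repository !in (approved_repos)
// Scenario 5: pair each exposure with any later change back to private for the same repo.
// "PRIVATE" is the assumed counterpart of the "PUBLIC" value used by the original query.
| join kind=leftouter (
    visibility_changes
    | where Visibility == "PRIVATE"
    | project Repository, RevertTime = TimeGenerated, RevertedBy = Actor
  ) on Repository
// Ignore reverts that happened before this exposure; keep the earliest one after it.
| extend RevertTime = iff(RevertTime > TimeGenerated, RevertTime, datetime(null))
| summarize arg_min(RevertTime, RevertedBy) by TimeGenerated, Actor, Country, Repository
| extend ExposedFor = RevertTime - TimeGenerated
| extend Triage = case(
    isnull(RevertTime), "still public: investigate",
    ExposedFor <= quick_revert, "reverted quickly: likely mistake, still rotate any secrets in history",
    "reverted later: review forks, clones and pushes during the window")
| project TimeGenerated, Actor, Country, Repository, RevertTime, RevertedBy, ExposedFor, Triage
| order by TimeGenerated desc
```

Rows with an empty RevertTime are repositories that are still public and need a decision now; rows where RevertedBy equals Actor and ExposedFor is short are the typical user-error pattern, which still warrants secret rotation. The allowlists are tables rather than inline literals so they can be swapped for a watchlist without changing the rest of the query.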