GitHub activity observed from Tor client IP

Goal

Detect when GitHub activity is observed from a Tor exit node.

Strategy

This rule monitors GitHub telemetry logs to determine when activity originated from a Tor client. Datadog enriches all ingested logs with expert-curated threat intelligence in real time. An attacker may use a Tor client to anonymize their true origin when accessing GitHub programmatically.

Triage and response

  • Determine whether {{@github.actor}} from IP address {{@network.client.ip}} has a legitimate reason to access GitHub via Tor.
  • Review the specific actions performed during the session for indicators of reconnaissance, credential misuse, or data access.
  • Check whether this activity coincides with other suspicious signals from the same identity such as secret enumeration or branch protection changes.
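As an added example (not Datadog's rule logic and not the GitHub audit-log schema), the Python below runs the detection and the triage grouping over a few constructed audit-log events, standing in for the threat-intel enrichment with a local Tor exit list; the exit-node addresses, the `threat_intel.category` attribute and the action names are assumptions.

```python
import json
from collections import defaultdict

# Constructed Tor exit-node list; documentation-range addresses, not real nodes.
TOR_EXIT_NODES = {"198.51.100.23", "203.0.113.77"}

# Actions whose presence in a Tor-sourced session warrants faster triage
# (data access, branch-protection changes). Names are assumed examples.
SENSITIVE_ACTIONS = {"protected_branch.destroy", "repo.download_zip", "git.clone"}

# Constructed events, already remapped to the rule's attributes
# (@github.actor, @network.client.ip); these are not real audit records.
SAMPLE_LOGS = [
    '{"github": {"actor": "alice", "action": "repo.create"}, "network": {"client": {"ip": "192.0.2.10"}}}',
    '{"github": {"actor": "mallory", "action": "git.clone"}, "network": {"client": {"ip": "198.51.100.23"}}}',
    '{"github": {"actor": "mallory", "action": "protected_branch.destroy"}, "network": {"client": {"ip": "198.51.100.23"}}}',
    '{"github": {"actor": "bob", "action": "org.update_member"}, "network": {"client": {"ip": "203.0.113.77"}}}',
]

def enrich(event):
    """Assumed stand-in for Datadog threat-intel enrichment: tag events whose
    client IP is on the Tor exit list with a 'tor' threat_intel category."""
    if event["network"]["client"]["ip"] in TOR_EXIT_NODES:
        event["threat_intel"] = {"category": "tor"}
    return event

def detect_tor_activity(raw_lines):
    """Return one signal per (actor, client IP) pair seen via Tor, listing the
    session's actions so the triage steps can review them together."""
    sessions = defaultdict(list)
    for line in raw_lines:
        event = enrich(json.loads(line))
        if event.get("threat_intel", {}).get("category") != "tor":
            continue
        key = (event["github"]["actor"], event["network"]["client"]["ip"])
        sessions[key].append(event["github"]["action"])
    signals = []
    for (actor, ip), actions in sessions.items():
        sensitive = sorted(set(actions) & SENSITIVE_ACTIONS)
        signals.append({"actor": actor, "client_ip": ip, "actions": actions,
                        "sensitive_actions": sensitive,
                        "severity": "high" if sensitive else "medium"})
    return signals
```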