LoFP LoFP / t1213

t1213

TitleTags
a self-hosted runner is automatically removed from github if it has not connected to github actions for more than 14 days.
allowed self-hosted runners changes in the environment.
an ephemeral self-hosted runner is automatically removed from github if it has not connected to github actions for more than 1 day.
if the user is a developer or automation engineer, validate if this behavior was for testing purposes.
legitimate non-interactive access to sharepoint online via the microsoft authentication broker may occur in enterprise environments, especially with mdm solutions or automated scripts. however, this should be explicitly allowed and monitored.
legitimate user activity.
some enterprise mdm or brokered flows may use refresh tokens legitimately (especially with hybrid/azure ad joined devices). automated scripts for legitimate tasks (e.g., reporting, backups) might use `python-requests`, though this should be explicitly allowed.
unlikely
validate the actor if permitted to access the repo.
validate the deletion activity is permitted. the \"actor\" field need to be validated.
validate the multifactor authentication changes.