LoFP LoFP / t1526

t1526

TitleTags
a self-hosted runner is automatically removed from github if it has not connected to github actions for more than 14 days.
access level modifications may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. access level modifications from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
allowed self-hosted runners changes in the environment.
an ephemeral self-hosted runner is automatically removed from github if it has not connected to github actions for more than 1 day.
not all unauthenticated requests are malicious, but frequency, ua and source ips and direct request to api provide context.
not all unauthenticated requests are malicious, but frequency, user agent and source ips will provide context.
not all unauthenticated requests are malicious, but frequency, user agent, source ips and pods will provide context.
not all unauthenticated requests are malicious, but source ips, useragent, verb, request uri and response status will provide context.
unlikely
while this search has no known false positives.