Github Activity on a Private Repository from an Unusual IP

Elastic Detection Rules

Summary
This detection rule monitors GitHub activity against private repositories that originates from unusual or previously unseen IP addresses. Adversaries increasingly target private repositories to exfiltrate sensitive source code, so unauthorized access to them warrants close attention. The rule uses Kibana Query Language (KQL, "kuery") over GitHub audit logs and matches `git.push` or `git.clone` actions performed only on private repositories (`github.repository_public:false`). The detection carries a risk score of 21, and an alert is generated when a matching event is observed, indicating potentially malicious behavior over the past nine months. The rule is especially relevant given the rise in sophisticated supply chain attacks on code repositories, which makes it important for protecting sensitive assets. Additional guidance is provided in the accompanying investigation guide referenced in the tags.
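The following is an added example, not code from the Elastic rule itself, that re-creates the rule's logic offline over a few constructed GitHub audit events: keep only `git.push`/`git.clone` on private repositories, then alert when the source IP has not been seen on such an event within the lookback window. The field names (`event.action`, `github.repository_public`, `source.ip`, `user.name`), the 270-day window and the choice of `source.ip` as the "new term" are assumptions modelled on ECS and on the summary above.

```python
"""Added example (not the Elastic rule's own code): filter GitHub audit
events the way the summary describes, then flag source IPs not seen on a
matching private-repo event within the lookback window.

Assumed field names: event.action, github.repository_public, source.ip,
user.name. Assumed window: ~nine months (270 days)."""
from datetime import datetime, timedelta

MONITORED_ACTIONS = {"git.push", "git.clone"}  # actions named in the summary
HISTORY_WINDOW = timedelta(days=270)           # assumed nine-month lookback

# Constructed sample events (not real audit data). Documentation IPs only.
EVENTS = [
    {"@timestamp": "2025-12-10T02:14:00Z", "event.action": "git.clone",
     "github.repository_public": False, "source.ip": "198.51.100.77", "user.name": "alice"},
    {"@timestamp": "2025-03-01T10:00:00Z", "event.action": "git.push",
     "github.repository_public": False, "source.ip": "203.0.113.5", "user.name": "alice"},
    {"@timestamp": "2024-01-05T12:00:00Z", "event.action": "git.push",
     "github.repository_public": False, "source.ip": "198.51.100.77", "user.name": "bob"},
    {"@timestamp": "2025-06-15T09:30:00Z", "event.action": "git.clone",
     "github.repository_public": False, "source.ip": "203.0.113.5", "user.name": "alice"},
    {"@timestamp": "2025-12-10T02:20:00Z", "event.action": "git.clone",
     "github.repository_public": True, "source.ip": "198.51.100.77", "user.name": "alice"},
    {"@timestamp": "2025-12-11T08:00:00Z", "event.action": "repo.create",
     "github.repository_public": False, "source.ip": "198.51.100.99", "user.name": "bob"},
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def matches_query(ev: dict) -> bool:
    """Equivalent of the KQL filter: push/clone on a private repository."""
    return ev["event.action"] in MONITORED_ACTIONS and ev["github.repository_public"] is False


def find_unusual_ip_events(events: list, window: timedelta = HISTORY_WINDOW) -> list:
    """Return matching events whose source IP has no earlier matching event
    within `window`. Like a new-terms rule, an IP first seen at all, or seen
    again only after the window has lapsed, raises an alert."""
    last_seen = {}  # source.ip -> timestamp of the last matching event
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        if not matches_query(ev):
            continue  # public repo or non-git action: outside the query
        ts, ip = parse_ts(ev["@timestamp"]), ev["source.ip"]
        prev = last_seen.get(ip)
        if prev is None or ts - prev > window:
            alerts.append(ev)
        last_seen[ip] = ts
    return alerts
```

Running `find_unusual_ip_events(EVENTS)` returns three alerts: the two first-ever IPs and the 2025-12-10 clone from 198.51.100.77, whose only prior sighting was 705 days earlier and therefore outside the window; the 2025-06-15 clone is suppressed because 203.0.113.5 was seen 106 days before.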
Categories
  • Cloud
Data Sources
  • User Account
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1195
  • T1195.002
  • T1059
Created: 2025-12-16