GitHub App Deleted

Detects the deletion of a GitHub app either from a repo or an organization.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."

[rule]
author = ["Elastic"]
description = "Detects the deletion of a GitHub app either from a repo or an organization.\n"
from = "now-9m"
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "GitHub App Deleted"
risk_score = 21
rule_id = "fd01b949-81be-46d5-bcf8-284395d5f56d"
severity = "low"
tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
configuration where event.dataset == "github.audit" and github.category == "integration_installation" and event.type == "deletion"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GitHub App Deleted

GitHub Apps are integrations that extend GitHub's functionality, often used to automate workflows or manage repositories. Adversaries might delete these apps to disrupt operations or remove security controls. The detection rule monitors audit logs for app deletions, flagging potential unauthorized actions. By focusing on specific event types and categories, it helps identify suspicious deletions that could indicate malicious activity.

### Possible investigation steps

- Review the audit logs for the specific event type "deletion" within the "integration_installation" category to identify the exact GitHub app that was deleted.
- Determine the user or account responsible for the deletion by examining the associated user information in the audit logs.
- Check the timing of the deletion event to see if it coincides with any other suspicious activities or anomalies in the repository or organization.
- Investigate the role and permissions of the user who performed the deletion to assess if they had legitimate access and authorization to delete the app.
- Look into the history of the deleted GitHub app to understand its purpose, usage, and any dependencies it might have had within the organization or repository.
- Communicate with the team or organization members to verify if the deletion was intentional and authorized, or if it was unexpected and potentially malicious.

### False positive analysis

- Routine maintenance or updates by authorized personnel can trigger app deletions. Verify with the team responsible for GitHub app management to confirm if the deletion was planned.
- Automated scripts or tools used for managing GitHub apps might inadvertently delete apps during updates or reconfigurations. Review the scripts and ensure they have proper safeguards to prevent accidental deletions.
- Organizational policy changes might lead to the removal of certain apps. Check if there have been recent policy updates that could explain the deletion.
- Exclude specific users or service accounts known to perform legitimate app deletions regularly by creating exceptions in the detection rule.
- Monitor for patterns of deletions that align with scheduled maintenance windows and adjust the rule to ignore these timeframes if they consistently result in false positives.

### Response and remediation

- Immediately revoke any compromised credentials or tokens associated with the deleted GitHub app to prevent unauthorized access.
- Restore the deleted GitHub app from a backup or re-install it to ensure continuity of operations and security controls.
- Conduct a thorough review of recent changes and activities in the affected repositories or organization to identify any unauthorized actions or data alterations.
- Notify the security team and relevant stakeholders about the incident to ensure awareness and coordinated response efforts.
- Implement additional monitoring on the affected repositories or organization to detect any further suspicious activities or attempts to delete apps.
- Review and tighten permissions for GitHub apps to ensure only authorized personnel have the ability to delete or modify app installations.
- Escalate the incident to higher-level security management if there is evidence of a broader compromise or if the deletion is part of a larger attack campaign."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1648"
name = "Serverless Execution"
reference = "https://attack.mitre.org/techniques/T1648/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
```
...
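The rule's EQL predicate is a simple equality filter over three audit-log fields, which makes it easy to reproduce outside the SIEM when triaging or unit-testing an exception. The following Python is an added example, not Elastic's code: it mirrors the `configuration where ...` predicate over a few constructed GitHub audit events in the flattened field shape the integration produces, and applies an actor allowlist of the kind the false-positive guidance recommends adding as a rule exception. The `user.name` and `github.repo` field names, the allowlisted service account and all sample values are assumptions made for the example.

```python
"""Added example (not part of the Elastic rule): evaluate the rule's EQL
predicate in plain Python over constructed GitHub audit events and apply an
actor allowlist, as the rule's false-positive guidance suggests.

Field names event.dataset, github.category and event.type come from the rule's
query; `user.name`, `github.repo` and every sample value are assumptions."""

from typing import Iterable

# Constructed sample events (values are made up). event.category is the ECS
# array that the EQL `configuration where ...` clause filters on.
SAMPLE_EVENTS = [
    {"@timestamp": "2025-01-15T10:02:11Z", "event.category": ["configuration"],
     "event.dataset": "github.audit", "github.category": "integration_installation",
     "event.type": "deletion", "user.name": "alice", "github.repo": "acme/payments"},
    {"@timestamp": "2025-01-15T10:05:40Z", "event.category": ["configuration"],
     "event.dataset": "github.audit", "github.category": "integration_installation",
     "event.type": "creation", "user.name": "bob", "github.repo": "acme/payments"},
    {"@timestamp": "2025-01-15T10:07:03Z", "event.category": ["configuration"],
     "event.dataset": "github.audit", "github.category": "repo",
     "event.type": "deletion", "user.name": "alice", "github.repo": "acme/old-tool"},
    {"@timestamp": "2025-01-15T11:00:00Z", "event.category": ["configuration"],
     "event.dataset": "github.audit", "github.category": "integration_installation",
     "event.type": "deletion", "user.name": "svc-app-manager", "github.repo": "acme/payments"},
]

# Service account that removes apps as part of routine maintenance (assumption;
# in Kibana this would be expressed as a rule exception on the actor field).
ALLOWLISTED_ACTORS = frozenset({"svc-app-manager"})


def _has_category(event: dict, category: str) -> bool:
    """event.category may arrive as a list or a bare string; accept both."""
    value = event.get("event.category", [])
    return category in (value if isinstance(value, list) else [value])


def matches_rule(event: dict) -> bool:
    """Mirror the rule's EQL:
    configuration where event.dataset == "github.audit"
        and github.category == "integration_installation"
        and event.type == "deletion"
    """
    return (
        _has_category(event, "configuration")
        and event.get("event.dataset") == "github.audit"
        and event.get("github.category") == "integration_installation"
        and event.get("event.type") == "deletion"
    )


def find_app_deletions(events: Iterable[dict],
                       allowlist: frozenset = frozenset()) -> list:
    """Return events the rule would alert on, minus those by allowlisted actors."""
    return [e for e in events
            if matches_rule(e) and e.get("user.name") not in allowlist]


if __name__ == "__main__":
    # Without the allowlist both deletions (alice and svc-app-manager) fire;
    # with it only alice's deletion remains for investigation.
    for hit in find_app_deletions(SAMPLE_EVENTS, ALLOWLISTED_ACTORS):
        print(f"{hit['@timestamp']} app deleted by {hit['user.name']} in {hit['github.repo']}")
```

Keeping the allowlist separate from the predicate matters: the predicate stays a faithful copy of what the rule evaluates, while the exception is a tuning decision that can be reviewed on its own, which is the same split Kibana makes between a rule's query and its exception list.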
