GitHub Private Repository Turned Public

Detects when a private GitHub repository is changed to public visibility. Adversaries may change repository visibility to public in order to exfiltrate sensitive code or data; such a change can indicate a compromise or unauthorized access.

Elastic rule (View on GitHub)

 1[metadata]
  # Bookkeeping for the rule file: dates, the integration that supplies the data, and rule maturity.
 2creation_date = "2023/12/16"
 3integration = ["github"]
 4maturity = "production"
 5updated_date = "2025/12/16"
 6
 7[rule]
  # Detection definition: an EQL rule over the GitHub audit-log index listed in `index` below.
 8author = ["Elastic"]
 9description = """
10Detects when a private GitHub repository is changed to public visibility. Adversaries may change repository
11visibility to public in order to exfiltrate sensitive code or data, potentially indicating a compromise or
12unauthorized access.
13"""
  # Each run looks back 9 minutes. No run interval is set in this file; presumably the engine
  # default applies. Confirm the lookback is longer than the interval so that no window is skipped.
14from = "now-9m"
15index = ["logs-github.audit-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "GitHub Private Repository Turned Public"
  # NOTE(review): risk_score 21 / severity "low" is the shipped baseline. Once a repository is
  # public, its contents and commit history are readable by anyone, and reverting the visibility
  # does not recall copies already made. Organizations that never expect a private repository to
  # go public may want to raise both values in a local override.
19risk_score = 21
20rule_id = "8c707e4c-bd20-4ff4-bda5-4dc3b34ce298"
21severity = "low"
22tags = [
23    "Domain: Cloud",
24    "Use Case: Threat Detection",
25    "Tactic: Exfiltration",
26    "Tactic: Impact",
27    "Data Source: Github",
28]
  # The time window is evaluated against event.ingested rather than the event's own timestamp,
  # so audit events that arrive late are still evaluated.
29timestamp_override = "event.ingested"
30type = "eql"
  # Matches a single `configuration` event where all conditions hold: dataset github.audit,
  # operation_type "modify", category "repo", action "repo.access", and a visibility change
  # from "private" to "public".
  # NOTE(review): only previous_visibility == "private" is matched. A repository that becomes
  # public from any other prior visibility value (for example an enterprise "internal"
  # repository, if the audit log reports that value) would not alert. Verify against your data.
  # NOTE(review): no investigation guide or false-positive guidance is visible in this listing.
  # Triage should confirm which account made the change and whether the publication was approved;
  # planned open-sourcing of a repository is the expected benign match.
31query = '''
32configuration where event.dataset == "github.audit" and github.operation_type == "modify" and github.category == "repo" and
33event.action == "repo.access" and github.previous_visibility == "private" and github.visibility == "public"
34'''
35
  # First ATT&CK mapping: tactic Exfiltration (TA0010) with techniques T1020 and T1567 and
  # sub-technique T1567.001. This corresponds to the "Tactic: Exfiltration" tag above.
36[[rule.threat]]
37framework = "MITRE ATT&CK"
38
39[[rule.threat.technique]]
40id = "T1020"
41name = "Automated Exfiltration"
42reference = "https://attack.mitre.org/techniques/T1020/"
43
44[[rule.threat.technique]]
45id = "T1567"
46name = "Exfiltration Over Web Service"
47reference = "https://attack.mitre.org/techniques/T1567/"
48
  # The sub-technique nests under the most recent technique entry, T1567.
49[[rule.threat.technique.subtechnique]]
50id = "T1567.001"
51name = "Exfiltration to Code Repository"
52reference = "https://attack.mitre.org/techniques/T1567/001/"
53
54[rule.threat.tactic]
55id = "TA0010"
56name = "Exfiltration"
57reference = "https://attack.mitre.org/tactics/TA0010/"
58
  # Second ATT&CK mapping: tactic Impact (TA0040) only, with no technique listed under it.
  # This corresponds to the "Tactic: Impact" tag above.
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61
62[rule.threat.tactic]
63id = "TA0040"
64name = "Impact"
65reference = "https://attack.mitre.org/tactics/TA0040/"
