GitHub Repository Deleted

This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component used within an organization to manage work, collaborate with others and release products to the public. Any delete action against a repository should be investigated to determine its validity. Unauthorized deletion of organization repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.

Elastic rule (View on GitHub)

# Elastic prebuilt detection rule: alerts on deletion of a GitHub repository,
# sourced from the GitHub audit log shipped by the "github" integration.
[metadata]
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component
used within an organization to manage work, collaborate with others and release products to the public. Any delete
action against a repository should be investigated to determine it's validity. Unauthorized deletion of organization
repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.
"""
# Lookback window for each rule execution, relative to now. The 9 minute window
# is presumably wider than the scheduled interval so runs overlap and
# late-arriving audit events are not missed — confirm against the configured
# interval when deploying.
from = "now-9m"
# Data stream written by the github integration for the organization audit log.
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "GitHub Repository Deleted"
# risk_score and severity are kept consistent: 47 maps to "medium" in Elastic's
# scoring bands.
risk_score = 47
rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Use Case: Threat Detection",
    "Use Case: UEBA",
    "Tactic: Impact",
    "Data Source: Github",
]
# Evaluate the query window against ingest time instead of the event's own
# timestamp, so audit records that reach Elasticsearch late still fall inside
# the lookback above.
timestamp_override = "event.ingested"
type = "eql"

# Fires on any "configuration" event from the github module whose action is
# "repo.destroy" (repository deletion). The query carries no exclusions for
# expected deletions; if sanctioned automation or admin cleanup produces noise,
# add a rule exception rather than loosening this condition.
query = '''
configuration where event.module == "github" and event.action == "repo.destroy"
'''


# MITRE ATT&CK mapping: Data Destruction (T1485) under the Impact tactic (TA0040).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
