GitHub Repository Deleted
This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component used within an organization to manage work, collaborate with others and release products to the public. Any delete action against a repository should be investigated to determine its validity. Unauthorized deletion of organization repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
updated_date = "2024/12/10"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."

[rule]
author = ["Elastic"]
description = """
This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component
used within an organization to manage work, collaborate with others and release products to the public. Any delete
action against a repository should be investigated to determine its validity. Unauthorized deletion of organization
repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "GitHub Repository Deleted"
risk_score = 47
rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b"
severity = "medium"
tags = [
  "Domain: Cloud",
  "Use Case: Threat Detection",
  "Use Case: UEBA",
  "Tactic: Impact",
  "Data Source: Github",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
configuration where event.module == "github" and event.dataset == "github.audit" and event.action == "repo.destroy"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
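To make the query above concrete, here is an added example (not Elastic's code and not part of the rule) that re-implements the EQL predicate in Python and runs it over a few constructed ECS-shaped documents like those in logs-github.audit-*. It applies the rule's three equality filters plus the check that the EQL prefix "configuration where" implies: event.category must contain "configuration", and ECS allows that field to be either a keyword or an array. The triage fields github.org, github.repo and user.name, and the sample documents themselves, are assumptions for illustration; confirm them against the github.audit mapping in your own stack.

```python
"""Python re-implementation of the 'GitHub Repository Deleted' EQL predicate.

Added example, not Elastic's code. The sample documents below are constructed
to look like logs-github.audit-* events; they are not real audit-log data.
Field names github.org, github.repo and user.name are assumed for the triage
summary and should be checked against your github.audit mapping.
"""

from typing import Any, Dict, List, Optional

# Constructed sample documents (not real data).
SAMPLE_AUDIT_DOCS: List[Dict[str, Any]] = [
    {   # should match: repository deletion in the GitHub audit dataset
        "@timestamp": "2024-12-10T14:02:11.000Z",
        "event": {"module": "github", "dataset": "github.audit",
                  "category": ["configuration"], "action": "repo.destroy"},
        "github": {"org": "example-org", "repo": "example-org/billing-service"},
        "user": {"name": "jdoe"},
    },
    {   # should not match: archiving is a different audit action
        "@timestamp": "2024-12-10T14:05:40.000Z",
        "event": {"module": "github", "dataset": "github.audit",
                  "category": ["configuration"], "action": "repo.archived"},
        "github": {"org": "example-org", "repo": "example-org/legacy-tool"},
        "user": {"name": "jdoe"},
    },
    {   # should not match: right action, but event.category is not
        # "configuration", so the EQL `configuration where` prefix drops it
        "@timestamp": "2024-12-10T14:07:03.000Z",
        "event": {"module": "github", "dataset": "github.audit",
                  "category": ["web"], "action": "repo.destroy"},
        "github": {"org": "example-org", "repo": "example-org/docs"},
        "user": {"name": "svc-ci"},
    },
    {   # should match: event.category given as a bare keyword, not an array
        "@timestamp": "2024-12-10T14:09:55.000Z",
        "event": {"module": "github", "dataset": "github.audit",
                  "category": "configuration", "action": "repo.destroy"},
        "github": {"org": "example-org", "repo": "example-org/infra-terraform"},
        "user": {"name": "svc-ci"},
    },
]

# The rule's event category (from the `configuration where` prefix) and its
# three equality filters, copied from the query.
RULE_EVENT_CATEGORY = "configuration"
RULE_FILTERS = {
    "event.module": "github",
    "event.dataset": "github.audit",
    "event.action": "repo.destroy",
}


def get_field(doc: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted ECS field name against a nested document.

    Also accepts documents already flattened to {"event.action": ...} keys.
    """
    if path in doc:
        return doc[path]
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def has_category(doc: Dict[str, Any], category: str) -> bool:
    """EQL `<category> where ...` requires event.category to contain the
    category; ECS permits the field to be a keyword or an array of keywords."""
    value = get_field(doc, "event.category")
    if isinstance(value, str):
        return value == category
    if isinstance(value, list):
        return category in value
    return False


def matches_rule(doc: Dict[str, Any]) -> bool:
    """Equivalent of the rule query:
    configuration where event.module == "github" and event.dataset == "github.audit"
                    and event.action == "repo.destroy"
    """
    if not has_category(doc, RULE_EVENT_CATEGORY):
        return False
    return all(get_field(doc, field) == want for field, want in RULE_FILTERS.items())


def run_rule(docs: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return a triage summary (who deleted what, when) for each match."""
    hits = []
    for doc in docs:
        if matches_rule(doc):
            hits.append({
                "timestamp": get_field(doc, "@timestamp"),
                "org": get_field(doc, "github.org"),
                "repo": get_field(doc, "github.repo"),
                "actor": get_field(doc, "user.name"),
            })
    return hits


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_AUDIT_DOCS):
        print(hit)
```

When triaging a hit, the actor and repository from the summary are the starting point: confirm with the actor whether the deletion was intended, and check the surrounding audit events for the same actor (new owners, token creation, bulk clones) before treating it as a lone accident. GitHub lets organization owners restore a deleted repository for a limited window after deletion, so a confirmed-malicious deletion should be escalated quickly enough to use that option.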
Related rules
- GitHub Owner Role Granted To User
- GitHub UEBA - Multiple Alerts from a GitHub Account
- High Number of Cloned GitHub Repos From PAT
- New GitHub Owner Added
- GitHub App Deleted