GitHub Repository Deleted

This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component used within an organization to manage work, collaborate with others and release products to the public. Any delete action against a repository should be investigated to determine its validity. Unauthorized deletion of organization repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/12/14"

[rule]
author = ["Elastic"]
description = """
This rule detects when a GitHub repository is deleted within your organization.
Repositories are a critical component used within an organization to manage work,
collaborate with others and release products to the public. Any delete action against
a repository should be investigated to determine its validity. Unauthorized deletion
of organization repositories could cause irreversible loss of intellectual property and
indicate compromise within your organization.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "GitHub Repository Deleted"
risk_score = 47
rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b"
severity = "medium"
tags = ["Domain: Cloud",
        "Use Case: Threat Detection",
        "Use Case: UEBA",
        "Tactic: Impact",
        "Data Source: Github"
        ]
timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.module == "github" and event.action == "repo.destroy"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"

[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
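To see what the rule actually evaluates, here is an added, offline re-implementation of its logic (not Elastic's code): it replays the EQL filter over a few constructed GitHub audit events and applies the from = "now-9m" lookback on event.ingested, the field named by timestamp_override. The github.repo and user.name field names in the sample events are assumptions for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed GitHub audit events in ECS shape; the github.repo and user.name
# field names are assumed for illustration, not taken from the rule page.
SAMPLE_NDJSON = """\
{"@timestamp": "2023-12-14T10:00:05Z", "event": {"module": "github", "action": "repo.destroy", "ingested": "2023-12-14T10:00:07Z"}, "user": {"name": "alice"}, "github": {"repo": "acme/payments-service"}}
{"@timestamp": "2023-12-14T10:00:09Z", "event": {"module": "github", "action": "repo.create", "ingested": "2023-12-14T10:00:10Z"}, "user": {"name": "bob"}, "github": {"repo": "acme/sandbox"}}
{"@timestamp": "2023-12-14T09:30:00Z", "event": {"module": "github", "action": "repo.destroy", "ingested": "2023-12-14T09:30:02Z"}, "user": {"name": "ci-bot"}, "github": {"repo": "acme/old-prototype"}}
{"@timestamp": "2023-12-14T10:00:11Z", "event": {"module": "okta", "action": "repo.destroy", "ingested": "2023-12-14T10:00:12Z"}, "user": {"name": "mallory"}}
"""

LOOKBACK = timedelta(minutes=9)  # the rule's from = "now-9m"


def get_field(event, dotted):
    """Resolve an ECS dotted field name such as "event.action" in a nested dict."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def parse_ts(value):
    # fromisoformat accepts a trailing "Z" only on Python 3.11+, so normalise it
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def matches_rule(event):
    """The EQL filter: event.module == "github" and event.action == "repo.destroy"."""
    return (get_field(event, "event.module") == "github"
            and get_field(event, "event.action") == "repo.destroy")


def run_rule(ndjson, now_iso):
    """Emulate one scheduled execution at now_iso: keep events whose event.ingested
    (the timestamp_override field) is in the lookback window, apply the query,
    and return one alert per hit."""
    now = parse_ts(now_iso)
    window_start = now - LOOKBACK
    alerts = []
    for line in ndjson.splitlines():
        event = json.loads(line)
        ingested = parse_ts(get_field(event, "event.ingested"))
        if not (window_start <= ingested <= now):
            continue  # outside this execution's window; an earlier run covered it
        if matches_rule(event):
            alerts.append({"repo": get_field(event, "github.repo"),
                           "actor": get_field(event, "user.name"),
                           "ingested": ingested.isoformat()})
    return alerts
```

Note that the window is on event.ingested, not @timestamp, so a destroy event delivered late by the audit log stream is still caught by the execution that ingests it.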
