GitHub Repository Deleted
This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component used within an organization to manage work, collaborate with others and release products to the public. Any delete action against a repository should be investigated to determine its validity. Unauthorized deletion of organization repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."

[rule]
author = ["Elastic"]
description = """
This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component
used within an organization to manage work, collaborate with others and release products to the public. Any delete
action against a repository should be investigated to determine its validity. Unauthorized deletion of organization
repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "GitHub Repository Deleted"
risk_score = 47
rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Use Case: Threat Detection",
    "Use Case: UEBA",
    "Tactic: Impact",
    "Data Source: Github",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
configuration where event.module == "github" and event.dataset == "github.audit" and event.action == "repo.destroy"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GitHub Repository Deleted
GitHub repositories are essential for managing code and collaboration within organizations. Adversaries may exploit this by deleting repositories to disrupt operations or erase critical data, potentially indicating a security breach. The detection rule monitors GitHub audit logs for repository deletion events, enabling analysts to swiftly identify and investigate unauthorized actions, thereby mitigating potential data loss and compromise.

### Possible investigation steps

- Review the GitHub audit logs to confirm the repository deletion event by checking for entries where event.module is "github", event.dataset is "github.audit", and event.action is "repo.destroy".
- Identify the user account associated with the deletion event and verify their access permissions and recent activity to determine if the action was authorized.
- Contact the user or team responsible for the repository to confirm whether the deletion was intentional and documented.
- Check for any recent changes in user access or permissions that could indicate a compromised account or unauthorized access.
- Investigate any other suspicious activities or alerts related to the same user or repository around the time of the deletion event to identify potential patterns of malicious behavior.
- Assess the impact of the repository deletion on ongoing projects and data availability, and initiate recovery procedures if necessary.

### False positive analysis

- Routine repository clean-up activities by authorized personnel may trigger alerts. To manage this, maintain a list of users or teams responsible for such tasks and create exceptions for their actions.
- Automated scripts or tools used for repository management might delete repositories as part of their normal operation. Identify these scripts and exclude their actions from triggering alerts by using specific identifiers or tags.
- Test or temporary repositories that are frequently created and deleted during development cycles can cause false positives. Implement naming conventions for these repositories and configure the rule to ignore deletions matching these patterns.
- Scheduled repository deletions as part of a lifecycle management policy can be mistaken for unauthorized actions. Document these schedules and adjust the detection rule to accommodate these planned activities.

### Response and remediation

- Immediately revoke access for any user account associated with the unauthorized repository deletion to prevent further malicious actions.
- Restore the deleted repository from backups or snapshots, if available, to recover lost data and minimize operational disruption.
- Conduct a thorough review of recent access logs and user activities to identify any other suspicious actions or potential indicators of compromise.
- Notify the security team and relevant stakeholders about the incident to ensure coordinated response efforts and awareness.
- Implement additional access controls, such as multi-factor authentication and role-based access, to prevent unauthorized deletions in the future.
- Escalate the incident to higher management and legal teams if intellectual property theft or significant data loss is suspected.
- Enhance monitoring and alerting mechanisms to detect similar unauthorized actions promptly, leveraging the MITRE ATT&CK framework for guidance on potential threat vectors."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
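The rule's EQL predicate and the false-positive exceptions its guide suggests (automation accounts, naming conventions for throwaway repositories), worked through over constructed audit events as an added example; this is not Elastic's code, and the `user.name` and `github.repo` field names are assumptions for the example, only the `event.*` fields come from the rule.

```python
import re
# Constructed sample audit events in the shape the rule's EQL query runs over.
# event.module/dataset/action are the fields the rule uses; user.name (actor)
# and github.repo (repository) are assumed field names, not taken from the rule.
SAMPLE_EVENTS = [
    {"event": {"module": "github", "dataset": "github.audit", "action": "repo.destroy"},
     "user": {"name": "jdoe"}, "github": {"repo": "acme/payments-service"}},
    {"event": {"module": "github", "dataset": "github.audit", "action": "repo.create"},
     "user": {"name": "jdoe"}, "github": {"repo": "acme/new-service"}},
    {"event": {"module": "github", "dataset": "github.audit", "action": "repo.destroy"},
     "user": {"name": "repo-janitor-bot"}, "github": {"repo": "acme/stale-fork"}},
    {"event": {"module": "github", "dataset": "github.audit", "action": "repo.destroy"},
     "user": {"name": "asmith"}, "github": {"repo": "acme/tmp-ci-experiment"}},
]

# Exceptions mirroring the false-positive guidance: known automation accounts
# and a naming convention for throwaway repositories (both constructed here).
AUTOMATION_ACCOUNTS = {"repo-janitor-bot"}
TEMP_REPO_PATTERN = re.compile(r"^[^/]+/(?:tmp|test)-")

def field(event, path):
    """Resolve a dotted ECS field path such as 'event.action' on a nested dict."""
    node = event
    for key in path.split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node

def matches_rule(event):
    """The rule's EQL predicate, evaluated on a single document."""
    return (field(event, "event.module") == "github"
            and field(event, "event.dataset") == "github.audit"
            and field(event, "event.action") == "repo.destroy")

def exception_reason(event):
    """Why a matching deletion is expected, or None if it needs investigation."""
    if field(event, "user.name") in AUTOMATION_ACCOUNTS:
        return "automation account"
    if TEMP_REPO_PATTERN.match(field(event, "github.repo") or ""):
        return "temporary repo naming convention"
    return None

def triage(events):
    """Split rule hits into alerts to investigate and suppressed expected deletions."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        hit = {"actor": field(ev, "user.name"), "repo": field(ev, "github.repo")}
        reason = exception_reason(ev)
        (suppressed if reason else alerts).append({**hit, "reason": reason})
    return alerts, suppressed
```

Suppressed hits should still be kept for audit, since the guide's third step (confirming the deletion with the owning team) applies to them too.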
Related rules
- GitHub Owner Role Granted To User
- GitHub UEBA - Multiple Alerts from a GitHub Account
- High Number of Cloned GitHub Repos From PAT
- New GitHub Owner Added
- AWS RDS DB Instance or Cluster Deletion Protection Disabled