GitHub Repository Deleted

 1[metadata]
 2creation_date = "2023/08/29"
 3integration = ["github"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component
11used within an organization to manage work, collaborate with others and release products to the public. Any delete
12action against a repository should be investigated to determine it's validity. Unauthorized deletion of organization
13repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.
14"""
15from = "now-9m"
16index = ["logs-github.audit-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "GitHub Repository Deleted"
20risk_score = 47
21rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b"
22severity = "medium"
23tags = [
24    "Domain: Cloud",
25    "Use Case: Threat Detection",
26    "Use Case: UEBA",
27    "Tactic: Impact",
28    "Data Source: Github",
29]
30timestamp_override = "event.ingested"
31type = "eql"
32
33query = '''
34configuration where event.module == "github" and event.action == "repo.destroy"
35'''
36
37
38[[rule.threat]]
39framework = "MITRE ATT&CK"
40[[rule.threat.technique]]
41id = "T1485"
42name = "Data Destruction"
43reference = "https://attack.mitre.org/techniques/T1485/"
44
45
46[rule.threat.tactic]
47id = "TA0040"
48name = "Impact"
49reference = "https://attack.mitre.org/tactics/TA0040/"