GitHub Repository Deleted
This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component used within an organization to manage work, collaborate with others and release products to the public. Any delete action against a repository should be investigated to determine its validity. Unauthorized deletion of organization repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/08/29"
integration = ["github"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/29"

[rule]
author = ["Elastic"]
description = """
This rule detects when a GitHub repository is deleted within your organization.
Repositories are a critical component used within an organization to manage work,
collaborate with others and release products to the public. Any delete action against
a repository should be investigated to determine its validity. Unauthorized deletion
of organization repositories could cause irreversible loss of intellectual property and
indicate compromise within your organization.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "GitHub Repository Deleted"
risk_score = 47
rule_id = "345889c4-23a8-4bc0-b7ca-756bd17ce83b"
severity = "medium"
tags = ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Github"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
configuration where event.module == "github" and event.action == "repo.destroy"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"

[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
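To show what the rule above actually evaluates, the following is an added Python example (not Elastic's code) that replays the EQL condition and the rule's from = "now-9m" window, measured on event.ingested because of timestamp_override, over constructed GitHub audit events. The fields github.repo and github.actor used for the alert summary are assumed; the event.* fields are the ones the rule itself references.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events in the flattened shape the EQL query runs against
# (index pattern logs-github.audit-*). github.repo / github.actor are assumed names.
SAMPLE_EVENTS = [
    {"event.category": "configuration", "event.module": "github", "event.action": "repo.destroy",
     "event.ingested": "2023-08-29T12:00:05Z", "github.repo": "acme/payments-api", "github.actor": "jdoe"},
    {"event.category": "configuration", "event.module": "github", "event.action": "repo.create",
     "event.ingested": "2023-08-29T12:01:00Z", "github.repo": "acme/sandbox", "github.actor": "jdoe"},
    # Same action, but ingested well before the 9-minute lookback of this run: not alerted now.
    {"event.category": "configuration", "event.module": "github", "event.action": "repo.destroy",
     "event.ingested": "2023-08-29T11:40:00Z", "github.repo": "acme/old-docs", "github.actor": "svc-cleanup"},
    # Wrong module: the query is scoped to the github integration only.
    {"event.category": "configuration", "event.module": "gitlab", "event.action": "repo.destroy",
     "event.ingested": "2023-08-29T12:02:00Z", "github.repo": "acme/mirror", "github.actor": "jdoe"},
]


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def matches_rule(event):
    """Equivalent of the query:
    configuration where event.module == "github" and event.action == "repo.destroy"
    The leading 'configuration' is the EQL event category, i.e. event.category == "configuration"."""
    return (event.get("event.category") == "configuration"
            and event.get("event.module") == "github"
            and event.get("event.action") == "repo.destroy")


def run_rule(events, now_iso, lookback=timedelta(minutes=9)):
    """One scheduled execution: only events ingested within [now-9m, now] are considered,
    which is why late-arriving audit records are judged on event.ingested, not @timestamp."""
    now = _parse(now_iso)
    window_start = now - lookback
    alerts = []
    for ev in events:
        ingested = _parse(ev["event.ingested"])
        if window_start <= ingested <= now and matches_rule(ev):
            alerts.append({"repo": ev.get("github.repo"),
                           "actor": ev.get("github.actor"),
                           "ingested": ev["event.ingested"]})
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS, "2023-08-29T12:05:00Z"):
        print(f"ALERT repo={alert['repo']} deleted by {alert['actor']} at {alert['ingested']}")
```

Each alert should then be triaged against change tickets or a known decommissioning process for the named repository and actor.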
Related rules
- GitHub Protected Branch Settings Changed
- Deleting Backup Catalogs with Wbadmin
- High Number of Process Terminations
- High Number of Process and/or Service Terminations
- Hosts File Modified