Github Delete Action Invoked
Detects delete action in the Github audit logs for codespaces, environment, project and repo.
Sigma rule (View on GitHub)
1title: Github Delete Action Invoked
2id: 16a71777-0b2e-4db7-9888-9d59cb75200b
3status: test
4description: Detects delete action in the Github audit logs for codespaces, environment, project and repo.
5author: Muhammad Faisal (@faisalusuf)
6date: 2023-01-19
7modified: 2026-03-09
8references:
9 - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
10 - https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events#codespaces
11tags:
12 - attack.impact
13 - attack.collection
14 - attack.t1213.003
15logsource:
16 product: github
17 service: audit
18 definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
19detection:
20 selection:
21 action:
22 - 'codespaces.destroy'
23 - 'environment.delete'
24 - 'project.delete'
25 - 'repo.destroy'
26 condition: selection
27falsepositives:
28 - Validate the deletion activity is permitted. The "actor" field need to be validated.
29level: medium
References
-
The audit log allows organization admins to quickly review the actions performed by members of your organization. It includes details such as who performed the action, what the action was, and when it was performed.
Read More -
Related rules
- Bitbucket Full Data Export Triggered
- Bitbucket Unauthorized Full Data Export Triggered
- Github Outside Collaborator Detected
- ISATAP Router Address Was Set
- Okta API Token Revoked