Github Repository/Organization Transferred

Detects when a repository or an organization is being transferred to another location.

Sigma rule

title: Github Repository/Organization Transferred
id: 04ad83ef-1a37-4c10-b57a-81092164bf33
status: experimental
description: Detects when a repository or an organization is being transferred to another location.
references:
    - https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
    - https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership
    - https://docs.github.com/en/migrations
    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration
author: Romain Gaillard (@romain-gaillard)
date: 2024-07-29
tags:
    - attack.persistence
    - attack.t1020
    - attack.t1537
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'migration.create' # A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.
            - 'org.transfer_outgoing' # An organization was transferred between enterprise accounts.
            - 'org.transfer' # An organization was transferred between enterprise accounts.
            - 'repo.transfer_outgoing' # A repository was transferred to another repository network.
    condition: selection
falsepositives:
    - Allowed administrative activities.
level: medium
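
The rule's selection applied to streamed audit-log events, as an added example that is not part of the Sigma project or the original page. The sample events and the `approved_actors` allowlist (a stand-in for the "Allowed administrative activities" false positive) are constructed assumptions.

```python
import json

# Actions copied from the rule's `selection` block.
TRANSFER_ACTIONS = {
    "migration.create",
    "org.transfer_outgoing",
    "org.transfer",
    "repo.transfer_outgoing",
}

# Constructed sample of streamed audit-log events (JSON Lines); not real data.
SAMPLE_LOG = """\
{"@timestamp": 1722250000000, "action": "repo.create", "actor": "alice", "org": "example-org", "repo": "example-org/app"}
{"@timestamp": 1722250100000, "action": "repo.transfer_outgoing", "actor": "mallory", "org": "example-org", "repo": "example-org/app"}
{"@timestamp": 1722250200000, "action": "org.transfer", "actor": "org-admin", "org": "example-org"}
this line is truncated {"action": "migration.cre
{"@timestamp": 1722250300000, "action": "Migration.Create", "actor": "bob", "org": "example-org"}
{"@timestamp": 1722250400000, "action": "repo.transfer", "actor": "bob", "org": "example-org", "repo": "example-org/lib"}
"""

def match_events(lines, approved_actors=frozenset()):
    """Return (alerts, suppressed, unparsed) for an iterable of JSON lines."""
    alerts, suppressed, unparsed = [], [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            unparsed += 1  # count it: a broken stream can hide events
            continue
        if not isinstance(event, dict):
            unparsed += 1
            continue
        # Sigma compares strings case-insensitively; whole value, not prefix.
        if str(event.get("action", "")).lower() not in TRANSFER_ACTIONS:
            continue
        # Hypothetical allowlist for approved administrative transfers.
        if event.get("actor") in approved_actors:
            suppressed.append(event)
        else:
            alerts.append(event)
    return alerts, suppressed, unparsed

if __name__ == "__main__":
    alerts, suppressed, unparsed = match_events(SAMPLE_LOG.splitlines(), {"org-admin"})
    for e in alerts:
        print(f"ALERT {e['action']} by {e['actor']} in {e['org']}")
    print(f"suppressed={len(suppressed)} unparsed={unparsed}")
```

Suppressed events are returned rather than dropped so that allowlisted transfers can still be reviewed. The constructed `repo.transfer` event shows that an action missing from the rule's list does not match.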
