Github Repository/Organization Transferred

Detects when a repository or an organization is being transferred to another location.

Sigma rule (View on GitHub)

title: Github Repository/Organization Transferred
id: 04ad83ef-1a37-4c10-b57a-81092164bf33
status: test
description: Detects when a repository or an organization is being transferred to another location.
references:
    - https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
    - https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership
    - https://docs.github.com/en/migrations
    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration
author: Romain Gaillard (@romain-gaillard)
date: 2024-07-29
tags:
    - attack.persistence
    - attack.exfiltration
    - attack.t1020
    - attack.t1537
logsource:
    product: github
    service: audit
    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
detection:
    selection:
        action:
            - 'migration.create' # A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.
            - 'org.transfer_outgoing' # An organization was transferred between enterprise accounts.
            - 'org.transfer' # An organization was transferred between enterprise accounts.
            - 'repo.transfer_outgoing' # A repository was transferred to another repository network.
    condition: selection
falsepositives:
    - Allowed administrative activities.
level: medium
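
The rule's selection applied to a few streamed audit log lines, as an added example that is not part of the Sigma rule or its repository. The events are constructed, and the field names other than `action` (`@timestamp`, `actor`, `org`, `repo`) are assumed for the sample. It shows that the list is matched as whole values, case-insensitively, so a similarly named action such as `repo.transfer_start` does not fire.

```python
import json

# Actions from the rule's `selection` block. Sigma treats a list as OR and
# compares each value case-insensitively against the whole field value.
RULE_ACTIONS = {
    "migration.create",
    "org.transfer_outgoing",
    "org.transfer",
    "repo.transfer_outgoing",
}

# Constructed NDJSON sample, not real events; fields other than `action` are assumed.
SAMPLE_LOG = """\
{"@timestamp": 1722240000000, "action": "repo.transfer_outgoing", "actor": "alice", "org": "example-org", "repo": "example-org/payments"}
{"@timestamp": 1722240060000, "action": "repo.create", "actor": "bob", "org": "example-org", "repo": "example-org/scratch"}
{"@timestamp": 1722240120000, "action": "Org.Transfer", "actor": "carol", "org": "example-org"}
{"@timestamp": 1722240180000, "action": "repo.transfer_start", "actor": "alice", "org": "example-org", "repo": "example-org/docs"}
this line is truncated {"action": "migration.cre
{"@timestamp": 1722240240000, "action": "migration.create", "actor": "dave", "org": "example-org"}
"""

def matches_rule(event):
    """True when the event's `action` equals one of the rule's values."""
    action = event.get("action")
    return isinstance(action, str) and action.lower() in RULE_ACTIONS

def scan(ndjson_text):
    """Return (hits, skipped): matching events and the count of unparsable lines."""
    hits, skipped = [], 0
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # count parse failures instead of silently dropping them
            continue
        if isinstance(event, dict) and matches_rule(event):
            hits.append(event)
    return hits, skipped

def triage_lines(hits):
    """One line per hit with the fields an analyst checks against approved changes."""
    return [f'{e.get("@timestamp")} {e["action"]} actor={e.get("actor")} '
            f'target={e.get("repo") or e.get("org")}' for e in hits]

if __name__ == "__main__":
    hits, skipped = scan(SAMPLE_LOG)
    print("\n".join(triage_lines(hits) + [f"{len(hits)} hit(s), {skipped} unparsable line(s)"]))
```

A non-zero count of unparsable lines is worth alerting on separately, since a transfer event lost to truncation never reaches the rule.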
