Github Repository/Organization Transferred

 1title: Github Repository/Organization Transferred
 2id: 04ad83ef-1a37-4c10-b57a-81092164bf33
 3status: test
 4description: Detects when a repository or an organization is being transferred to another location.
 5references:
 6    - https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository
 7    - https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership
 8    - https://docs.github.com/en/migrations
 9    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration
10author: Romain Gaillard (@romain-gaillard)
11date: 2024-07-29
12tags:
13    - attack.persistence
14    - attack.exfiltration
15    - attack.t1020
16    - attack.t1537
17logsource:
18    product: github
19    service: audit
20    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
21detection:
22    selection:
23        action:
24            - 'migration.create' # A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.
25            - 'org.transfer_outgoing' # An organization was transferred between enterprise accounts.
26            - 'org.transfer' # An organization was transferred between enterprise accounts.
27            - 'repo.transfer_outgoing' # A repository was transferred to another repository network.
28    condition: selection
29falsepositives:
30    - Allowed administrative activities.
31level: medium

References

• Transferring a repository - GitHub Docs

  

  You can transfer repositories to other users or organization accounts.

  
  Read More

• Transferring organization ownership - GitHub Docs

  

  To make someone else the owner of an organization account, you must add a new owner, ensure that the billing information is updated, and then remove yourself from the account.

  
  Read More

• Migrations documentation - GitHub Docs

  

  If you're moving to GitHub from another code hosting platform or moving between GitHub products, learn how to use our migration tooling to bring your work with you.

  
  Read More

• Audit log events for your enterprise - GitHub Enterprise Cloud Docs

  

  Review the events recorded in an enterprise's audit log.

  
  Read More

Related rules

• Github Fork Private Repositories Setting Enabled/Cleared
• Suspicious BlackCat-Related Exfiltration Command
• Suspicious SQL Query
• Modification or Deletion of an AWS RDS Cluster
• AWS EC2 VM Export Failure