
Summary
This detection rule monitors GitHub Enterprise audit logs for events in which a user removes an organization. Such an event may indicate unauthorized activity, including account compromise or malicious insider behavior, and can cause significant operational disruption. Detecting organization deletion is vital for security operations because it may be part of a broader attack campaign aimed at disabling enterprise structures. When an organization is deleted, critical assets such as source code, repository structures, and access controls may be lost, halting development and necessitating costly recovery efforts. The rule uses specific GitHub Enterprise audit log events to detect this activity and alerts operations teams so they can take appropriate action.
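The following is an added example of the detection logic described above, written here for illustration; it is not the rule's own implementation. It assumes the audit log is available as newline-delimited JSON in the shape of GitHub's audit log streaming export, with the fields `action`, `actor`, `org` and `@timestamp` (epoch milliseconds), and it assumes the action names `org.delete` and `business.remove_organization` for organization removal; neither the field names nor the action names come from the rule page. The sample log lines are constructed. Beyond the single-event match, it counts removals per actor so that a burst of removals by one account, the "broader campaign" pattern the summary mentions, is visible in the alert.

```python
"""Detection: organization removal in GitHub Enterprise audit logs.

Added example, not the rule's own implementation. Field names and action
names are assumptions (see the lead-in), not values from the rule page.
"""
import json
from collections import Counter
from datetime import datetime, timezone
from typing import Iterable, Optional

# Assumed audit log action names for organization removal.
ORG_REMOVAL_ACTIONS = {
    "org.delete",                    # organization deleted outright
    "business.remove_organization",  # organization detached from the enterprise
}

# A single actor removing this many organizations in one log batch is
# surfaced as a burst, which is the campaign pattern the rule summary describes.
BURST_THRESHOLD = 2


def parse_audit_line(line: str) -> Optional[dict]:
    """Parse one NDJSON audit line; return None for blank or malformed input."""
    line = line.strip()
    if not line:
        return None
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) and "action" in event else None


def detect_org_removal(lines: Iterable[str]) -> list:
    """Return one alert dict per organization-removal event found in `lines`."""
    alerts = []
    for line in lines:
        event = parse_audit_line(line)
        if event is None or event["action"] not in ORG_REMOVAL_ACTIONS:
            continue
        ts_ms = event.get("@timestamp")
        ts = (datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).isoformat()
              if isinstance(ts_ms, (int, float)) else None)
        alerts.append({
            "timestamp": ts,
            "action": event["action"],
            "actor": event.get("actor", "<unknown>"),
            "org": event.get("org", "<unknown>"),
            # ATT&CK technique IDs as mapped on the rule page
            "techniques": ["T1485", "T1195"],
        })
    # Enrich each alert with the actor's total so a burst is visible at a glance.
    per_actor = Counter(a["actor"] for a in alerts)
    for alert in alerts:
        alert["actor_removal_count"] = per_actor[alert["actor"]]
        alert["burst"] = per_actor[alert["actor"]] >= BURST_THRESHOLD
    return alerts


# Constructed sample audit lines (not real data): two removals by one actor,
# one unrelated event, and a malformed line that must be skipped.
SAMPLE_AUDIT_LOG = [
    '{"action":"org.delete","actor":"mallory","org":"payments-platform",'
    '"@timestamp":1737010800000}',
    '{"action":"repo.create","actor":"alice","org":"payments-platform",'
    '"repo":"payments-platform/api","@timestamp":1737010860000}',
    '{"action":"business.remove_organization","actor":"mallory",'
    '"org":"mobile-apps","@timestamp":1737010920000}',
    'not json at all',
]

if __name__ == "__main__":
    for alert in detect_org_removal(SAMPLE_AUDIT_LOG):
        print(alert)
```

Run against a streamed audit log file by passing the file object to `detect_org_removal`; malformed or unrelated lines are dropped silently, and each surviving alert carries the actor, the affected organization, the UTC timestamp and the per-actor removal count for triage.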
Categories
- Cloud
- Application
Data Sources
- Web Credential
- Application Log
ATT&CK Techniques
- T1485
- T1195
Created: 2025-01-16