
Summary
This analytic rule detects the deletion of repositories in GitHub Enterprise by monitoring GitHub Enterprise audit logs for repository deletion events. The primary concern is that such activity may signify unauthorized actions leading to the loss of critical source code and project resources. Repository deletion can have severe implications, including loss of intellectual property, interruption of development operations, and potential insider threats or account compromise. For an organization's security operations center (SOC), it is essential to identify unauthorized deletions promptly, as they could indicate malicious activity and call for immediate incident response to prevent permanent data loss. The rule aggregates the relevant audit log events, counting deletion occurrences while capturing contextual details about the actor responsible for the action, which gives analysts the context needed to triage the alert. It provides a way to track suspicious activity associated with GitHub usage, allowing organizations to take timely corrective measures where needed.
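The aggregation described above, as an added example that is not the rule's own search logic (which this page does not show): it parses constructed GitHub Enterprise audit log entries in JSON-lines form, keeps only repository deletion events, and summarises them per actor. It assumes the audit log export field names `action`, `actor`, `repo`, `actor_ip` and `@timestamp`, and the `repo.destroy` action value for deletions.

```python
import json

# Constructed sample GitHub Enterprise audit log entries (JSON lines), modelled on the
# audit log export format; every value here is made up for this example.
SAMPLE_AUDIT_LOG = """
{"@timestamp": 1736985600000, "action": "repo.create", "actor": "alice", "org": "acme", "repo": "acme/payments-api"}
{"@timestamp": 1736985660000, "action": "repo.destroy", "actor": "mallory", "org": "acme", "repo": "acme/payments-api", "actor_ip": "203.0.113.7"}
{"@timestamp": 1736985720000, "action": "repo.destroy", "actor": "mallory", "org": "acme", "repo": "acme/billing-service", "actor_ip": "203.0.113.7"}
{"@timestamp": 1736985780000, "action": "repo.archived", "actor": "bob", "org": "acme", "repo": "acme/legacy-ui"}
{"@timestamp": 1736985840000, "action": "repo.destroy", "actor": "bob", "org": "acme", "repo": "acme/scratch-test"}
"""

DELETE_ACTION = "repo.destroy"  # audit log action emitted when a repository is deleted


def parse_audit_log(text):
    """Parse JSON-lines audit log text into event dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad line should not discard the whole batch
    return events


def detect_repo_deletions(events):
    """Aggregate deletion events per actor: count, repos removed, source IPs, first/last time."""
    by_actor = {}
    for ev in events:
        if ev.get("action") != DELETE_ACTION:
            continue
        actor = ev.get("actor", "<unknown>")
        entry = by_actor.setdefault(actor, {"count": 0, "repos": [], "ips": set(), "first": None, "last": None})
        entry["count"] += 1
        entry["repos"].append(ev.get("repo"))
        if ev.get("actor_ip"):
            entry["ips"].add(ev["actor_ip"])
        ts = ev.get("@timestamp")
        if ts is not None:
            entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
            entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return by_actor


if __name__ == "__main__":
    findings = detect_repo_deletions(parse_audit_log(SAMPLE_AUDIT_LOG))
    for actor, f in sorted(findings.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{actor}: {f['count']} deletion(s) of {f['repos']} from {sorted(f['ips']) or 'n/a'}")
```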
Categories
- Cloud
- Application
- Identity Management
Data Sources
- Web Credential
ATT&CK Techniques
- T1485
- T1195
Created: 2025-01-16