Name:GitHub Organizations Repository Deleted id:9ff4ca95-fdae-4eea-9ffa-6d8e1c202a71 version:1 date:2025-01-17 author:Patrick Bareiss, Splunk status:production type:Anomaly Description:The following analytic identifies when a repository is deleted within a GitHub organization. The detection monitors GitHub Organizations audit logs for repository deletion events by tracking actor details, repository information, and associated metadata. This behavior is concerning for SOC teams as malicious actors may attempt to delete repositories to destroy source code, intellectual property, or evidence of compromise. Repository deletion can result in permanent loss of code, documentation, and project history if proper backups are not maintained. Additionally, unauthorized repository deletion could indicate account compromise, insider threats, or attempts to disrupt business operations. The impact of a repository deletion attack includes loss of intellectual property, disruption to development workflows, and potential financial losses from lost work. Early detection of unauthorized repository deletions allows security teams to investigate potential compromises and restore from backups if needed. Data_source:
how_to_implement:You must ingest GitHub Organizations logs using Splunk Add-on for Github using a Personal Access Token https://docs.splunk.com/Documentation/AddOns/released/GitHub/Configureinputs . known_false_positives:unknown References: -https://docs.splunk.com/Documentation/AddOns/released/GitHub/Configureinputs -https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610 drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'GitHub Malicious Activity' asset_type:GitHub mitre_attack_id: - 'T1485' - 'T1195' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:network
