GitHub mass deletion of repositories
Goal
Detects mass deletion of GitHub repositories or organization deletion events that could indicate potentially malicious destructive activities.
Strategy
This rule monitors GitHub audit logs for organization deletion events through `org.delete` and repository destruction events through `repo.destroy`. The detection differentiates between user-initiated and bot-initiated repository deletions to provide appropriate severity levels.
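As an added illustration of the strategy above (not Datadog's rule implementation), the following Python detector runs over constructed audit-log events, applies a per-actor sliding-window count of `repo.destroy`, fires immediately on `org.delete`, and assigns a lower severity to bot actors. The field names (`actor_is_bot`, `created_at`), the window, the threshold and the severity labels are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log events (not real data). Field names are assumptions
# modelled on GitHub's audit-log export: action, actor, actor_is_bot, repo, created_at.
SAMPLE_EVENTS = [
    '{"action":"repo.destroy","actor":"alice","actor_is_bot":false,"repo":"acme/api","created_at":"2024-05-01T10:00:00Z"}',
    '{"action":"repo.destroy","actor":"alice","actor_is_bot":false,"repo":"acme/web","created_at":"2024-05-01T10:02:00Z"}',
    '{"action":"repo.destroy","actor":"alice","actor_is_bot":false,"repo":"acme/docs","created_at":"2024-05-01T10:04:00Z"}',
    '{"action":"repo.destroy","actor":"cleanup-bot","actor_is_bot":true,"repo":"acme/tmp1","created_at":"2024-05-01T10:05:00Z"}',
    '{"action":"repo.destroy","actor":"cleanup-bot","actor_is_bot":true,"repo":"acme/tmp2","created_at":"2024-05-01T10:06:00Z"}',
    '{"action":"repo.destroy","actor":"cleanup-bot","actor_is_bot":true,"repo":"acme/tmp3","created_at":"2024-05-01T10:07:00Z"}',
    '{"action":"repo.destroy","actor":"bob","actor_is_bot":false,"repo":"acme/old","created_at":"2024-05-01T10:08:00Z"}',
    '{"action":"org.delete","actor":"mallory","actor_is_bot":false,"org":"acme","created_at":"2024-05-01T10:09:00Z"}',
]

WINDOW = timedelta(minutes=10)   # sliding window per actor (assumed tuning value)
THRESHOLD = 3                    # repo.destroy events per actor in WINDOW (assumed)

def parse_events(lines):
    """Parse JSON lines, keep only destructive actions, sort by timestamp."""
    events = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("action") in ("repo.destroy", "org.delete"):
            ev["ts"] = datetime.fromisoformat(ev["created_at"].replace("Z", "+00:00"))
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect(lines):
    """Return (actor, severity, reason) findings in time order. org.delete fires at once;
    repo.destroy fires once per actor when THRESHOLD events fall inside WINDOW."""
    findings, recent, fired = [], defaultdict(list), set()
    for ev in parse_events(lines):
        actor = ev["actor"]
        if ev["action"] == "org.delete":
            findings.append((actor, "critical", "org.delete"))
            continue
        stamps = recent[actor]
        stamps.append(ev["ts"])
        # Evict timestamps that fell out of the sliding window
        while ev["ts"] - stamps[0] > WINDOW:
            stamps.pop(0)
        if len(stamps) >= THRESHOLD and actor not in fired:
            fired.add(actor)
            # Assumed mapping: human-initiated mass deletion outranks bot-initiated
            severity = "medium" if ev.get("actor_is_bot") else "high"
            findings.append((actor, severity, f"{len(stamps)} repo.destroy in {WINDOW}"))
    return findings
```

Bob's single deletion never reaches the threshold, which is the kind of routine housekeeping the per-actor count is meant to ignore.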
Triage & Response
- Examine the GitHub audit logs for `{{@github.actor}}` to identify the specific user that initiated the activity.
- Verify if the user account associated with the deletion activity has legitimate administrative permissions and business justification for the destructive actions.
- Review recent authentication patterns and access anomalies for the account to determine if it may have been compromised.
- Check for any prior suspicious activities such as unusual data access, privilege escalation, or account modifications that could indicate compromise.