GitHub SSH certificate authority deleted

github-telemetry

Classification:

attack

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when a GitHub SSH certificate authority has been deleted.

Strategy

This rule monitors GitHub audit logs for when GitHub SSH certificate authority has been deleted. With an SSH certificate authority organization, an enterprise account can provide SSH certificates that members can use to access its resources with Git. Any deletions should be monitored and the change should be verified to ensure it is authorized.

Triage and response

  1. Determine if the change taken by {{@github.actor}} is authorized.
  2. If the change was not authorized or was unexpected, begin your organization’s incident response process and investigate.