GitHub mass deletion of repositories


Goal

Detects mass deletion of GitHub repositories or organization deletion events that could indicate potentially malicious destructive activities.

Strategy

This rule monitors GitHub audit logs for organization deletion events (org.delete) and repository destruction events (repo.destroy). The detection distinguishes user-initiated from bot-initiated repository deletions so that each can be assigned an appropriate severity level.
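The following is an added illustration of this detection logic, not the rule's own query: it parses constructed GitHub audit-log events (newline-delimited JSON with the field names GitHub's audit-log export uses, assumed here: action, actor, actor_is_bot, org, repo, @timestamp), fires on any org.delete, and raises a repo.destroy alert when one actor destroys a threshold number of repositories inside a sliding time window, with a lower assumed severity for bot actors.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log events (field names follow GitHub's audit-log JSON:
# action, actor, actor_is_bot, org, repo, @timestamp; all values are made up).
SAMPLE_LOG = """
{"action": "repo.create",  "actor": "alice", "actor_is_bot": false, "org": "acme", "repo": "acme/new-svc", "@timestamp": "2024-05-01T09:55:00Z"}
{"action": "repo.destroy", "actor": "alice", "actor_is_bot": false, "org": "acme", "repo": "acme/svc-a", "@timestamp": "2024-05-01T10:00:00Z"}
{"action": "repo.destroy", "actor": "alice", "actor_is_bot": false, "org": "acme", "repo": "acme/svc-b", "@timestamp": "2024-05-01T10:02:00Z"}
{"action": "repo.destroy", "actor": "alice", "actor_is_bot": false, "org": "acme", "repo": "acme/svc-c", "@timestamp": "2024-05-01T10:04:30Z"}
{"action": "repo.destroy", "actor": "bob", "actor_is_bot": false, "org": "acme", "repo": "acme/old-demo", "@timestamp": "2024-05-01T11:00:00Z"}
{"action": "repo.destroy", "actor": "cleanup-bot", "actor_is_bot": true, "org": "acme", "repo": "acme/tmp-1", "@timestamp": "2024-05-01T12:00:00Z"}
{"action": "repo.destroy", "actor": "cleanup-bot", "actor_is_bot": true, "org": "acme", "repo": "acme/tmp-2", "@timestamp": "2024-05-01T12:00:05Z"}
{"action": "repo.destroy", "actor": "cleanup-bot", "actor_is_bot": true, "org": "acme", "repo": "acme/tmp-3", "@timestamp": "2024-05-01T12:00:10Z"}
{"action": "org.delete",   "actor": "mallory", "actor_is_bot": false, "org": "acme-legacy", "@timestamp": "2024-05-01T13:00:00Z"}
"""

def parse_log(text):
    """One JSON object per line, as produced by newline-delimited audit-log exports."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def detect_mass_deletion(events, threshold=3, window=timedelta(minutes=15)):
    """Return alerts: any org.delete fires immediately; repo.destroy fires when one
    actor destroys >= threshold repos within a sliding time window. The severity
    labels (critical/high/medium) are assumed here, not the rule's own values."""
    alerts, destroys = [], defaultdict(list)
    for ev in events:
        if ev.get("action") == "org.delete":
            alerts.append({"actor": ev["actor"], "severity": "critical",
                           "reason": f"org.delete on {ev.get('org')}"})
        elif ev.get("action") == "repo.destroy":
            ts = datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
            destroys[(ev["actor"], bool(ev.get("actor_is_bot")))].append(ts)
    for (actor, is_bot), times in destroys.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"actor": actor,
                               "severity": "medium" if is_bot else "high",
                               "reason": f"{end - start + 1} repo.destroy events within {window}"})
                break   # one alert per actor is enough for triage
    return alerts
```

Running `detect_mass_deletion(parse_log(SAMPLE_LOG))` on the sample yields a critical alert for the org.delete, a high alert for alice's three deletions and a medium alert for cleanup-bot; bob's single deletion stays below the threshold.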

Triage & Response

  • Examine the GitHub audit logs for {{@github.actor}} to identify the specific user that initiated the activity.
  • Verify if the user account associated with the deletion activity has legitimate administrative permissions and business justification for the destructive actions.
  • Review recent authentication patterns and access anomalies for the account to determine if it may have been compromised.
  • Check for any prior suspicious activities such as unusual data access, privilege escalation, or account modifications that could indicate compromise.