For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/default_rules/def-000-eg5.md. A documentation index is available at /llms.txt.

GitHub SSH certificate authority deleted

github-telemetry

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

Goal

Detect when a GitHub SSH certificate authority has been deleted.

Strategy

This rule monitors GitHub audit logs for when GitHub SSH certificate authority has been deleted. With an SSH certificate authority organization, an enterprise account can provide SSH certificates that members can use to access its resources with Git. Any deletions should be monitored and the change should be verified to ensure it is authorized.

Triage and response

  1. Determine if the change taken by {{@github.actor}} is authorized.
  2. If the change was not authorized or was unexpected, begin your organization’s incident response process and investigate.