GitHub SSH certificate authority deleted

github-telemetry

Classification:

attack

Goal

Detect when a GitHub SSH certificate authority has been deleted.

Strategy

This rule monitors GitHub audit logs for when GitHub SSH certificate authority has been deleted. With an SSH certificate authority organization, an enterprise account can provide SSH certificates that members can use to access its resources with Git. Any deletions should be monitored and the change should be verified to ensure it is authorized.

Triage and response

  1. Determine if the change taken by {{@github.actor}} is authorized.
  2. If the change was not authorized or was unexpected, begin your organization’s incident response process and investigate.