{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/audit/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Github"],"_cs_severities":["medium"],"_cs_tags":["github","audit","data-loss","impact"],"_cs_type":"advisory","_cs_vendors":["Github"],"content_html":"\u003cp\u003eThis detection strategy focuses on identifying potentially malicious or unauthorized deletion activities within a GitHub organization. The detections hinge on monitoring GitHub audit logs for specific actions related to the deletion of critical resources. This includes actions such as deleting codespaces (\u003ccode\u003ecodespaces.destroy\u003c/code\u003e), deleting environments (\u003ccode\u003eenvironment.delete\u003c/code\u003e), deleting projects (\u003ccode\u003eproject.delete\u003c/code\u003e), and destroying repositories (\u003ccode\u003erepo.destroy\u003c/code\u003e). This activity is important for defenders because these actions can lead to data loss, service disruption, or compromise of the software development lifecycle. The detections are triggered by events recorded within the GitHub audit log, requiring audit log streaming to be enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains unauthorized access to a GitHub account with sufficient privileges. This could be achieved through compromised credentials or insider access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Optional):\u003c/strong\u003e The attacker escalates privileges within the GitHub organization to gain the necessary permissions to delete resources if they don\u0026rsquo;t already have them.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker identifies valuable codespaces, environments, projects, or repositories within the GitHub organization that they intend to delete.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeletion of Codespaces:\u003c/strong\u003e The attacker executes the \u003ccode\u003ecodespaces.destroy\u003c/code\u003e action, deleting a specific codespace instance, potentially disrupting development workflows.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeletion of Environments:\u003c/strong\u003e The attacker executes the \u003ccode\u003eenvironment.delete\u003c/code\u003e action, removing a specific environment configuration, potentially affecting deployment processes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeletion of Projects:\u003c/strong\u003e The attacker executes the \u003ccode\u003eproject.delete\u003c/code\u003e action, deleting a project board and its associated tasks, impacting project management.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeletion of Repositories:\u003c/strong\u003e The attacker executes the \u003ccode\u003erepo.destroy\u003c/code\u003e action, permanently deleting a repository, leading to code loss and potential service disruption.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The deletion of critical resources disrupts development workflows, causes data loss, and potentially compromises the software development lifecycle.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of these actions can lead to significant disruption of software development workflows, data loss, and potential compromise of the software supply chain. The number of affected resources and the severity of the impact depend on the scope of the attacker\u0026rsquo;s access and the criticality of the deleted resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable GitHub audit log streaming to capture the necessary events for detection (reference: logsource definition).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect \u003ccode\u003ecodespaces.destroy\u003c/code\u003e, \u003ccode\u003eenvironment.delete\u003c/code\u003e, \u003ccode\u003eproject.delete\u003c/code\u003e, and \u003ccode\u003erepo.destroy\u003c/code\u003e actions in the GitHub audit logs, and tune for your environment (reference: rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule to determine the legitimacy of the deletion activity and the actor involved (reference: rules, falsepositives).\u003c/li\u003e\n\u003cli\u003eValidate the \u0026ldquo;actor\u0026rdquo; field in the audit logs to ensure the deletion activity is performed by an authorized user (reference: falsepositives).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T10:00:00Z","date_published":"2026-04-28T10:00:00Z","id":"/briefs/2026-04-github-delete-action/","summary":"This brief focuses on detecting deletion actions within GitHub audit logs, specifically targeting the deletion of codespaces, environments, projects, and repositories, potentially indicating malicious activity or insider threats.","title":"Detection of GitHub Delete Actions in Audit Logs","url":"https://feed.craftedsignal.io/briefs/2026-04-github-delete-action/"}],"language":"en","title":"CraftedSignal Threat Feed — Audit","version":"https://jsonfeed.org/version/1.1"}