Detectionmediumtest
Github Repository/Organization Transferred
Detects when a repository or an organization is being transferred to another location.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
githubaudit
Productgithub← raw: github
Serviceaudit← raw: audit
Definition
Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming
Detection Logic
Detection Logic1 selector
detection:
selection:
action:
- 'migration.create' # A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.
- 'org.transfer_outgoing' # An organization was transferred between enterprise accounts.
- 'org.transfer' # An organization was transferred between enterprise accounts.
- 'repo.transfer_outgoing' # A repository was transferred to another repository network.
condition: selectionFalse Positives
Allowed administrative activities.
MITRE ATT&CK
Rule Metadata
Rule ID
04ad83ef-1a37-4c10-b57a-81092164bf33
Status
test
Level
medium
Type
Detection
Created
Mon Jul 29
Author
Path
rules/application/github/audit/github_repo_or_org_transferred.yml
Raw Tags
attack.persistenceattack.exfiltrationattack.t1020attack.t1537