Detection · low · experimental

GitHub Repository Archive Status Changed

Detects when a GitHub repository is archived or unarchived, which may indicate unauthorized changes to repository status.

Author: Ivan Saakov · Created Sat Oct 18 · Rule ID dca8991c-cb16-4128-abf8-6b11e5cd156f · Category: application
Log Source
Product: github
Service: audit
Detection Logic (1 selector)
detection:
    selection:
        action:
            - 'repo.archived'
            - 'repo.unarchived'
    condition: selection
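The selector above is a single field with a list of values, which Sigma evaluates as an OR; with no other selectors the condition is just that match. As an added example (not part of the rule or the Phoenix Studio page), the following Python applies that logic to constructed newline-delimited JSON entries shaped like a GitHub audit log export (field names `action`, `actor`, `repo`, `@timestamp` are assumed) and returns the events a SOC would triage:

```python
import json

# The rule's selection, mirroring the YAML above: a list under one field is an
# OR of its values; separate fields in a selection are ANDed.
RULE_SELECTION = {"action": ["repo.archived", "repo.unarchived"]}


def sigma_selection_matches(event: dict, selection: dict) -> bool:
    """Minimal Sigma selection semantics: every field must match one listed value."""
    for field, expected in selection.items():
        values = expected if isinstance(expected, list) else [expected]
        if event.get(field) not in values:
            return False
    return True


def run_rule(audit_lines):
    """Apply the rule to NDJSON audit entries; returns the matching events' key fields."""
    hits = []
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line should not abort the whole batch
        if sigma_selection_matches(event, RULE_SELECTION):
            hits.append({"action": event["action"],
                         "actor": event.get("actor"),
                         "repo": event.get("repo")})
    return hits


# Constructed sample entries (not real GitHub data); the field names are an
# assumption based on the GitHub audit log export shape.
SAMPLE_AUDIT_LOG = """
{"action": "repo.create", "actor": "alice", "repo": "acme/api", "@timestamp": 1700000000000}
{"action": "repo.archived", "actor": "bob", "repo": "acme/legacy-sdk", "@timestamp": 1700000100000}
{"action": "git.push", "actor": "alice", "repo": "acme/api", "@timestamp": 1700000200000}
{"action": "repo.unarchived", "actor": "mallory", "repo": "acme/legacy-sdk", "@timestamp": 1700000300000}
not-json
"""

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"{hit['action']:16} {hit['repo']:18} by {hit['actor']}")
```

Each hit still needs the check the False Positives section calls for: confirm with the repository owner that the archive state change was authorized.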
False Positives

Archiving or unarchiving a repository is often legitimate. Investigate this action to determine if it was authorized.

Rule Metadata
Rule ID
dca8991c-cb16-4128-abf8-6b11e5cd156f
Status
experimental
Level
low
Type
Detection
Created
Sat Oct 18
Path
rules/application/github/audit/github_repository_archive_status_changed.yml
Raw Tags
attack.persistence, attack.defense-evasion, attack.impact