GitHub SSH certificate authority deleted

github-telemetry

Classification:

attack

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a GitHub SSH certificate authority has been deleted.

Strategy

This rule monitors GitHub audit logs for when GitHub SSH certificate authority has been deleted. With an SSH certificate authority organization, an enterprise account can provide SSH certificates that members can use to access its resources with Git. Any deletions should be monitored and the change should be verified to ensure it is authorized.

Triage and response

  1. Determine if the change taken by {{@github.actor}} is authorized.
  2. If the change was not authorized or was unexpected, begin your organization’s incident response process and investigate.
PREVIEWING: esther/docs-9518-update-example-control-sensitive-log-data