EXPLORE
Sign In
← Back to Explore
splunk_escuAnomaly

GitHub Enterprise Delete Branch Ruleset

The following analytic detects when branch rules are deleted in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for branch rule deletion events by tracking actor details, repository information, and associated metadata. For a SOC, identifying deleted branch rules is critical as it could indicate attempts to bypass code review requirements and security controls. Branch deletion rules are essential security controls that enforce code review, prevent force pushes, and maintain code quality. Disabling these protections could allow malicious actors to directly push unauthorized code changes or backdoors to protected branches. The impact of disabled branch protection includes potential code tampering, bypass of security reviews, introduction of vulnerabilities or malicious code, and compromise of software supply chain integrity. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting to inject malicious code.

MITRE ATT&CK

T1562.001T1195

Detection Query

`github_enterprise` action=repository_ruleset.destroy
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor, actor_id, actor_ip,
       actor_is_bot, actor_location.country_code, business,
       business_id, org, org_id,
       repo, repo_id, user_agent,
       action, ruleset_name
  | eval user=actor
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `github_enterprise_delete_branch_ruleset_filter`

Author

Patrick Bareiss, Splunk

Created

2026-03-10

Data Sources

GitHub Enterprise Audit Logs

References

Tags

GitHub Malicious ActivityNPM Supply Chain Compromise
Raw Content
name: GitHub Enterprise Delete Branch Ruleset
id: 6169ea23-3719-439f-957a-0ea5174b70e2
version: 6
date: '2026-03-10'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
description: The following analytic detects when branch rules are deleted in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for branch rule deletion events by tracking actor details, repository information, and associated metadata. For a SOC, identifying deleted branch rules is critical as it could indicate attempts to bypass code review requirements and security controls. Branch deletion rules are essential security controls that enforce code review, prevent force pushes, and maintain code quality. Disabling these protections could allow malicious actors to directly push unauthorized code changes or backdoors to protected branches. The impact of disabled branch protection includes potential code tampering, bypass of security reviews, introduction of vulnerabilities or malicious code, and compromise of software supply chain integrity. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting to inject malicious code.
data_source:
    - GitHub Enterprise Audit Logs
search: |-
    `github_enterprise` action=repository_ruleset.destroy
      | fillnull
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY actor, actor_id, actor_ip,
           actor_is_bot, actor_location.country_code, business,
           business_id, org, org_id,
           repo, repo_id, user_agent,
           action, ruleset_name
      | eval user=actor
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `github_enterprise_delete_branch_ruleset_filter`
how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
known_false_positives: No false positives have been identified at this time.
references:
    - https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: $user$ deleted a branch ruleset in repo $repo$
    risk_objects:
        - field: user
          type: user
          score: 20
    threat_objects:
        - field: user_agent
          type: http_user_agent
tags:
    analytic_story:
        - GitHub Malicious Activity
        - NPM Supply Chain Compromise
    asset_type: GitHub
    mitre_attack_id:
        - T1562.001
        - T1195
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_delete_branch_ruleset/github.json
          source: http:github
          sourcetype: httpevent