← Back to Explore
splunk_escuAnomaly
GitHub Enterprise Remove Organization
The following analytic detects when a user removes an organization from GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for organization deletion events, which could indicate unauthorized removal of critical business resources. For a SOC, identifying organization removals is crucial as it may signal account compromise, insider threats, or malicious attempts to disrupt business operations by deleting entire organizational structures. The impact could be severe, potentially resulting in loss of source code, repositories, team structures, access controls, and other critical organizational assets. This disruption could halt development workflows, cause data loss, and require significant effort to restore from backups if available. Additionally, unauthorized organization removal could be part of a larger attack campaign aimed at destroying or compromising enterprise assets.
Detection Query
`github_enterprise` action=business.remove_organization
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY actor, actor_id, actor_is_bot,
actor_location.country_code, business, business_id,
org, org_id, user_agent,
action
| eval user=actor
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_enterprise_remove_organization_filter`Author
Patrick Bareiss, Splunk
Data Sources
GitHub Enterprise Audit Logs
References
- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
Raw Content
name: GitHub Enterprise Remove Organization
id: 94cb89aa-aec1-4585-91b1-affcdacf357e
version: 7
creation_date: '2025-01-15'
modification_date: '2026-05-13'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
description: The following analytic detects when a user removes an organization from GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for organization deletion events, which could indicate unauthorized removal of critical business resources. For a SOC, identifying organization removals is crucial as it may signal account compromise, insider threats, or malicious attempts to disrupt business operations by deleting entire organizational structures. The impact could be severe, potentially resulting in loss of source code, repositories, team structures, access controls, and other critical organizational assets. This disruption could halt development workflows, cause data loss, and require significant effort to restore from backups if available. Additionally, unauthorized organization removal could be part of a larger attack campaign aimed at destroying or compromising enterprise assets.
data_source:
- GitHub Enterprise Audit Logs
search: |-
`github_enterprise` action=business.remove_organization
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY actor, actor_id, actor_is_bot,
actor_location.country_code, business, business_id,
org, org_id, user_agent,
action
| eval user=actor
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_enterprise_remove_organization_filter`
how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
known_false_positives: No false positives have been identified at this time.
references:
- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
drilldown_searches:
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
intermediate_findings:
entities:
- field: user
type: user
score: 20
message: $user$ removed an organization from GitHub Enterprise
threat_objects:
- field: user_agent
type: http_user_agent
analytic_story:
- GitHub Malicious Activity
asset_type: GitHub
mitre_attack_id:
- T1485
- T1195
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: cloud
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/github_remove_organization/github.json
source: http:github
sourcetype: httpevent
test_type: unit