
GitHub audit log stream destroyed or paused

ID: github_audit_log_stream_disabled
Data type: GitHub
Severity: Low - Medium
MITRE ATT&CK: TA0005 (Defense Evasion): T1562.001 (Impair Defenses: Disable or Modify Tools)

Description

AlphaSOC detected a change to a GitHub audit log stream configuration. Audit log streams forward GitHub audit events in near real time to an external SIEM or log management platform for monitoring, alerting and retention. An attacker who has obtained administrative access may modify the stream (for example, by pointing it at a different endpoint), pause it, or delete it so that subsequent actions are never forwarded to the security team. Note that GitHub keeps recording the events in its own audit log; what is lost is the delivery to the external platform, and therefore the detections built on it.

Impact

Modification of audit log streams can blind detection of malicious activity within the GitHub organization. While the stream is paused, deleted or redirected, actions such as cloning or downloading source code, exposing secrets, changing branch protection, or pushing modified code to repositories never reach the SIEM, so the alerts that depend on it do not fire. A stream that is redirected rather than destroyed has the additional effect of delivering the full audit trail to whoever controls the new endpoint.

Severity

Severity   Condition
Low        GitHub audit log stream modified
Medium     GitHub audit log stream destroyed or paused

Investigation and Remediation

Review the GitHub audit log directly in GitHub (the stream itself may no longer be delivering, so do not rely on the SIEM copy) for the streaming change and confirm with the enterprise owners whether it was a planned change, such as a SIEM migration or credential rotation. Note which account performed it: the actor may be a user, but it may also be a personal access token or an integration acting on a user's behalf.

If the change was not authorized, treat the account as compromised: reset its credentials, revoke its active sessions and tokens, and review its other recent audit log activity. Restore the original stream configuration and confirm that GitHub can reach the endpoint again; if the stream was modified rather than destroyed, inspect the endpoint it was pointed at and revoke any credentials that were exposed to it. Finally, retrieve the audit events for the window in which the stream was paused, destroyed or redirected from GitHub and review them for the activity the attacker was trying to hide, in particular repository cloning or downloads, secret access, and changes to repositories, branch protection or organization membership.
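As an added example, not part of the AlphaSOC rule or of GitHub's own tooling, the following Python script triages an exported JSON-lines GitHub audit log for this scenario. It assigns the rule's Low/Medium severities to streaming changes, flags actors that are not on an approved list, and reports the non-streaming events that occurred while the stream was paused or destroyed, which are exactly the events the SIEM never received. The audit_log_streaming.* action names are taken from memory of the GitHub audit log documentation and should be verified against real output; the sample log lines, actor names, enterprise and repository names are constructed for the example.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Set

# ASSUMPTION: action names of the GitHub audit_log_streaming category as
# remembered from the GitHub docs; confirm against a real audit log export.
SEVERITY_BY_ACTION = {
    "audit_log_streaming.update": "Low",      # stream modified (endpoint/credentials)
    "audit_log_streaming.pause": "Medium",    # stream paused
    "audit_log_streaming.destroy": "Medium",  # stream deleted
}
BLINDING_ACTIONS = {"audit_log_streaming.pause", "audit_log_streaming.destroy"}
RESTORE_ACTIONS = {"audit_log_streaming.create", "audit_log_streaming.resume"}

# Constructed sample of a JSON-lines audit log export (not real data).
SAMPLE_LOG = """
{"@timestamp": 1700000000000, "action": "audit_log_streaming.update", "actor": "sec-admin", "business": "example-enterprise"}
{"@timestamp": 1700003600000, "action": "repo.create", "actor": "dev1", "org": "example-org", "repo": "example-org/service-a"}
{"@timestamp": 1700007200000, "action": "audit_log_streaming.pause", "actor": "contractor-x", "business": "example-enterprise"}
{"@timestamp": 1700010800000, "action": "repo.download_zip", "actor": "contractor-x", "org": "example-org", "repo": "example-org/crown-jewels"}
{"@timestamp": 1700014400000, "action": "audit_log_streaming.destroy", "actor": "contractor-x", "business": "example-enterprise"}
"""


@dataclass
class StreamAlert:
    timestamp: int
    action: str
    severity: str
    actor: str
    authorized: bool  # True when the actor is on the approved list


def parse_events(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-lines audit log output, skipping blank or malformed lines,
    and return the events ordered by @timestamp."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated export line should not abort the triage
    return sorted(events, key=lambda e: e.get("@timestamp", 0))


def stream_alerts(events: List[dict], approved_actors: Set[str]) -> List[StreamAlert]:
    """Map every streaming change to the rule's severity and mark whether the
    actor is one of the accounts expected to manage the stream."""
    alerts = []
    for e in events:
        action = e.get("action", "")
        severity = SEVERITY_BY_ACTION.get(action)
        if severity is None:
            continue
        actor = e.get("actor", "<unknown>")
        alerts.append(StreamAlert(e.get("@timestamp", 0), action, severity,
                                  actor, actor in approved_actors))
    return alerts


def blind_spot_events(events: List[dict]) -> List[dict]:
    """Return the non-streaming events recorded by GitHub while the stream was
    paused or destroyed, i.e. the events that never reached the SIEM and must
    be reviewed from GitHub's own audit log."""
    blind = False
    missed = []
    for e in events:
        action = e.get("action", "")
        if action in BLINDING_ACTIONS:
            blind = True
        elif action in RESTORE_ACTIONS:
            blind = False
        elif blind and not action.startswith("audit_log_streaming."):
            missed.append(e)
    return missed


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    for a in stream_alerts(evs, approved_actors={"sec-admin"}):
        flag = "" if a.authorized else "  <-- actor not approved, investigate"
        print(f"{a.timestamp} {a.severity:6} {a.action:28} {a.actor}{flag}")
    for m in blind_spot_events(evs):
        print(f"missed by SIEM: {m['@timestamp']} {m['action']} by {m['actor']} "
              f"on {m.get('repo', m.get('org', '?'))}")
```

Run it against a real export by replacing SAMPLE_LOG with the lines of the JSON file exported from the enterprise audit log; the approved-actor set should hold the accounts that legitimately administer the stream so that routine credential rotations do not look like incidents.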