GitHub audit log stream destroyed or paused
Description
AlphaSOC detected modification of a GitHub audit log stream configuration. Audit log streams forward security events to external SIEM systems or log management platforms for monitoring and analysis. Threat actors may modify or disable these streams to prevent their malicious activities from being detected and investigated by security teams.
Impact
Modification of audit log streams can hinder detection of malicious activity within the GitHub organization. This could allow adversaries to perform unauthorized actions such as code theft, secret exposure, or modifications to repositories without triggering security alerts.
Severity
| Severity | Condition |
|---|---|
| Low | GitHub audit log stream modified |
| Medium | GitHub audit log stream destroyed or paused |
Investigation and Remediation
Review GitHub audit logs and verify whether the audit log stream modification was authorized. If unauthorized, identify the user who made the change, reset their credentials, and restore the original audit log stream configuration.
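As an added example (not part of the AlphaSOC rule or GitHub's tooling), the triage step above expressed as a small script: it applies the rule's severity table to a constructed NDJSON export of GitHub audit log events and flags stream changes made by actors outside an assumed approved list. The `audit_log_streaming.update` and `.destroy` action names are GitHub's; the `.pause` name and the actor allowlist are assumptions.

```python
import json
from collections import namedtuple

# Severity per the rule's table: modified stream = Low, destroyed or paused = Medium.
# update/destroy are GitHub audit_log_streaming action names; pause is assumed.
SEVERITY_BY_ACTION = {
    "audit_log_streaming.update": "Low",
    "audit_log_streaming.destroy": "Medium",
    "audit_log_streaming.pause": "Medium",
}

Finding = namedtuple("Finding", "actor action severity timestamp_ms authorized")

def parse_ndjson(text):
    """Parse an NDJSON audit log export (one JSON object per line)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def triage(events, authorized_actors):
    """Keep only audit-log-stream changes, rate them, flag unexpected actors."""
    findings = []
    for ev in events:
        severity = SEVERITY_BY_ACTION.get(ev.get("action"))
        if severity is None:
            continue  # unrelated event such as repo.create
        actor = ev.get("actor", "<unknown>")
        findings.append(Finding(actor, ev["action"], severity,
                                int(ev.get("@timestamp", 0)),
                                actor in authorized_actors))
    return findings

def alert_severity(findings):
    """Highest severity among unauthorized findings; None if all authorized."""
    unauthorized = [f for f in findings if not f.authorized]
    if not unauthorized:
        return None
    return "Medium" if any(f.severity == "Medium" for f in unauthorized) else "Low"

# Constructed sample export (not real data): approved reconfiguration, noise, then a destroy.
SAMPLE_LOG = """\
{"@timestamp": 1700000000000, "action": "audit_log_streaming.update", "actor": "siem-admin", "org": "example-org"}
{"@timestamp": 1700000300000, "action": "repo.create", "actor": "dev-alice", "org": "example-org"}
{"@timestamp": 1700000600000, "action": "audit_log_streaming.destroy", "actor": "contractor-bob", "org": "example-org"}
"""
AUTHORIZED_ACTORS = {"siem-admin"}  # assumed: accounts approved to change the stream

if __name__ == "__main__":
    findings = triage(parse_ndjson(SAMPLE_LOG), AUTHORIZED_ACTORS)
    for f in findings:
        print(f.severity, f.action, "by", f.actor, "" if f.authorized else "<-- investigate")
    print("alert severity:", alert_severity(findings))
```

An authorized change still yields a finding (so the record is reviewed), but only unauthorized ones raise the alert severity; the actor in those findings is the account whose credentials the remediation step says to reset.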