LoFP / archiving or unarchiving a repository is often legitimate. investigate this action to determine if it was authorized.

Techniques

Sample rules

GitHub Repository Archive Status Changed

• source: sigma
• technicques:

Description

Detects when a GitHub repository is archived or unarchived, which may indicate unauthorized changes to repository status.

Detection logic

condition: selection
selection:
  action:
  - repo.archived
  - repo.unarchived