Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/tailpipe-mod-github-security-log-detections
Overview
3Dashboards
14Benchmarks
20Queries
1Variables
GitHub

Detection: SSH Key Deleted

Overview

Detect when an SSH key is deleted from a GitHub account. While this may be part of normal key rotation or credential cleanup, attackers may delete trusted SSH keys to disrupt legitimate developer access or to evade detection by removing evidence of unauthorized credentials. Monitoring these events helps maintain visibility into credential changes and detect potential attempts at defense evasion.

References:

Usage

Run the detection in your terminal:

powerpipe detection run github_security_log_detections.detection.ssh_key_deleted

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run github_security_log_detections.detection.ssh_key_deleted --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
action as operation,
fingerprint as resource,
actor,
tp_source_ip as source_ip,
tp_id as source_id,
*
exclude (actor, timestamp)


from
  github_security_log
where
  action = 'public_key.delete'
order by
  tp_timestamp desc;

Tags

category = Detections
folder = SSH Key
mitre_attack_ids = TA0005:T1098
plugin = github
service = GitHub/SSH Key