GitLab successive project or repository downloads

This rule is part of a beta feature. To learn more, contact Support.

Set up the GitLab integration.


Goal

Detects when a GitLab user downloads multiple projects or repositories within a short time period. Bulk downloads of source code in rapid succession are a common precursor to data exfiltration.

Strategy

This rule monitors the project_export_file_download_started and repository_download_operation GitLab audit events. The detection groups these events by user ({{@usr.name}}) within a 5-minute evaluation window and triggers when the number of download events for a single user exceeds the rule's threshold.
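The grouping logic above, replayed over a few constructed GitLab audit events, as an added example that is not the rule's own implementation or code from GitLab or Datadog. The field names in the sample (author_name, event_name, entity_path, created_at) and the threshold value of 3 are assumptions; the page does not publish the threshold, and the integration normalizes the real fields into attributes such as @usr.name. The example counts monitored download events per user in a sliding 5-minute window, which is slightly stricter than a fixed evaluation window because a burst straddling a window boundary is still caught.

```python
"""Sliding-window detection of successive GitLab project/repository downloads.

Added example, not the detection rule's implementation. Field names in the
constructed audit events below are assumed; a real pipeline reads whatever the
GitLab integration normalizes (user into @usr.name, and so on).
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The two GitLab audit event names the rule monitors.
MONITORED_EVENTS = {
    "project_export_file_download_started",
    "repository_download_operation",
}

WINDOW = timedelta(minutes=5)
THRESHOLD = 3  # assumed value: the page does not publish the rule's threshold

# Constructed sample audit log (JSON lines), not real GitLab output.
# alice: four downloads in three minutes (plus one unrelated event).
# bob: four downloads spread twelve minutes apart. carol: only two downloads.
SAMPLE_LOG = """\
{"created_at": "2024-05-01T10:00:00Z", "author_name": "alice", "event_name": "repository_download_operation", "entity_path": "acme/payments"}
{"created_at": "2024-05-01T10:01:00Z", "author_name": "alice", "event_name": "project_export_file_download_started", "entity_path": "acme/ledger"}
{"created_at": "2024-05-01T10:01:30Z", "author_name": "alice", "event_name": "project_created", "entity_path": "acme/scratch"}
{"created_at": "2024-05-01T10:02:30Z", "author_name": "alice", "event_name": "project_export_file_download_started", "entity_path": "acme/payments"}
{"created_at": "2024-05-01T10:03:00Z", "author_name": "alice", "event_name": "repository_download_operation", "entity_path": "acme/secrets-vault"}
{"created_at": "2024-05-01T10:00:00Z", "author_name": "bob", "event_name": "repository_download_operation", "entity_path": "acme/payments"}
{"created_at": "2024-05-01T10:12:00Z", "author_name": "bob", "event_name": "repository_download_operation", "entity_path": "acme/ledger"}
{"created_at": "2024-05-01T10:24:00Z", "author_name": "bob", "event_name": "repository_download_operation", "entity_path": "acme/billing"}
{"created_at": "2024-05-01T10:36:00Z", "author_name": "bob", "event_name": "repository_download_operation", "entity_path": "acme/web"}
{"created_at": "2024-05-01T10:05:00Z", "author_name": "carol", "event_name": "repository_download_operation", "entity_path": "acme/web"}
{"created_at": "2024-05-01T10:06:00Z", "author_name": "carol", "event_name": "repository_download_operation", "entity_path": "acme/docs"}
"""


def parse_events(text):
    """Parse JSON lines into dicts, adding a timezone-aware datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["created_at"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def find_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: alert} for every user whose monitored download events
    exceed `threshold` inside some `window`-long span (sliding window per user).

    Non-monitored event names are ignored, events are processed in time order,
    and only one alert is emitted per user (the first time the threshold is
    exceeded), mirroring how a grouped detection fires once per group.
    """
    recent = defaultdict(deque)  # user -> deque of (ts, entity_path) in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_name"] not in MONITORED_EVENTS:
            continue
        user, ts = ev["author_name"], ev["ts"]
        q = recent[user]
        q.append((ts, ev["entity_path"]))
        # Drop events older than the window relative to the newest event.
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) > threshold and user not in alerts:
            paths = [p for _, p in q]
            alerts[user] = {
                "count": len(q),
                "distinct_projects": sorted(set(paths)),
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for user, alert in find_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: {alert['count']} downloads of "
              f"{len(alert['distinct_projects'])} projects between "
              f"{alert['first_seen']} and {alert['last_seen']}")
```

Only alice trips the threshold: bob's downloads never share a 5-minute window, and carol stays under the count. The distinct_projects list in the alert is what a responder needs first, since the sensitivity of what was pulled (not the raw count) decides how urgent the case is.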

Triage & Response

  • Verify whether {{@usr.name}} has a legitimate business need to download multiple projects or repositories in rapid succession (for example, a migration, a backup job, or an approved offboarding export).
  • Examine the specific projects and repositories downloaded to determine their sensitivity and business value.
  • Review the user’s recent access patterns and authentication logs (new source IPs, unusual hours, new or rarely used personal access tokens) to identify any signs of account compromise.
  • Investigate whether the downloaded content was subsequently transferred outside the organization through other channels, such as cloud storage, email, or removable media.