GitLab successive project or repository downloads

This rule is part of a beta feature. To learn more, contact Support.
gitlab

Classification:

attack

Tactic:

TA0010-exfiltration

Technique:

T1567-exfiltration-over-web-service

Set up the gitlab integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Goal

Detects when a GitLab user downloads multiple projects or repositories within a short time period. Such activity may indicate a data exfiltration attempt.

Strategy

This rule monitors the project_export_file_download_started and repository_download_operation GitLab audit events. The detection groups events by user within a 5-minute evaluation window and triggers when a user exceeds the download thresholds.

Triage & Response

  • Verify if {{@usr.name}} has a legitimate business need to download multiple projects or repositories in rapid succession.
  • Examine the specific projects and repositories downloaded to determine their sensitivity and business value.
  • Review the user’s recent access patterns and authentication logs to identify any signs of account compromise.
  • Investigate whether the downloaded content was subsequently transferred outside the organization through other channels.