GitLab successive project or repository downloads

This rule is part of a beta feature. To learn more, contact Support.
gitlab

Classification:

attack

Tactic:

TA0010-exfiltration

Technique:

T1567-exfiltration-over-web-service

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detects when a GitLab user downloads multiple projects or repositories within a short time period. Such activity may indicate a data exfiltration attempt.

Strategy

This rule monitors the project_export_file_download_started and repository_download_operation GitLab audit events. The detection groups events by user within a 5-minute evaluation window and triggers when a user exceeds the download thresholds.

Triage & Response

  • Verify if {{@usr.name}} has a legitimate business need to download multiple projects or repositories in rapid succession.
  • Examine the specific projects and repositories downloaded to determine their sensitivity and business value.
  • Review the user’s recent access patterns and authentication logs to identify any signs of account compromise.
  • Investigate whether the downloaded content was subsequently transferred outside the organization through other channels.