Classification:

attack

Tactic:

TA0010-exfiltration

Technique:

T1567-exfiltration-over-web-service

VIEW RULE IN DATADOG VIEW SIGNALS

Set up the gitlab integration.

Goal

Detects when a GitLab user downloads multiple projects or repositories within a short time period. Such activity may indicate a data exfiltration attempt.

Strategy

This rule monitors the project_export_file_download_started and repository_download_operation GitLab audit events. The detection groups events by user within a 5-minute evaluation window and triggers when a user exceeds the download thresholds.

Triage & Response

• Verify if {{@usr.name}} has a legitimate business need to download multiple projects or repositories in rapid succession.
• Examine the specific projects and repositories downloaded to determine their sensitivity and business value.
• Review the user’s recent access patterns and authentication logs to identify any signs of account compromise.
• Investigate whether the downloaded content was subsequently transferred outside the organization through other channels.