---
title: GitHub user anomalously downloaded data as a ZIP file
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > GitHub user anomalously downloaded data
  as a ZIP file
---

# GitHub user anomalously downloaded data as a ZIP file

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}
Classification: attack. Tactic: [TA0009-collection](https://attack.mitre.org/tactics/TA0009). Technique: [T1213-data-from-information-repositories](https://attack.mitre.org/techniques/T1213).
## Goal{% #goal %}

Detect and respond to unusual or unauthorized downloads of repository data in ZIP format by a GitHub user.

## Strategy{% #strategy %}

This detection triggers when a user downloads repository data as a ZIP file under circumstances that are inconsistent with that user's normal behavior (for example an unusual location, client, repository, or volume of downloads), suggesting possible data exfiltration. A ZIP archive download pulls the full working tree of a branch in one request, so a single event can move an entire codebase out of the organization.

## Triage & Response{% #triage--response %}

1. Identify the user and context of the download:
   - Review GitHub audit logs for the user involved in the ZIP file download.
   - Examine relevant fields such as:
     - `@actor` – who performed the download.
     - `@repository` – which repository's data was downloaded.
     - `@timestamp` – when the download occurred.
   - Determine whether the download is consistent with the user's regular role and access to the repository.
2. Analyze for anomalies:
   - Verify the location and device used:
     - Is the `@actor_location.country_code` or `@network.client.ip` from an unusual or unexpected location?
     - Does the `@http.useragent` match the user's typical device or browser? A scripted client (for example a generic HTTP library user agent) where a browser is normally seen deserves extra scrutiny.
3. Check access history:
   - Review previous actions by the same user in the last 30-60 days. Have there been prior similar downloads or other anomalies, such as increased access or changes in permissions?
4. Repository sensitivity:
   - Assess the sensitivity or classification of the data within the repository. Does it contain proprietary, sensitive, or confidential information (for example credentials, customer data, or unreleased product code)?
5. Incident investigation:
   - Contact the user to verify whether the download was legitimate. Use caution, as the account may be compromised: use an out-of-band channel (for example a phone call or a separate corporate chat) rather than the email or GitHub account under investigation.
   - If the download appears unauthorized or cannot be verified, temporarily restrict the user's access to prevent further downloads or actions on GitHub (see GitHub's instructions for managing access).
6. Investigate further:
   - Review other actions taken by the user for additional suspicious behavior, such as pull requests, repository clones, or large file downloads.
   - Check for potential compromise:
     - Look for signs of account takeover, such as changes to the user's profile, email, or login credentials.
     - Review access logs for unusual or failed login attempts prior to the ZIP download.
     - Cross-reference with other detections: check for related security events, such as anomalous login alerts or unauthorized repository access.
7. If unauthorized activity is confirmed:
   - Revoke the user's access to the repository and reset credentials or tokens used by the user.
   - Audit repository access to ensure no other unauthorized users or malicious activity is present.
   - Begin the incident response plan for further actions.
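As an added example (this is not Datadog's detection logic or GitHub's own code), the following Python script applies the triage checks above to GitHub audit-log events: it builds a per-actor baseline (countries, user agents, repositories) from the previous 60 days and flags later `repo.download_zip` events that come from a new country or client, target a repository the actor never touched, or arrive in a burst. Field names follow GitHub's raw audit-log export (`actor`, `repo`, `action`, `actor_ip`, `user_agent`, `actor_location.country_code`) rather than the Datadog-normalized attributes listed above; the sample events, the burst thresholds, and the `triage_zip_downloads` function are constructed for illustration.

```python
"""Triage helper for GitHub 'repo.download_zip' audit-log events.

Added example, not Datadog's or GitHub's code. Builds a per-actor baseline
from earlier audit events and flags later ZIP downloads that deviate from it.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ZIP_ACTION = "repo.download_zip"   # GitHub audit-log action for ZIP archive downloads
LOOKBACK = timedelta(days=60)      # baseline window (assumption, matches the 30-60 day guidance)
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 3                # >= this many ZIP downloads in BURST_WINDOW is a burst


def ev(ts, action, actor, repo, ip, cc, ua):
    """Build one audit-log-shaped event (constructed sample data, not real logs)."""
    return {"@timestamp": ts, "action": action, "actor": actor, "repo": repo,
            "actor_ip": ip, "actor_location": {"country_code": cc}, "user_agent": ua}


MAC_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Chrome/124.0"
LINUX_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"

# Constructed sample events. alice's history is browser traffic from the US against
# one repo; on 2024-06-10 her account pulls three ZIP archives from a new country
# with a scripted client inside ten minutes. bob's download matches his baseline.
SAMPLE_EVENTS = [
    ev("2024-05-01T09:12:00Z", "git.clone", "alice", "acme/payments-api", "203.0.113.10", "US", "git/2.43.0"),
    ev("2024-05-03T10:00:00Z", ZIP_ACTION, "alice", "acme/payments-api", "203.0.113.10", "US", MAC_UA),
    ev("2024-05-20T14:30:00Z", "pull_request.create", "alice", "acme/payments-api", "203.0.113.10", "US", MAC_UA),
    ev("2024-05-15T08:00:00Z", "git.clone", "bob", "acme/docs", "203.0.113.20", "DE", LINUX_UA),
    ev("2024-06-10T02:01:00Z", ZIP_ACTION, "alice", "acme/payments-api", "198.51.100.77", "RO", "python-requests/2.31.0"),
    ev("2024-06-10T02:04:00Z", ZIP_ACTION, "alice", "acme/internal-secrets-tooling", "198.51.100.77", "RO", "python-requests/2.31.0"),
    ev("2024-06-10T02:09:00Z", ZIP_ACTION, "alice", "acme/hr-exports", "198.51.100.77", "RO", "python-requests/2.31.0"),
    ev("2024-06-10T11:00:00Z", ZIP_ACTION, "bob", "acme/docs", "203.0.113.20", "DE", LINUX_UA),
]

INVESTIGATION_START = datetime(2024, 6, 10, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baselines(events, before):
    """Per-actor profile from events older than `before` but within LOOKBACK."""
    baseline = defaultdict(lambda: {"countries": set(), "user_agents": set(), "repos": set()})
    for e in events:
        ts = parse_ts(e["@timestamp"])
        if not (before - LOOKBACK <= ts < before):
            continue
        b = baseline[e["actor"]]
        b["countries"].add(e["actor_location"]["country_code"])
        b["user_agents"].add(e["user_agent"])
        b["repos"].add(e["repo"])
    return baseline


def triage_zip_downloads(events, since):
    """Return ZIP downloads at/after `since` that deviate from the actor's baseline.

    Each finding lists the reasons it was flagged. Actors with no history in the
    lookback window are flagged as 'no_baseline' rather than judged against nothing.
    """
    events = sorted(events, key=lambda e: parse_ts(e["@timestamp"]))
    baseline = build_baselines(events, before=since)
    recent_zip_ts = defaultdict(list)  # actor -> timestamps of ZIP downloads seen so far
    findings = []
    for e in events:
        ts = parse_ts(e["@timestamp"])
        if ts < since or e["action"] != ZIP_ACTION:
            continue
        actor = e["actor"]
        recent_zip_ts[actor].append(ts)
        reasons = []
        b = baseline.get(actor)  # .get() does not create a default entry
        if b is None:
            reasons.append("no_baseline")
        else:
            if e["actor_location"]["country_code"] not in b["countries"]:
                reasons.append("new_country")
            if e["user_agent"] not in b["user_agents"]:
                reasons.append("new_user_agent")
            if e["repo"] not in b["repos"]:
                reasons.append("unknown_repo")
        in_window = [t for t in recent_zip_ts[actor] if ts - t <= BURST_WINDOW]
        if len(in_window) >= BURST_THRESHOLD:
            reasons.append("burst")
        if reasons:
            findings.append({"actor": actor, "repo": e["repo"], "ip": e["actor_ip"],
                             "timestamp": e["@timestamp"], "reasons": reasons})
    return findings


def run_example():
    """Run the triage over the constructed sample events."""
    return triage_zip_downloads(SAMPLE_EVENTS, INVESTIGATION_START)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['timestamp']} {f['actor']:6} {f['repo']:32} {f['ip']:15} {', '.join(f['reasons'])}")
```

Against the sample data, bob's download is silent and alice's three downloads are flagged with an increasing set of reasons; the third carries `burst` as well. A real run would export the audit log (or query the corresponding Datadog attributes) for the actor's last 60 days and feed those events in place of `SAMPLE_EVENTS`; the thresholds are a starting point and should be tuned to the organization's normal download volume.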
