GitHub user anomalously downloaded data as a ZIP file

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect and respond to unusual or unauthorized downloads of repository data in ZIP format by a GitHub user.

Strategy

This detection triggers when a user downloads repository data as a ZIP file under circumstances that are inconsistent with normal behavior, suggesting possible data exfiltration.

Triage & Response

  1. Identify the user and context of the download:
  • Review GitHub audit logs for the user involved in the ZIP file download.
  • Examine relevant fields such as:
    • @actor – Who performed the download.
    • @repository – Which repository’s data was downloaded.
    • @timestamp – When the download occurred.
  • Determine if this is consistent with the user’s regular role or access to the repository.
  1. Analyze for anomalies:
  • Verify the location and device used:
    • Is the @actor_location.country_code or @network.client.ip from an unusual or unexpected location?
    • Does the @http.useragent match the user’s typical device/browser?
  1. Check access history:
  • Review previous actions by the same user in the last 30-60 days. Have there been any prior similar downloads or other anomalies, such as increased access or changes in permissions?
  1. Repository sensitivity:
  • Assess the sensitivity or classification of the data within the repository. Does it contain proprietary, sensitive, or confidential information?
  1. Incident investigation:
  • Contact the user to verify if the download was legitimate. Use caution, as the account may be compromised. Ensure the communication method is secure.
  • If the download appears unauthorized or cannot be verified, temporarily restrict the user’s access to prevent further downloads or actions on GitHub. Instructions for managing access. Investigate further:
  • Review other actions taken by the user to look for additional suspicious behavior, such as pull requests, branch cloning, or large file downloads.
  • Check for potential compromise:
    • Look for signs of account takeover, such as changes to the user’s profile, email, or login credentials.
    • Review access logs for any unusual or failed login attempts prior to the ZIP download.
    • Cross-reference with other detections: Check if there are related security events, such as anomalous login alerts or unauthorized repository access.
  1. If unauthorized activity is confirmed:
  • Revoke user access to the repository and reset credentials or tokens used by the user.
  • Audit repository access to ensure no other unauthorized users or malicious activity is present.
  • Begin incident response plan for further actions.