GitHub user anomalously downloaded data as a ZIP file

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect and respond to unusual or unauthorized downloads of repository data in ZIP format by a GitHub user.

Strategy

This detection triggers when a user downloads repository data as a ZIP file under circumstances that are inconsistent with normal behavior, suggesting possible data exfiltration.

Triage & Response

  1. Identify the user and context of the download:
  • Review GitHub audit logs for the user involved in the ZIP file download.
  • Examine relevant fields such as:
    • @actor – Who performed the download.
    • @repository – Which repository’s data was downloaded.
    • @timestamp – When the download occurred.
  • Determine whether the download is consistent with the user’s regular role and access to the repository.
  2. Analyze for anomalies:
  • Verify the location and device used:
    • Is the @actor_location.country_code or @network.client.ip from an unusual or unexpected location?
    • Does the @http.useragent match the user’s typical device or browser?
  3. Check access history:
  • Review previous actions by the same user in the last 30-60 days. Have there been prior similar downloads or other anomalies, such as increased access or changes in permissions?
  4. Repository sensitivity:
  • Assess the sensitivity or classification of the data within the repository. Does it contain proprietary, sensitive, or confidential information?
  5. Incident investigation:
  • Contact the user to verify whether the download was legitimate. Use caution, as the account may be compromised, and make sure the communication channel is secure.
  • If the download appears unauthorized or cannot be verified, temporarily restrict the user’s access to prevent further downloads or actions on GitHub (see GitHub’s instructions for managing access). Then investigate further:
    • Review other actions taken by the user for additional suspicious behavior, such as pull requests, branch cloning, or large file downloads.
    • Check for potential compromise:
      • Look for signs of account takeover, such as changes to the user’s profile, email, or login credentials.
      • Review access logs for unusual or failed login attempts prior to the ZIP download.
      • Cross-reference with other detections: check for related security events, such as anomalous login alerts or unauthorized repository access.
  6. If unauthorized activity is confirmed:
  • Revoke the user’s access to the repository and reset any credentials or tokens used by the user.
  • Audit repository access to ensure no other unauthorized users or malicious activity is present.
  • Begin the incident response plan for further actions.
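The following script is an added example, not Datadog's or GitHub's own tooling, that turns steps 1 to 3 of the triage above into repeatable checks: it builds a 30-60 day baseline of the actor's countries, client IPs and user agents from audit events, counts prior ZIP downloads and failed logins shortly before the alert, and returns a recommendation in line with step 5 (verify with the user, or restrict access first). It assumes audit events have been flattened into dicts keyed by the attribute names the rule references; the action names `repo.download_zip` and `user.failed_login`, the sample events, and the `triage_zip_download` helper are all constructed for this example.

```python
"""Triage helper for a 'GitHub user downloaded repository data as a ZIP' alert.

Added example, not Datadog's or GitHub's own tooling. It assumes GitHub audit
events have been flattened into dicts keyed by the attribute names the rule
references (actor, repository, timestamp, actor_location.country_code,
network.client.ip, http.useragent). The two action names below are assumed for
this example and should be checked against your own audit log schema.
"""
from datetime import datetime, timedelta

ZIP_DOWNLOAD_ACTION = "repo.download_zip"   # assumed action name
FAILED_LOGIN_ACTION = "user.failed_login"   # assumed action name

CHROME = "Mozilla/5.0 (Macintosh) Chrome/122"
FIREFOX = "Mozilla/5.0 (Windows NT 10.0) Firefox/124"


def _ev(action, actor, repo, ts, country, ip, ua):
    return {"action": action, "actor": actor, "repository": repo, "timestamp": ts,
            "actor_location.country_code": country, "network.client.ip": ip,
            "http.useragent": ua}


# Constructed sample audit events (not real log data).
SAMPLE_EVENTS = [
    _ev("git.push", "jdoe", "acme/billing-service", "2024-03-01T14:02:00Z", "US", "203.0.113.10", CHROME),
    _ev("git.push", "jdoe", "acme/billing-service", "2024-03-20T09:30:00Z", "US", "203.0.113.10", CHROME),
    # Older than the 60-day window, so it must not count as a prior download.
    _ev(ZIP_DOWNLOAD_ACTION, "jdoe", "acme/billing-service", "2024-01-05T09:30:00Z", "US", "203.0.113.10", CHROME),
    # Two failed logins shortly before the download, from the IP that then downloads.
    _ev(FAILED_LOGIN_ACTION, "jdoe", None, "2024-04-01T02:10:00Z", "RU", "198.51.100.7", "curl/8.4.0"),
    _ev(FAILED_LOGIN_ACTION, "jdoe", None, "2024-04-01T02:12:00Z", "RU", "198.51.100.7", "curl/8.4.0"),
    # The event that fired the detection.
    _ev(ZIP_DOWNLOAD_ACTION, "jdoe", "acme/billing-service", "2024-04-01T03:15:00Z", "RU", "198.51.100.7", "curl/8.4.0"),
    # A download by another user from her usual location and browser.
    _ev("git.push", "asmith", "acme/docs", "2024-03-15T10:00:00Z", "US", "203.0.113.22", FIREFOX),
    _ev(ZIP_DOWNLOAD_ACTION, "asmith", "acme/docs", "2024-04-01T11:00:00Z", "US", "203.0.113.22", FIREFOX),
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-04-01T03:15:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def latest_zip_download(events, actor):
    """Return the most recent ZIP download event for the actor, or None."""
    hits = [e for e in events if e["actor"] == actor and e["action"] == ZIP_DOWNLOAD_ACTION]
    return max(hits, key=lambda e: parse_ts(e["timestamp"])) if hits else None


def actor_baseline(events, actor, alert_ts, days=60):
    """Summarize the actor's activity in the `days` before the alert (step 3 of the triage).

    Failed logins are counted separately and kept out of the location/device
    baseline: they say nothing about where the legitimate user works from.
    """
    start = alert_ts - timedelta(days=days)
    base = {"countries": set(), "ips": set(), "useragents": set(),
            "prior_zip_downloads": 0, "failed_logins_24h": 0}
    for e in events:
        if e["actor"] != actor:
            continue
        ts = parse_ts(e["timestamp"])
        if not (start <= ts < alert_ts):   # strict '<' excludes the alert event itself
            continue
        if e["action"] == FAILED_LOGIN_ACTION:
            if alert_ts - ts <= timedelta(hours=24):
                base["failed_logins_24h"] += 1
            continue
        base["countries"].add(e["actor_location.country_code"])
        base["ips"].add(e["network.client.ip"])
        base["useragents"].add(e["http.useragent"])
        if e["action"] == ZIP_DOWNLOAD_ACTION:
            base["prior_zip_downloads"] += 1
    return base


def triage_zip_download(events, alert, baseline_days=60):
    """Apply the anomaly checks from steps 1-3 and return findings plus a recommended next step."""
    alert_ts = parse_ts(alert["timestamp"])
    base = actor_baseline(events, alert["actor"], alert_ts, baseline_days)
    findings = []
    if not base["ips"]:
        findings.append("no_baseline_activity")   # no recent history to compare against
    if alert["actor_location.country_code"] not in base["countries"]:
        findings.append("new_country")
    if alert["network.client.ip"] not in base["ips"]:
        findings.append("new_client_ip")
    if alert["http.useragent"] not in base["useragents"]:
        findings.append("new_user_agent")
    if base["failed_logins_24h"]:
        findings.append("failed_logins_before_download")
    # A new location plus a new device, or failed logins just before the download,
    # are treated as account-compromise indicators: restrict first, then verify.
    compromise_signals = {"new_country", "new_user_agent", "failed_logins_before_download"}
    if base["failed_logins_24h"] or len(compromise_signals & set(findings)) >= 2:
        recommendation = "restrict_access_and_investigate"
    else:
        recommendation = "verify_with_user"
    return {"actor": alert["actor"], "repository": alert["repository"],
            "timestamp": alert["timestamp"], "findings": findings,
            "prior_zip_downloads": base["prior_zip_downloads"],
            "failed_logins_24h": base["failed_logins_24h"],
            "recommendation": recommendation}


if __name__ == "__main__":
    import json
    for actor in ("jdoe", "asmith"):
        alert = latest_zip_download(SAMPLE_EVENTS, actor)
        print(json.dumps(triage_zip_download(SAMPLE_EVENTS, alert), indent=2))
```

In the constructed sample, the `jdoe` download comes from a new country, a new client IP and a new user agent, preceded by two failed logins, so the helper recommends restricting access before contacting the user; the `asmith` download matches her recent baseline and only warrants verification with the user. Failed-login events are deliberately excluded from the baseline so that an attacker's own attempts cannot make their later location look "known".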