Anomalous or bulk download activity from private or restricted repositories by non-developer or privileged accounts, often preceded by unusual login behavior (e.g., an unfamiliar geo, use of a newly authorized OAuth token, or an elevated API request rate).
| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Metadata (DC0070) | saas:github | repo.download, repo.clone, oauth.authorize, repo.getContent |
| Logon Session Creation (DC0067) | saas:github | Login from unusual IP, device fingerprint, or location; access token creation from new client |
| Application Log Content (DC0038) | saas:github | Bulk access to multiple files or large volume of repo requests within short time window |

| Field | Description |
|---|---|
| TimeWindow | Number of distinct repositories (or files) accessed within a short interval before the activity counts as bulk (e.g., 10+ repos accessed in <5 min) |
| UserContext | Role or permission profile expected to interact with repositories (e.g., developers vs. admins or service accounts) |
| GeoAnomalyThreshold | Distance from, or deviation from, the account's baseline login locations allowed before a login is flagged as anomalous |
| RepoSensitivityTag | Whether a repository is labeled sensitive or restricted, which raises the priority of any bulk access to it |
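As an added example (not part of the original strategy and not a GitHub-provided schema), the following Python runs this detection over a handful of constructed audit events and applies the four tunables above: a sliding TimeWindow over distinct repositories, a role check for UserContext, a per-user country baseline standing in for GeoAnomalyThreshold, and a RepoSensitivityTag lookup. The action strings, field names, roles, baselines and sample events are all assumptions made for illustration.

```python
"""Bulk repository-access detector over constructed GitHub-style audit events.

Added example: the action names (repo.clone, repo.download, repo.getContent,
oauth.authorize), the field layout and the sample data are assumptions made
for illustration; they are not a real GitHub audit log schema."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables corresponding to the fields in the table above (values assumed).
TIME_WINDOW = timedelta(minutes=5)      # TimeWindow
REPO_THRESHOLD = 10                     # distinct repos within TIME_WINDOW
EXPECTED_REPO_ROLES = {"developer"}     # UserContext: roles expected to read repos
USER_ROLES = {"alice": "developer", "bob": "admin", "svc-deploy": "service"}
GEO_BASELINE = {"alice": {"US"}, "bob": {"US", "CA"}, "svc-deploy": {"US"}}  # GeoAnomalyThreshold, by country
REPO_SENSITIVITY = {"acme/payments-core": "restricted", "acme/hr-exports": "restricted"}  # RepoSensitivityTag
ACCESS_ACTIONS = {"repo.download", "repo.clone", "repo.getContent"}


def _make_events():
    """Constructed sample: alice reads two repos 20 minutes apart (benign);
    bob, an admin, authorizes an OAuth app from an unfamiliar country and then
    clones 12 repos in under three minutes, one of them restricted."""
    t0 = datetime(2024, 3, 1, 2, 0, 0)
    events = [
        {"ts": t0, "actor": "alice", "action": "repo.clone", "repo": "acme/web", "country": "US"},
        {"ts": t0 + timedelta(minutes=20), "actor": "alice", "action": "repo.getContent", "repo": "acme/api", "country": "US"},
        {"ts": t0 + timedelta(minutes=1), "actor": "bob", "action": "oauth.authorize", "repo": None, "country": "RO"},
    ]
    repos = ["acme/payments-core"] + [f"acme/svc-{i}" for i in range(11)]
    for i, repo in enumerate(repos):
        events.append({"ts": t0 + timedelta(minutes=2, seconds=15 * i), "actor": "bob",
                       "action": "repo.clone", "repo": repo, "country": "RO"})
    return events


SAMPLE_EVENTS = _make_events()


def detect(events, window=TIME_WINDOW, threshold=REPO_THRESHOLD):
    """Return one alert per actor whose distinct-repository access count inside
    `window` reaches `threshold`. Unusual geo and OAuth grants seen earlier for
    the same actor, the actor's role and any restricted repos raise severity."""
    recent = defaultdict(deque)   # actor -> (ts, repo) pairs still inside the window
    precursors = defaultdict(set)
    alerts = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        actor = e["actor"]
        if e["country"] not in GEO_BASELINE.get(actor, set()):
            precursors[actor].add(f"unusual geo: {e['country']}")
        if e["action"] == "oauth.authorize":
            precursors[actor].add("new OAuth token authorized")
        if e["action"] not in ACCESS_ACTIONS:
            continue
        q = recent[actor]
        q.append((e["ts"], e["repo"]))
        while e["ts"] - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = {repo for _, repo in q}
        if len(distinct) < threshold:
            continue
        role = USER_ROLES.get(actor, "unknown")
        sensitive = sorted(r for r in distinct if r in REPO_SENSITIVITY)
        score = 1 + (role not in EXPECTED_REPO_ROLES) + bool(sensitive) + len(precursors[actor])
        alert = alerts.setdefault(actor, {"actor": actor, "first_seen": q[0][0]})
        alert.update({
            "last_seen": e["ts"], "distinct_repos": len(distinct), "role": role,
            "sensitive_repos": sensitive, "precursors": sorted(precursors[actor]),
            "severity": "high" if score >= 4 else "medium" if score >= 2 else "low",
        })
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The window is keyed on distinct repositories rather than raw request count so that a developer re-fetching one repo many times does not trip it, while the geo and OAuth signals are kept as severity context rather than alert conditions on their own; the action strings mirror the channel labels in the table above, so when wiring this to a real tenant map the provider's actual event names onto them at ingestion.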