Processes such as PowerShell, Git, or curl initiating outbound HTTPS POST requests to known code repository APIs (e.g., github.com, gitlab.com) immediately following large file reads. Defender view: correlation between file access of sensitive directories (e.g., Documents, Finance) and abnormal data uploads to repository domains.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | WinEventLog:Security | EventCode=4663 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| MonitoredDomains | List of external code repository domains to monitor (github.com, gitlab.com, bitbucket.org). |
| ExfilVolumeThreshold | Threshold for outbound data volume per session to flag suspicious uploads. |
Processes like git, curl, or python scripts executing commands that package files (tar, gzip) followed by HTTPS uploads to code repository endpoints. Defender view: detect unusual git push activity or scripted HTTPS requests outside normal developer work hours.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:EXECVE | git push, curl -X POST |
| File Access (DC0055) | auditd:SYSCALL | open/read of sensitive directories |
| Network Traffic Flow (DC0078) | NSM:Flow | large outbound HTTPS uploads to repo domains |

| Field | Description |
|---|---|
| WorkHours | Baseline normal developer activity periods to reduce false positives. |
| RepoDomainList | Known allowed internal or external repository domains. |
Office or scripting applications initiating unusual HTTPS traffic to code repository APIs with high outbound-to-inbound ratios. Defender perspective: monitor for sensitive file access in combination with network connections to github.com, gitlab.com, or bitbucket.org.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | execution of curl, git, or Office processes with network connections |
| File Access (DC0055) | macos:unifiedlog | read of user document directories |
| Network Traffic Content (DC0085) | macos:unifiedlog | outbound HTTPS connections to code repository APIs |

| Field | Description |
|---|---|
| MonitoredApplications | Applications not expected to upload large data sets to repos (Word, Excel, Preview). |
ESXi host processes (vmx, hostd) initiating HTTPS sessions toward external code repositories. Defender perspective: detect datastore reads followed by outbound web traffic inconsistent with administrative baselines.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | esxi:hostd | datastore file access |
| Network Traffic Flow (DC0078) | esxi:vmkernel | HTTPS traffic to repository domains |

| Field | Description |
|---|---|
| DatastoreTransferThreshold | Amount of data moved from datastore to external services before raising alert. |
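The Windows, Linux, macOS and ESXi entries above all describe the same correlation: a read from a sensitive location, followed shortly afterwards by the same process sending data to a monitored repository domain, flagged when the upload is abnormal (volume above a threshold, outside the work-hours baseline, or from an application that has no business pushing to a repository). The following Python is an added illustration of that logic over constructed events; it is not code from the page or from ATT&CK. The `Event` record, the directory list treated as sensitive, the correlation window and the threshold values are all assumptions, and the byte count on a connection record is assumed to have been joined in from flow data, since Sysmon EventCode 3 does not carry byte counts.

```python
# Added example (not from the page): a minimal correlation routine applying the
# detection logic described above to constructed events. Upper-case names mirror
# the tunable fields in the page's tables; the values given here are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta

MONITORED_DOMAINS = {"github.com", "gitlab.com", "bitbucket.org"}  # MonitoredDomains / RepoDomainList
EXFIL_VOLUME_THRESHOLD = 5_000_000        # ExfilVolumeThreshold, bytes per session (assumed value)
WORK_HOURS = (8, 18)                      # WorkHours: 08:00-18:00 local is the baseline (assumed)
MONITORED_APPLICATIONS = {"winword.exe", "excel.exe", "preview"}  # MonitoredApplications
SENSITIVE_DIRS = ("\\documents\\", "\\finance\\", "/documents/")  # assumed sensitive locations
CORRELATION_WINDOW = timedelta(minutes=10)  # max gap between the read and the upload (assumed)


@dataclass
class Event:
    """One normalised log record (assumed schema).

    kind is "file_access" (Security 4663 / auditd SYSCALL / unifiedlog read) or
    "net_conn" (Sysmon 3 / NSM:Flow / unifiedlog connection). bytes_out applies
    only to net_conn and is assumed to come from flow data.
    """
    ts: datetime
    kind: str
    pid: int
    image: str
    path: str = ""
    dest: str = ""
    bytes_out: int = 0


@dataclass
class Alert:
    pid: int
    image: str
    dest: str
    bytes_out: int
    reasons: tuple


def correlate(events):
    """Alert on each upload to a monitored repo domain that follows a sensitive
    read by the same process within CORRELATION_WINDOW and shows at least one
    abnormality signal (volume, off-hours, or an unexpected application)."""
    recent_reads = {}  # pid -> timestamps of sensitive-directory reads
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "file_access":
            if any(d in ev.path.lower() for d in SENSITIVE_DIRS):
                recent_reads.setdefault(ev.pid, []).append(ev.ts)
            continue
        if ev.kind != "net_conn" or ev.dest.lower() not in MONITORED_DOMAINS:
            continue
        reads = [t for t in recent_reads.get(ev.pid, [])
                 if timedelta(0) <= ev.ts - t <= CORRELATION_WINDOW]
        if not reads:
            continue  # repo traffic with no preceding sensitive read: normal developer activity
        reasons = []
        if ev.bytes_out >= EXFIL_VOLUME_THRESHOLD:
            reasons.append("outbound volume above ExfilVolumeThreshold")
        if not (WORK_HOURS[0] <= ev.ts.hour < WORK_HOURS[1]):
            reasons.append("upload outside WorkHours baseline")
        if ev.image.lower() in MONITORED_APPLICATIONS:
            reasons.append("application not expected to upload to repositories")
        if reasons:
            alerts.append(Alert(ev.pid, ev.image, ev.dest, ev.bytes_out, tuple(reasons)))
    return alerts


def _t(hhmmss):
    return datetime.fromisoformat("2024-05-01T" + hhmmss)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # git reads a Finance spreadsheet, then pushes 52 MB at 02:12 -> volume + off-hours
    Event(_t("02:10:00"), "file_access", 4242, "git.exe", path=r"C:\Users\alice\Documents\Finance\q3.xlsx"),
    Event(_t("02:12:00"), "net_conn", 4242, "git.exe", dest="github.com", bytes_out=52_000_000),
    # ordinary push of source code during work hours -> no sensitive read, no alert
    Event(_t("10:00:00"), "file_access", 5100, "git.exe", path=r"C:\Users\alice\src\app\main.c"),
    Event(_t("10:01:00"), "net_conn", 5100, "git.exe", dest="github.com", bytes_out=200_000),
    # Word reads a document and then talks to gitlab.com -> unexpected application
    Event(_t("11:00:00"), "file_access", 6000, "WINWORD.EXE", path=r"C:\Users\alice\Documents\contract.docx"),
    Event(_t("11:03:00"), "net_conn", 6000, "WINWORD.EXE", dest="gitlab.com", bytes_out=100_000),
    # sensitive read followed by traffic to a non-repository host -> outside this analytic's scope
    Event(_t("14:00:00"), "file_access", 7000, "curl.exe", path=r"C:\Users\alice\Documents\notes.txt"),
    Event(_t("14:01:00"), "net_conn", 7000, "curl.exe", dest="example.com", bytes_out=90_000_000),
    # sensitive read, small push, work hours, git -> correlated but no abnormality signal
    Event(_t("09:00:00"), "file_access", 8000, "git.exe", path=r"C:\Users\alice\Documents\readme.md"),
    Event(_t("09:05:00"), "net_conn", 8000, "git.exe", dest="bitbucket.org", bytes_out=10_000),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"pid={a.pid} image={a.image} dest={a.dest} bytes={a.bytes_out}: {'; '.join(a.reasons)}")
```

Run as written, the script raises two alerts (the off-hours bulk push and the Word process reaching gitlab.com) and stays quiet on the three benign pairs. In a SIEM the same join would be expressed over EventCode=4663 and Sysmon EventCode=3 (or auditd SYSCALL and NSM:Flow) keyed on process id within a time window; the reason list is what makes the alert actionable for the analyst, and the two-signal requirement (sensitive read plus an abnormality) is what keeps routine developer pushes out of the queue.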