An account uploading several code-repository archives to an external web domain can indicate exfiltration of proprietary source code: a user downloads repositories as ZIP files from a code host such as GitHub, GitLab or Bitbucket and then uploads them to a file-sharing or storage site that is not one of the organization's sanctioned services. SOC teams should hunt for this pattern in Azure Sentinel (now Microsoft Sentinel) using the CloudAppEvents table, so that an exfiltration attempt is caught and contained before the code is lost.
KQL Query
```kql
let filesThreshold = 10;  // report an account once it has uploaded more than this many distinct archives
let lookback = 1d;
let sourceDomainList = pack_array("github", "visualstudio", "gitlab", "bitbucket", "osdn"); // code repository hosts (where the archive was downloaded from)
let excludeTargetDomainList = pack_array("office.net","visualstudio","github","gitlab","azure","dynamics","teams","sharepoint"); // sanctioned upload destinations to ignore
CloudAppEvents
| where Timestamp > ago(lookback)
| where ApplicationId == 11161  // Defender for Cloud Apps application ID of the app whose upload events are inspected
| where ActionType =~ "FileUploadedToCloud"
| project Timestamp, AccountObjectId, AccountDisplayName,
    extension = tostring(RawEventData.FileExtension),
    origin = tostring(RawEventData.OriginatingDomain),
    target = tostring(RawEventData.TargetDomain),
    file = tostring(RawEventData.ObjectId)
| extend file = tostring(parse_path(file).Filename)   // keep the file name only, drop the local path
| where extension =~ "zip"                            // filtering for zipped repos; archives in other formats are not covered
| where origin has_any (sourceDomainList)             // the archive was downloaded from a code host
| where not(target has_any (excludeTargetDomainList)) // and uploaded somewhere other than a sanctioned service
| summarize uploadedFiles = dcount(file), files = make_set(file, 128) by AccountObjectId, AccountDisplayName
| where uploadedFiles > filesThreshold
```
```yaml
id: 11b8daa5-fe15-4664-b332-8f26d3c0b3a7
name: Code Repo Exfiltration
description: |
  Looks for accounts that uploaded multiple code repositories to external web domains.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - CloudAppEvents
tactics:
  - Exfiltration
query: |
  let filesThreshold = 10;  // report an account once it has uploaded more than this many distinct archives
  let lookback = 1d;
  let sourceDomainList = pack_array("github", "visualstudio", "gitlab", "bitbucket", "osdn"); // code repository hosts (where the archive was downloaded from)
  let excludeTargetDomainList = pack_array("office.net","visualstudio","github","gitlab","azure","dynamics","teams","sharepoint"); // sanctioned upload destinations to ignore
  CloudAppEvents
  | where Timestamp > ago(lookback)
  | where ApplicationId == 11161  // Defender for Cloud Apps application ID of the app whose upload events are inspected
  | where ActionType =~ "FileUploadedToCloud"
  | project Timestamp, AccountObjectId, AccountDisplayName,
      extension = tostring(RawEventData.FileExtension),
      origin = tostring(RawEventData.OriginatingDomain),
      target = tostring(RawEventData.TargetDomain),
      file = tostring(RawEventData.ObjectId)
  | extend file = tostring(parse_path(file).Filename)   // keep the file name only, drop the local path
  | where extension =~ "zip"                            // filtering for zipped repos; archives in other formats are not covered
  | where origin has_any (sourceDomainList)             // the archive was downloaded from a code host
  | where not(target has_any (excludeTargetDomainList)) // and uploaded somewhere other than a sanctioned service
  | summarize uploadedFiles = dcount(file), files = make_set(file, 128) by AccountObjectId, AccountDisplayName
  | where uploadedFiles > filesThreshold
```
| Sentinel Table | Notes |
|---|---|
| CloudAppEvents | Ingested by the Microsoft Defender XDR data connector (connectorId MicrosoftThreatProtection); ensure it is enabled and that the CloudAppEvents data type is selected. |
| Scenario | Description | Filter/Exclusion |
|---|---|---|
| Developer pushes code to a remote Git repository | A developer pushes code to a remote Git repository (e.g., GitHub, GitLab) as part of their normal development workflow. | Uploads whose target domain contains the term github, gitlab or visualstudio are already dropped by excludeTargetDomainList; add any other sanctioned code host your developers use (e.g., bitbucket) to that list. |
| Scheduled CI/CD pipeline artifact upload | A CI/CD pipeline (e.g., Jenkins, GitHub Actions) uploads build artifacts to an external domain as part of the deployment process. | Add the known artifact stores (e.g., artifactory.example.com, or the s3.amazonaws.com endpoint used for artifact storage) to excludeTargetDomainList, or exclude the pipeline's service account by AccountObjectId. |
| Admin backs up code repositories to cloud storage | An admin performs a routine backup of code repositories to a cloud storage service (e.g., AWS S3, Azure Blob Storage). | Add the backup destinations to excludeTargetDomainList (e.g., bucket-name-backups.s3.amazonaws.com or backup-<env>.example.com). Note that Azure Blob Storage endpoints (*.blob.core.windows.net) do not contain the term azure, so the stock list does not cover them. |
| Code repository sync between on-prem and cloud | A sync job (e.g., using rsync, scp, or aws s3 sync) transfers code repositories between on-premises servers and cloud storage. | The query only sees transfers that Defender records as FileUploadedToCloud events; for those that do appear, add the sync destinations (e.g., s3.amazonaws.com or backup.example.com) to excludeTargetDomainList. |
| DevOps team uploads documentation to external hosting | A DevOps team uploads documentation or static assets (e.g., using rsync or scp) to an external documentation hosting service | |
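To check how the rule's filters behave, and how an entry added to excludeTargetDomainList tunes out one of the false-positive scenarios above, here is an added example that is not part of the original hunting query: the same pipeline run over a handful of constructed rows shaped like CloudAppEvents. The sample accounts, file names, the destination domains files.unknown-host.example and backup.example.com, and the lowered threshold are all assumptions made for the demonstration. Because it never touches the real table it can be pasted into the Microsoft Sentinel Logs blade or the Defender advanced hunting page as-is.

```kql
// Added example, not part of the original hunting query: the rule's pipeline run over
// constructed CloudAppEvents-shaped rows. Sample accounts, file names, destination domains
// and the lowered threshold are assumptions made for this demonstration only.
let filesThreshold = 2;   // lowered from 10 so a few sample rows suffice; keep 10 in production
let lookback = 1d;
let sourceDomainList = pack_array("github", "visualstudio", "gitlab", "bitbucket", "osdn");
let excludeTargetDomainList = pack_array("office.net", "visualstudio", "github", "gitlab", "azure",
    "dynamics", "teams", "sharepoint",
    "backup.example.com");  // hypothetical sanctioned backup host, added to tune out the backup scenario
// Constructed rows (not real telemetry). MinutesAgo is turned into Timestamp at run time so the
// rows always fall inside the lookback window no matter when the query is executed.
let SampleCloudAppEvents = datatable(MinutesAgo:int, ApplicationId:int, ActionType:string,
                                     AccountObjectId:string, AccountDisplayName:string, RawEventData:dynamic)
[
    // alice: three distinct repo archives from code hosts to an unsanctioned site, one of them uploaded twice
    40, 11161, "FileUploadedToCloud", "aad-alice", "Alice Example",
        dynamic({"FileExtension":"zip", "OriginatingDomain":"github.com", "TargetDomain":"files.unknown-host.example", "ObjectId":"/Users/alice/Downloads/repo-a-main.zip"}),
    35, 11161, "FileUploadedToCloud", "aad-alice", "Alice Example",
        dynamic({"FileExtension":"zip", "OriginatingDomain":"github.com", "TargetDomain":"files.unknown-host.example", "ObjectId":"/Users/alice/Downloads/repo-b-main.zip"}),
    30, 11161, "FileUploadedToCloud", "aad-alice", "Alice Example",
        dynamic({"FileExtension":"zip", "OriginatingDomain":"gitlab.com", "TargetDomain":"files.unknown-host.example", "ObjectId":"/Users/alice/Downloads/repo-c-main.zip"}),
    25, 11161, "FileUploadedToCloud", "aad-alice", "Alice Example",
        dynamic({"FileExtension":"zip", "OriginatingDomain":"github.com", "TargetDomain":"files.unknown-host.example", "ObjectId":"/Users/alice/Downloads/repo-a-main.zip"}),
    // bob: just as many archives, but to the sanctioned backup host in the extended exclude list
    40, 11161, "FileUploadedToCloud", "aad-bob", "Bob Example",
        dynamic({"FileExtension":"zip", "OriginatingDomain":"github.com", "TargetDomain":"backup.example.com", "ObjectId":"/home/bob/repo-1.zip"}),
    35, 11161, "FileUploadedToCloud", "aad-bob", "Bob Example",
        dynamic({"FileExtension":"zip", "OriginatingDomain":"github.com", "TargetDomain":"backup.example.com", "ObjectId":"/home/bob/repo-2.zip"}),
    30, 11161, "FileUploadedToCloud", "aad-bob", "Bob Example",
        dynamic({"FileExtension":"zip", "OriginatingDomain":"github.com", "TargetDomain":"backup.example.com", "ObjectId":"/home/bob/repo-3.zip"}),
    // carol: ZIPs that came from a vendor download portal, not from a code host
    40, 11161, "FileUploadedToCloud", "aad-carol", "Carol Example",
        dynamic({"FileExtension":"zip", "OriginatingDomain":"downloads.vendor.example", "TargetDomain":"files.unknown-host.example", "ObjectId":"/Users/carol/Downloads/driver-pack.zip"}),
    35, 11161, "FileUploadedToCloud", "aad-carol", "Carol Example",
        dynamic({"FileExtension":"zip", "OriginatingDomain":"downloads.vendor.example", "TargetDomain":"files.unknown-host.example", "ObjectId":"/Users/carol/Downloads/sdk-tools.zip"}),
    30, 11161, "FileUploadedToCloud", "aad-carol", "Carol Example",
        dynamic({"FileExtension":"zip", "OriginatingDomain":"downloads.vendor.example", "TargetDomain":"files.unknown-host.example", "ObjectId":"/Users/carol/Downloads/fonts.zip"}),
    // dave: repo archives downloaded as tarballs, so FileExtension is gz rather than zip
    40, 11161, "FileUploadedToCloud", "aad-dave", "Dave Example",
        dynamic({"FileExtension":"gz", "OriginatingDomain":"github.com", "TargetDomain":"files.unknown-host.example", "ObjectId":"/home/dave/repo-x-main.tar.gz"}),
    35, 11161, "FileUploadedToCloud", "aad-dave", "Dave Example",
        dynamic({"FileExtension":"gz", "OriginatingDomain":"github.com", "TargetDomain":"files.unknown-host.example", "ObjectId":"/home/dave/repo-y-main.tar.gz"}),
    30, 11161, "FileUploadedToCloud", "aad-dave", "Dave Example",
        dynamic({"FileExtension":"gz", "OriginatingDomain":"github.com", "TargetDomain":"files.unknown-host.example", "ObjectId":"/home/dave/repo-z-main.tar.gz"}),
    // erin: exactly filesThreshold distinct archives, exercising the strict > comparison
    40, 11161, "FileUploadedToCloud", "aad-erin", "Erin Example",
        dynamic({"FileExtension":"zip", "OriginatingDomain":"github.com", "TargetDomain":"files.unknown-host.example", "ObjectId":"/Users/erin/Downloads/repo-p-main.zip"}),
    35, 11161, "FileUploadedToCloud", "aad-erin", "Erin Example",
        dynamic({"FileExtension":"zip", "OriginatingDomain":"github.com", "TargetDomain":"files.unknown-host.example", "ObjectId":"/Users/erin/Downloads/repo-q-main.zip"}),
];
SampleCloudAppEvents
| extend Timestamp = now() - 1m * MinutesAgo
// ---- from here on this is the page's query, with tostring() casts on the dynamic fields ----
| where Timestamp > ago(lookback)
| where ApplicationId == 11161
| where ActionType =~ "FileUploadedToCloud"
| project Timestamp, AccountObjectId, AccountDisplayName,
    extension = tostring(RawEventData.FileExtension),
    origin = tostring(RawEventData.OriginatingDomain),
    target = tostring(RawEventData.TargetDomain),
    file = tostring(RawEventData.ObjectId)
| extend file = tostring(parse_path(file).Filename)
| where extension =~ "zip"
| where origin has_any (sourceDomainList)
| where not(target has_any (excludeTargetDomainList))
| summarize uploadedFiles = dcount(file), files = make_set(file, 128), targets = make_set(target, 16)
    by AccountObjectId, AccountDisplayName
| where uploadedFiles > filesThreshold
```

Replacing SampleCloudAppEvents with CloudAppEvents and deleting the extend that fabricates Timestamp gives back the production rule. The sample rows are built so that each filter removes one account for a different reason: bob's uploads go to the host added to excludeTargetDomainList, carol's ZIPs did not originate from a code host, dave's tarballs never pass the extension check, and erin stops at exactly the threshold. Two consequences worth keeping in mind when tuning: alice's repeated upload of repo-a-main.zip is counted once because the summarize uses dcount(), and an account that downloads repositories as tar.gz rather than ZIP is outside this rule as written, so the extension filter is a known gap rather than a false-positive control.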