Azure-Sentinel/Hunting Queries/GitHub/Unusual Number of Repository Clones.yaml

id: ccef3c74-4b4f-445b-8109-06d38687e4a4
name: GitHub Repo Clone - Time Series Anomly
description: |
  'Attacker can exfiltrate data from you GitHub repository after gaining access to it by performing clone action. This hunting queries allows you to track the clones activities for each of your repositories. The visualization allow you to quickly identify anomalies/excessive clone, to further investigate repo access & permissions'  
requiredDataConnectors: []
tactics:
  - Collection
relevantTechniques:
  - T1213
query: |

  let min_t = toscalar(GitHubRepo
  | summarize min(timestamp_t));
  let max_t = toscalar(GitHubRepo
  | summarize max(timestamp_t));
  GitHubRepo
  | where Action == "Clones"
  | distinct TimeGenerated, Repository, Count
  | make-series num=sum(tolong(Count)) default=0 on TimeGenerated in range(min_t, max_t, 1h) by Repository 
  | extend (anomalies, score, baseline) = series_decompose_anomalies(num, 1.5, -1, 'linefit')
  | render timechart