
Summary
The rule titled "High Number of Cloned GitHub Repos From PAT" detects potentially malicious cloning of private GitHub repositories with Personal Access Tokens (PATs). Looking back over the last six months, it monitors GitHub audit logs for a significant rise in the number of unique private repositories cloned by a single PAT. The detection logic is threshold-based: it fires when one token's clone activity exceeds the configured count, a pattern consistent with unauthorized use of that token. The rule carries a low risk score of 21, indicating likely token misuse rather than a confirmed active attack. False positives can arise from legitimate automation, ordinary developer activity, or scheduled maintenance that clones many repositories. Investigation focuses on how the token has been used and on the account it belongs to; compromised tokens should be revoked to prevent data exfiltration. The guide lays out a structured triage and remediation path and stresses robust security practices around PATs. The rule maps to the MITRE ATT&CK Execution tactic, specifically the Serverless Execution technique.
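The threshold logic described above, as an added illustration that is not the rule's own query: it counts distinct private repositories cloned per PAT over a constructed JSON-lines GitHub audit log and flags tokens at or above a threshold. The field names (action, repo, repository_public, programmatic_access_type, hashed_token, actor), the "OAuth access token" marker for PAT-authenticated requests, and the threshold of 5 are assumptions for this example.

```python
import json
from collections import defaultdict

def _event(token, repo, public=False, access="OAuth access token", actor="alice"):
    """Build one constructed audit-log record (field names are assumptions)."""
    return json.dumps({"action": "git.clone", "repo": repo, "repository_public": public,
                       "programmatic_access_type": access, "hashed_token": token,
                       "actor": actor})

# Constructed sample: token A clones five distinct private repos (plus one repeat),
# token B clones two private repos and one public one, and a browser session
# with no PAT clones several private repos (out of scope for this rule).
SAMPLE_AUDIT_LOG = "\n".join(
    [_event("HASH_A", f"acme/svc-{i}") for i in range(5)]
    + [_event("HASH_A", "acme/svc-0")]
    + [_event("HASH_B", "acme/web"), _event("HASH_B", "acme/docs"),
       _event("HASH_B", "acme/oss", public=True)]
    + [_event(None, f"acme/svc-{i}", access="Web session", actor="bob") for i in range(5)]
)

def count_private_clones_per_pat(audit_log_text):
    """Return {hashed_token: set(private repos)} for PAT-driven git.clone events."""
    repos_by_token = defaultdict(set)
    for line in audit_log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("action") != "git.clone" or ev.get("repository_public") is not False:
            continue  # only clones of private repositories are in scope
        if ev.get("programmatic_access_type") != "OAuth access token" or not ev.get("hashed_token"):
            continue  # ignore clones that were not authenticated with a PAT
        repos_by_token[ev["hashed_token"]].add(ev["repo"])  # set => unique repos only
    return repos_by_token

def flag_tokens(audit_log_text, threshold=5):
    """Return hashed tokens whose distinct private-repo clone count >= threshold."""
    per_token = count_private_clones_per_pat(audit_log_text)
    return sorted(t for t, repos in per_token.items() if len(repos) >= threshold)

if __name__ == "__main__":
    for token, repos in count_private_clones_per_pat(SAMPLE_AUDIT_LOG).items():
        print(token, len(repos), sorted(repos))
    print("flagged:", flag_tokens(SAMPLE_AUDIT_LOG))
```

Repeated clones of the same repository by one token do not raise its count, which is what keeps routine CI re-clones from tripping the threshold on their own.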
Categories
- Cloud
- Web
- Identity Management
Data Sources
- Web Credential
- Application Log
- User Account
- Cloud Service
- Process
ATT&CK Techniques
- T1648
Created: 2023-10-11