Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GitLab - User Impersonation

GitLab - User Impersonation

Back
Id0f4f16a2-b464-4c10-9a42-993da3e15a40
RulenameGitLab - User Impersonation
DescriptionThis queries GitLab Audit Logs for user impersonation. A malicious operator or a compromised admin account could leverage the impersonation feature of GitLab to change code or repository settings bypassing usual processes. This hunting queries allows you to track the audit actions done under impersonation.
SeverityMedium
TacticsPersistence
TechniquesT1078
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_Impersonation.yaml
Version1.0.2
Arm template0f4f16a2-b464-4c10-9a42-993da3e15a40.json
Deploy To Azure
let impersonationStart = (GitLabAudit
| where CustomMessage == 'Started Impersonation');
let impersonationStop = (GitLabAudit
| where CustomMessage == 'Stopped Impersonation');
impersonationStart
| join kind=inner impersonationStop on $left.TargetID == $right.TargetID and $left.AuthorID == $right.AuthorID 
| where EventTime1 > EventTime
| extend TimeGenerated, AuthorID, AuthorName, TargetID, TargetDetails = TargetDetails, IPStart = IPAddress, IPStop = IPAddress1, ImpStartTime = EventTime, ImpStopTime = EventTime1, EntityName
| join kind=inner (GitLabAudit | extend ActionTime = EventTime, AuthorName) on $left.TargetDetails == $right.AuthorName 
| where ImpStartTime < ActionTime and ActionTime > ImpStopTime

triggerOperator: gt
tactics:
- Persistence
triggerThreshold: 0
kind: Scheduled
description: |
    'This queries GitLab Audit Logs for user impersonation. A malicious operator or a compromised admin account could leverage the impersonation feature of GitLab to change code or repository settings bypassing usual processes. This hunting queries allows you to track the audit actions done under impersonation.'
severity: Medium
id: 0f4f16a2-b464-4c10-9a42-993da3e15a40
requiredDataConnectors:
- connectorId: SyslogAma
  dataTypes:
  - Syslog
query: |
  let impersonationStart = (GitLabAudit
  | where CustomMessage == 'Started Impersonation');
  let impersonationStop = (GitLabAudit
  | where CustomMessage == 'Stopped Impersonation');
  impersonationStart
  | join kind=inner impersonationStop on $left.TargetID == $right.TargetID and $left.AuthorID == $right.AuthorID 
  | where EventTime1 > EventTime
  | extend TimeGenerated, AuthorID, AuthorName, TargetID, TargetDetails = TargetDetails, IPStart = IPAddress, IPStop = IPAddress1, ImpStartTime = EventTime, ImpStopTime = EventTime1, EntityName
  | join kind=inner (GitLabAudit | extend ActionTime = EventTime, AuthorName) on $left.TargetDetails == $right.AuthorName 
  | where ImpStartTime < ActionTime and ActionTime > ImpStopTime  
version: 1.0.2
status: Available
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPStart
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: IPStop
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: EntityName
    identifier: FullName
- entityType: Account
  fieldMappings:
  - columnName: TargetDetails
    identifier: FullName
name: GitLab - User Impersonation
queryPeriod: 1d
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_Impersonation.yaml
relevantTechniques:
- T1078