let isAdmin = true;
GitLabAudit
| where AuthenticationType == "standard" and ((isAdmin and TargetDetails contains "Administrator") or (isAdmin==false));
id: e0b45487-5c79-482d-8ac0-695de8c031af
requiredDataConnectors:
- dataTypes:
- Syslog
connectorId: SyslogAma
triggerThreshold: 0
queryPeriod: 1d
query: |
let isAdmin = true;
GitLabAudit
| where AuthenticationType == "standard" and ((isAdmin and TargetDetails contains "Administrator") or (isAdmin==false));
name: GitLab - Local Auth - No MFA
entityMappings:
- entityType: IP
fieldMappings:
- columnName: IPAddress
identifier: Address
- entityType: Account
fieldMappings:
- columnName: AuthorUserName
identifier: FullName
description: |
'This query checks GitLab Audit Logs to see if a user authenticated without MFA. Ot might mean that MFA was disabled for the GitLab server or that an external authentication provider was bypassed. This rule focuses on 'admin' privileges but the parameter can be adapted to also include all users.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_LocalAuthNoMFA.yaml
tactics:
- CredentialAccess
triggerOperator: gt
relevantTechniques:
- T1110
version: 1.0.1
kind: Scheduled
status: Available
severity: Medium
queryFrequency: 1h
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e0b45487-5c79-482d-8ac0-695de8c031af')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e0b45487-5c79-482d-8ac0-695de8c031af')]",
"properties": {
"alertRuleTemplateName": "e0b45487-5c79-482d-8ac0-695de8c031af",
"customDetails": null,
"description": "'This query checks GitLab Audit Logs to see if a user authenticated without MFA. Ot might mean that MFA was disabled for the GitLab server or that an external authentication provider was bypassed. This rule focuses on 'admin' privileges but the parameter can be adapted to also include all users.'\n",
"displayName": "GitLab - Local Auth - No MFA",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPAddress",
"identifier": "Address"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AuthorUserName",
"identifier": "FullName"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_LocalAuthNoMFA.yaml",
"query": "let isAdmin = true;\nGitLabAudit\n| where AuthenticationType == \"standard\" and ((isAdmin and TargetDetails contains \"Administrator\") or (isAdmin==false));\n",
"queryFrequency": "PT1H",
"queryPeriod": "P1D",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess"
],
"techniques": [
"T1110"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}