Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GitLab - User Impersonation

GitLab - User Impersonation

Back
Id0f4f16a2-b464-4c10-9a42-993da3e15a40
RulenameGitLab - User Impersonation
DescriptionThis queries GitLab Audit Logs for user impersonation. A malicious operator or a compromised admin account could leverage the impersonation feature of GitLab to change code or repository settings bypassing usual processes. This hunting queries allows you to track the audit actions done under impersonation.
SeverityMedium
TacticsPersistence
TechniquesT1078
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_Impersonation.yaml
Version1.0.2
Arm template0f4f16a2-b464-4c10-9a42-993da3e15a40.json
Deploy To Azure
let impersonationStart = (GitLabAudit
| where CustomMessage == 'Started Impersonation');
let impersonationStop = (GitLabAudit
| where CustomMessage == 'Stopped Impersonation');
impersonationStart
| join kind=inner impersonationStop on $left.TargetID == $right.TargetID and $left.AuthorID == $right.AuthorID 
| where EventTime1 > EventTime
| extend TimeGenerated, AuthorID, AuthorName, TargetID, TargetDetails = TargetDetails, IPStart = IPAddress, IPStop = IPAddress1, ImpStartTime = EventTime, ImpStopTime = EventTime1, EntityName
| join kind=inner (GitLabAudit | extend ActionTime = EventTime, AuthorName) on $left.TargetDetails == $right.AuthorName 
| where ImpStartTime < ActionTime and ActionTime > ImpStopTime

relevantTechniques:
- T1078
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPStart
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: IPStop
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: EntityName
    identifier: FullName
- entityType: Account
  fieldMappings:
  - columnName: TargetDetails
    identifier: FullName
version: 1.0.2
id: 0f4f16a2-b464-4c10-9a42-993da3e15a40
severity: Medium
kind: Scheduled
queryFrequency: 1h
description: |
    'This queries GitLab Audit Logs for user impersonation. A malicious operator or a compromised admin account could leverage the impersonation feature of GitLab to change code or repository settings bypassing usual processes. This hunting queries allows you to track the audit actions done under impersonation.'
requiredDataConnectors:
- connectorId: SyslogAma
  dataTypes:
  - Syslog
triggerOperator: gt
name: GitLab - User Impersonation
tactics:
- Persistence
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_Impersonation.yaml
triggerThreshold: 0
queryPeriod: 1d
query: |
  let impersonationStart = (GitLabAudit
  | where CustomMessage == 'Started Impersonation');
  let impersonationStop = (GitLabAudit
  | where CustomMessage == 'Stopped Impersonation');
  impersonationStart
  | join kind=inner impersonationStop on $left.TargetID == $right.TargetID and $left.AuthorID == $right.AuthorID 
  | where EventTime1 > EventTime
  | extend TimeGenerated, AuthorID, AuthorName, TargetID, TargetDetails = TargetDetails, IPStart = IPAddress, IPStop = IPAddress1, ImpStartTime = EventTime, ImpStopTime = EventTime1, EntityName
  | join kind=inner (GitLabAudit | extend ActionTime = EventTime, AuthorName) on $left.TargetDetails == $right.AuthorName 
  | where ImpStartTime < ActionTime and ActionTime > ImpStopTime  
status: Available