Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GitLab - User Impersonation

GitLab - User Impersonation

Back
Id0f4f16a2-b464-4c10-9a42-993da3e15a40
RulenameGitLab - User Impersonation
DescriptionThis queries GitLab Audit Logs for user impersonation. A malicious operator or a compromised admin account could leverage the impersonation feature of GitLab to change code or repository settings bypassing usual processes. This hunting queries allows you to track the audit actions done under impersonation.
SeverityMedium
TacticsPersistence
TechniquesT1078
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_Impersonation.yaml
Version1.0.2
Arm template0f4f16a2-b464-4c10-9a42-993da3e15a40.json
Deploy To Azure
let impersonationStart = (GitLabAudit
| where CustomMessage == 'Started Impersonation');
let impersonationStop = (GitLabAudit
| where CustomMessage == 'Stopped Impersonation');
impersonationStart
| join kind=inner impersonationStop on $left.TargetID == $right.TargetID and $left.AuthorID == $right.AuthorID 
| where EventTime1 > EventTime
| extend TimeGenerated, AuthorID, AuthorName, TargetID, TargetDetails = TargetDetails, IPStart = IPAddress, IPStop = IPAddress1, ImpStartTime = EventTime, ImpStopTime = EventTime1, EntityName
| join kind=inner (GitLabAudit | extend ActionTime = EventTime, AuthorName) on $left.TargetDetails == $right.AuthorName 
| where ImpStartTime < ActionTime and ActionTime > ImpStopTime

id: 0f4f16a2-b464-4c10-9a42-993da3e15a40
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_Impersonation.yaml
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPStart
  entityType: IP
- fieldMappings:
  - identifier: Address
    columnName: IPStop
  entityType: IP
- fieldMappings:
  - identifier: FullName
    columnName: EntityName
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: TargetDetails
  entityType: Account
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: SyslogAma
queryFrequency: 1h
queryPeriod: 1d
status: Available
query: |
  let impersonationStart = (GitLabAudit
  | where CustomMessage == 'Started Impersonation');
  let impersonationStop = (GitLabAudit
  | where CustomMessage == 'Stopped Impersonation');
  impersonationStart
  | join kind=inner impersonationStop on $left.TargetID == $right.TargetID and $left.AuthorID == $right.AuthorID 
  | where EventTime1 > EventTime
  | extend TimeGenerated, AuthorID, AuthorName, TargetID, TargetDetails = TargetDetails, IPStart = IPAddress, IPStop = IPAddress1, ImpStartTime = EventTime, ImpStopTime = EventTime1, EntityName
  | join kind=inner (GitLabAudit | extend ActionTime = EventTime, AuthorName) on $left.TargetDetails == $right.AuthorName 
  | where ImpStartTime < ActionTime and ActionTime > ImpStopTime  
name: GitLab - User Impersonation
kind: Scheduled
tactics:
- Persistence
severity: Medium
relevantTechniques:
- T1078
triggerThreshold: 0
version: 1.0.2
description: |
    'This queries GitLab Audit Logs for user impersonation. A malicious operator or a compromised admin account could leverage the impersonation feature of GitLab to change code or repository settings bypassing usual processes. This hunting queries allows you to track the audit actions done under impersonation.'