Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

GitLab - User Impersonation

Back
Id0f4f16a2-b464-4c10-9a42-993da3e15a40
RulenameGitLab - User Impersonation
DescriptionThis queries GitLab Audit Logs for user impersonation. A malicious operator or a compromised admin account could leverage the impersonation feature of GitLab to change code or repository settings bypassing usual processes. This hunting queries allows you to track the audit actions done under impersonation.
SeverityMedium
TacticsPersistence
TechniquesT1078
Required data connectorsSyslog
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_Impersonation.yaml
Version1.0.1
Arm template0f4f16a2-b464-4c10-9a42-993da3e15a40.json
Deploy To Azure
let impersonationStart = (GitLabAudit
| where CustomMessage == 'Started Impersonation');
let impersonationStop = (GitLabAudit
| where CustomMessage == 'Stopped Impersonation');
impersonationStart
| join kind=inner impersonationStop on $left.TargetID == $right.TargetID and $left.AuthorID == $right.AuthorID 
| where EventTime1 > EventTime
| extend TimeGenerated, AuthorID, AuthorName, TargetID, TargetDetails = TargetDetails, IPStart = IPAddress, IPStop = IPAddress1, ImpStartTime = EventTime, ImpStopTime = EventTime1, EntityName
| join kind=inner (GitLabAudit | extend ActionTime = EventTime, AuthorName) on $left.TargetDetails == $right.AuthorName 
| where ImpStartTime < ActionTime and ActionTime > ImpStopTime
status: Available
queryFrequency: 1h
description: |
    'This queries GitLab Audit Logs for user impersonation. A malicious operator or a compromised admin account could leverage the impersonation feature of GitLab to change code or repository settings bypassing usual processes. This hunting queries allows you to track the audit actions done under impersonation.'
severity: Medium
version: 1.0.1
relevantTechniques:
- T1078
name: GitLab - User Impersonation
triggerThreshold: 0
kind: Scheduled
query: |
  let impersonationStart = (GitLabAudit
  | where CustomMessage == 'Started Impersonation');
  let impersonationStop = (GitLabAudit
  | where CustomMessage == 'Stopped Impersonation');
  impersonationStart
  | join kind=inner impersonationStop on $left.TargetID == $right.TargetID and $left.AuthorID == $right.AuthorID 
  | where EventTime1 > EventTime
  | extend TimeGenerated, AuthorID, AuthorName, TargetID, TargetDetails = TargetDetails, IPStart = IPAddress, IPStop = IPAddress1, ImpStartTime = EventTime, ImpStopTime = EventTime1, EntityName
  | join kind=inner (GitLabAudit | extend ActionTime = EventTime, AuthorName) on $left.TargetDetails == $right.AuthorName 
  | where ImpStartTime < ActionTime and ActionTime > ImpStopTime  
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_Impersonation.yaml
requiredDataConnectors:
- connectorId: Syslog
  dataTypes:
  - Syslog
tactics:
- Persistence
id: 0f4f16a2-b464-4c10-9a42-993da3e15a40
queryPeriod: 1d
entityMappings:
- fieldMappings:
  - columnName: IPStart
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: IPStop
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: EntityName
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: TargetDetails
    identifier: FullName
  entityType: Account
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0f4f16a2-b464-4c10-9a42-993da3e15a40')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0f4f16a2-b464-4c10-9a42-993da3e15a40')]",
      "properties": {
        "alertRuleTemplateName": "0f4f16a2-b464-4c10-9a42-993da3e15a40",
        "customDetails": null,
        "description": "'This queries GitLab Audit Logs for user impersonation. A malicious operator or a compromised admin account could leverage the impersonation feature of GitLab to change code or repository settings bypassing usual processes. This hunting queries allows you to track the audit actions done under impersonation.'\n",
        "displayName": "GitLab - User Impersonation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPStart",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPStop",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "EntityName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "TargetDetails",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_Impersonation.yaml",
        "query": "let impersonationStart = (GitLabAudit\n| where CustomMessage == 'Started Impersonation');\nlet impersonationStop = (GitLabAudit\n| where CustomMessage == 'Stopped Impersonation');\nimpersonationStart\n| join kind=inner impersonationStop on $left.TargetID == $right.TargetID and $left.AuthorID == $right.AuthorID \n| where EventTime1 > EventTime\n| extend TimeGenerated, AuthorID, AuthorName, TargetID, TargetDetails = TargetDetails, IPStart = IPAddress, IPStop = IPAddress1, ImpStartTime = EventTime, ImpStopTime = EventTime1, EntityName\n| join kind=inner (GitLabAudit | extend ActionTime = EventTime, AuthorName) on $left.TargetDetails == $right.AuthorName \n| where ImpStartTime < ActionTime and ActionTime > ImpStopTime\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}