GitLab - User Impersonation
| Id | 0f4f16a2-b464-4c10-9a42-993da3e15a40 |
| Rulename | GitLab - User Impersonation |
| Description | This queries GitLab Audit Logs for user impersonation. A malicious operator or a compromised admin account could leverage the impersonation feature of GitLab to change code or repository settings bypassing usual processes. This hunting queries allows you to track the audit actions done under impersonation. |
| Severity | Medium |
| Tactics | Persistence |
| Techniques | T1078 |
| Required data connectors | SyslogAma |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_Impersonation.yaml |
| Version | 1.0.2 |
| Arm template | 0f4f16a2-b464-4c10-9a42-993da3e15a40.json |
let impersonationStart = (GitLabAudit
| where CustomMessage == 'Started Impersonation');
let impersonationStop = (GitLabAudit
| where CustomMessage == 'Stopped Impersonation');
impersonationStart
| join kind=inner impersonationStop on $left.TargetID == $right.TargetID and $left.AuthorID == $right.AuthorID
| where EventTime1 > EventTime
| extend TimeGenerated, AuthorID, AuthorName, TargetID, TargetDetails = TargetDetails, IPStart = IPAddress, IPStop = IPAddress1, ImpStartTime = EventTime, ImpStopTime = EventTime1, EntityName
| join kind=inner (GitLabAudit | extend ActionTime = EventTime, AuthorName) on $left.TargetDetails == $right.AuthorName
| where ImpStartTime < ActionTime and ActionTime > ImpStopTime
kind: Scheduled
triggerThreshold: 0
tactics:
- Persistence
id: 0f4f16a2-b464-4c10-9a42-993da3e15a40
query: |
let impersonationStart = (GitLabAudit
| where CustomMessage == 'Started Impersonation');
let impersonationStop = (GitLabAudit
| where CustomMessage == 'Stopped Impersonation');
impersonationStart
| join kind=inner impersonationStop on $left.TargetID == $right.TargetID and $left.AuthorID == $right.AuthorID
| where EventTime1 > EventTime
| extend TimeGenerated, AuthorID, AuthorName, TargetID, TargetDetails = TargetDetails, IPStart = IPAddress, IPStop = IPAddress1, ImpStartTime = EventTime, ImpStopTime = EventTime1, EntityName
| join kind=inner (GitLabAudit | extend ActionTime = EventTime, AuthorName) on $left.TargetDetails == $right.AuthorName
| where ImpStartTime < ActionTime and ActionTime > ImpStopTime
requiredDataConnectors:
- dataTypes:
- Syslog
connectorId: SyslogAma
name: GitLab - User Impersonation
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPStart
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPStop
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: EntityName
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: TargetDetails
status: Available
description: |
'This queries GitLab Audit Logs for user impersonation. A malicious operator or a compromised admin account could leverage the impersonation feature of GitLab to change code or repository settings bypassing usual processes. This hunting queries allows you to track the audit actions done under impersonation.'
severity: Medium
queryFrequency: 1h
version: 1.0.2
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_Impersonation.yaml
relevantTechniques:
- T1078
queryPeriod: 1d
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0f4f16a2-b464-4c10-9a42-993da3e15a40')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0f4f16a2-b464-4c10-9a42-993da3e15a40')]",
"properties": {
"alertRuleTemplateName": "0f4f16a2-b464-4c10-9a42-993da3e15a40",
"customDetails": null,
"description": "'This queries GitLab Audit Logs for user impersonation. A malicious operator or a compromised admin account could leverage the impersonation feature of GitLab to change code or repository settings bypassing usual processes. This hunting queries allows you to track the audit actions done under impersonation.'\n",
"displayName": "GitLab - User Impersonation",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPStart",
"identifier": "Address"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPStop",
"identifier": "Address"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "EntityName",
"identifier": "FullName"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "TargetDetails",
"identifier": "FullName"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_Impersonation.yaml",
"query": "let impersonationStart = (GitLabAudit\n| where CustomMessage == 'Started Impersonation');\nlet impersonationStop = (GitLabAudit\n| where CustomMessage == 'Stopped Impersonation');\nimpersonationStart\n| join kind=inner impersonationStop on $left.TargetID == $right.TargetID and $left.AuthorID == $right.AuthorID \n| where EventTime1 > EventTime\n| extend TimeGenerated, AuthorID, AuthorName, TargetID, TargetDetails = TargetDetails, IPStart = IPAddress, IPStop = IPAddress1, ImpStartTime = EventTime, ImpStopTime = EventTime1, EntityName\n| join kind=inner (GitLabAudit | extend ActionTime = EventTime, AuthorName) on $left.TargetDetails == $right.AuthorName \n| where ImpStartTime < ActionTime and ActionTime > ImpStopTime\n",
"queryFrequency": "PT1H",
"queryPeriod": "P1D",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1078"
],
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}