Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GitLab - Brute-force Attempts

GitLab - Brute-force Attempts

Back
Id2238d13a-cf05-4973-a83f-d12a25dbb153
RulenameGitLab - Brute-force Attempts
DescriptionThis query relies on GitLab Application Logs to get failed logins to highlight brute-force attempts from different IP addresses in a short space of time.
SeverityMedium
TacticsCredentialAccess
TechniquesT1110
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_BruteForce.yaml
Version1.0.1
Arm template2238d13a-cf05-4973-a83f-d12a25dbb153.json
Deploy To Azure
let LearningPeriod = 7d; 
let EndLearningTime = now();
let BinTime = 1h; 
let RunTime = 1h; 
let MinThreshold = 3.0; 
let GitLabFailedLogins = (GitLabApp
| where FailedLogin == 1
| parse kind=regex Message with "Failed Login: username=" User "ip=" IpAddress 
| project TimeGenerated, EventTime, Computer, User, HostName, HostIP, IpAddress);
GitLabFailedLogins 
| where EventTime between (ago(LearningPeriod) .. EndLearningTime) 
| summarize FailedLoginsCountInBinTime = count() by User, bin(EventTime, BinTime) 
| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by User 
| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning, MinThreshold) 
| join kind=innerunique ( GitLabFailedLogins 
| summarize FailedLoginsCountInRunTime = count() by User, IpAddress, EventTime = bin(EventTime, BinTime) ) on User 
| where FailedLoginsCountInRunTime >= LearningThreshold
| project User, IpAddress, EventTime, FailedLoginsCountInRunTime, LearningThreshold

description: |
    'This query relies on GitLab Application Logs to get failed logins to highlight brute-force attempts from different IP addresses in a short space of time.'
kind: Scheduled
tactics:
- CredentialAccess
requiredDataConnectors:
- connectorId: SyslogAma
  dataTypes:
  - Syslog
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_BruteForce.yaml
severity: Medium
name: GitLab - Brute-force Attempts
triggerThreshold: 0
queryPeriod: 1d
query: |
  let LearningPeriod = 7d; 
  let EndLearningTime = now();
  let BinTime = 1h; 
  let RunTime = 1h; 
  let MinThreshold = 3.0; 
  let GitLabFailedLogins = (GitLabApp
  | where FailedLogin == 1
  | parse kind=regex Message with "Failed Login: username=" User "ip=" IpAddress 
  | project TimeGenerated, EventTime, Computer, User, HostName, HostIP, IpAddress);
  GitLabFailedLogins 
  | where EventTime between (ago(LearningPeriod) .. EndLearningTime) 
  | summarize FailedLoginsCountInBinTime = count() by User, bin(EventTime, BinTime) 
  | summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by User 
  | extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning, MinThreshold) 
  | join kind=innerunique ( GitLabFailedLogins 
  | summarize FailedLoginsCountInRunTime = count() by User, IpAddress, EventTime = bin(EventTime, BinTime) ) on User 
  | where FailedLoginsCountInRunTime >= LearningThreshold
  | project User, IpAddress, EventTime, FailedLoginsCountInRunTime, LearningThreshold  
relevantTechniques:
- T1110
id: 2238d13a-cf05-4973-a83f-d12a25dbb153
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.1
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPAddress
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: User
    identifier: FullName