Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GitLab - Abnormal number of repositories deleted

GitLab - Abnormal number of repositories deleted

Back
Id3efd09bd-a582-4410-b7ec-5ff21cfad7bd
RulenameGitLab - Abnormal number of repositories deleted
DescriptionThis hunting queries identify an unusual increase of repo deletion activities adversaries may want to disrupt availability or compromise integrity by deleting business data.
SeverityMedium
TacticsImpact
TechniquesT1485
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_Repo_Deletion.yaml
Version1.0.1
Arm template3efd09bd-a582-4410-b7ec-5ff21cfad7bd.json
Deploy To Azure
let LearningPeriod = 7d;
let BinTime = 1h;
let RunTime = 1h;
let StartTime = 1h;
let NumberOfStds = 3;
let MinThreshold = 10.0;
let EndRunTime = StartTime - RunTime;
let EndLearningTime = StartTime + LearningPeriod;
let GitLabRepositoryDestroyEvents = (GitLabAudit
| where RemoveAction == "project" or RemoveAction == "repository");
GitLabRepositoryDestroyEvents
| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))
| summarize count() by bin(TimeGenerated, BinTime)
| summarize AvgInLearning = avg(count_), StdInLearning = stdev(count_)
| extend LearningThreshold = max_of(AvgInLearning + StdInLearning * NumberOfStds, MinThreshold)
| extend Dummy = 1
| join kind=innerunique (GitLabRepositoryDestroyEvents
| where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))
| summarize CountInRunTime = count() by bin(TimeGenerated, BinTime)
| extend Dummy = 1) on Dummy
| project-away Dummy
| where CountInRunTime > LearningThreshold

description: |
    'This hunting queries identify an unusual increase of repo deletion activities adversaries may want to disrupt availability or compromise integrity by deleting business data.'
kind: Scheduled
tactics:
- Impact
requiredDataConnectors:
- connectorId: SyslogAma
  dataTypes:
  - Syslog
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_Repo_Deletion.yaml
severity: Medium
name: GitLab - Abnormal number of repositories deleted
triggerThreshold: 0
queryPeriod: 1d
query: |
  let LearningPeriod = 7d;
  let BinTime = 1h;
  let RunTime = 1h;
  let StartTime = 1h;
  let NumberOfStds = 3;
  let MinThreshold = 10.0;
  let EndRunTime = StartTime - RunTime;
  let EndLearningTime = StartTime + LearningPeriod;
  let GitLabRepositoryDestroyEvents = (GitLabAudit
  | where RemoveAction == "project" or RemoveAction == "repository");
  GitLabRepositoryDestroyEvents
  | where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))
  | summarize count() by bin(TimeGenerated, BinTime)
  | summarize AvgInLearning = avg(count_), StdInLearning = stdev(count_)
  | extend LearningThreshold = max_of(AvgInLearning + StdInLearning * NumberOfStds, MinThreshold)
  | extend Dummy = 1
  | join kind=innerunique (GitLabRepositoryDestroyEvents
  | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))
  | summarize CountInRunTime = count() by bin(TimeGenerated, BinTime)
  | extend Dummy = 1) on Dummy
  | project-away Dummy
  | where CountInRunTime > LearningThreshold  
relevantTechniques:
- T1485
id: 3efd09bd-a582-4410-b7ec-5ff21cfad7bd
queryFrequency: 1h
status: Available
triggerOperator: gt
version: 1.0.1
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPAddress
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: AuthorName
    identifier: FullName