GitLab - Abnormal number of repositories deleted

Back


Id	3efd09bd-a582-4410-b7ec-5ff21cfad7bd
Rulename	GitLab - Abnormal number of repositories deleted
Description	This hunting queries identify an unusual increase of repo deletion activities adversaries may want to disrupt availability or compromise integrity by deleting business data.
Severity	Medium
Tactics	Impact
Techniques	T1485
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_Repo_Deletion.yaml
Version	1.0.1
Arm template	3efd09bd-a582-4410-b7ec-5ff21cfad7bd.json

KQL

let LearningPeriod = 7d;
let BinTime = 1h;
let RunTime = 1h;
let StartTime = 1h;
let NumberOfStds = 3;
let MinThreshold = 10.0;
let EndRunTime = StartTime - RunTime;
let EndLearningTime = StartTime + LearningPeriod;
let GitLabRepositoryDestroyEvents = (GitLabAudit
| where RemoveAction == "project" or RemoveAction == "repository");
GitLabRepositoryDestroyEvents
| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))
| summarize count() by bin(TimeGenerated, BinTime)
| summarize AvgInLearning = avg(count_), StdInLearning = stdev(count_)
| extend LearningThreshold = max_of(AvgInLearning + StdInLearning * NumberOfStds, MinThreshold)
| extend Dummy = 1
| join kind=innerunique (GitLabRepositoryDestroyEvents
| where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))
| summarize CountInRunTime = count() by bin(TimeGenerated, BinTime)
| extend Dummy = 1) on Dummy
| project-away Dummy
| where CountInRunTime > LearningThreshold

YAML

triggerOperator: gt
queryFrequency: 1h
requiredDataConnectors:
- connectorId: SyslogAma
  dataTypes:
  - Syslog
relevantTechniques:
- T1485
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AuthorName
query: |
  let LearningPeriod = 7d;
  let BinTime = 1h;
  let RunTime = 1h;
  let StartTime = 1h;
  let NumberOfStds = 3;
  let MinThreshold = 10.0;
  let EndRunTime = StartTime - RunTime;
  let EndLearningTime = StartTime + LearningPeriod;
  let GitLabRepositoryDestroyEvents = (GitLabAudit
  | where RemoveAction == "project" or RemoveAction == "repository");
  GitLabRepositoryDestroyEvents
  | where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))
  | summarize count() by bin(TimeGenerated, BinTime)
  | summarize AvgInLearning = avg(count_), StdInLearning = stdev(count_)
  | extend LearningThreshold = max_of(AvgInLearning + StdInLearning * NumberOfStds, MinThreshold)
  | extend Dummy = 1
  | join kind=innerunique (GitLabRepositoryDestroyEvents
  | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))
  | summarize CountInRunTime = count() by bin(TimeGenerated, BinTime)
  | extend Dummy = 1) on Dummy
  | project-away Dummy
  | where CountInRunTime > LearningThreshold  
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_Repo_Deletion.yaml
queryPeriod: 1d
name: GitLab - Abnormal number of repositories deleted
status: Available
kind: Scheduled
description: |
    'This hunting queries identify an unusual increase of repo deletion activities adversaries may want to disrupt availability or compromise integrity by deleting business data.'
id: 3efd09bd-a582-4410-b7ec-5ff21cfad7bd
version: 1.0.1
tactics:
- Impact
severity: Medium

ARM