Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

GitLab - Abnormal number of repositories deleted

Back
Id3efd09bd-a582-4410-b7ec-5ff21cfad7bd
RulenameGitLab - Abnormal number of repositories deleted
DescriptionThis hunting queries identify an unusual increase of repo deletion activities adversaries may want to disrupt availability or compromise integrity by deleting business data.
SeverityMedium
TacticsImpact
TechniquesT1485
Required data connectorsSyslog
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_Repo_Deletion.yaml
Version1.0.0
Arm template3efd09bd-a582-4410-b7ec-5ff21cfad7bd.json
Deploy To Azure
let LearningPeriod = 7d;
let BinTime = 1h;
let RunTime = 1h;
let StartTime = 1h;
let NumberOfStds = 3;
let MinThreshold = 10.0;
let EndRunTime = StartTime - RunTime;
let EndLearningTime = StartTime + LearningPeriod;
let GitLabRepositoryDestroyEvents = (GitLabAudit
| where RemoveAction == "project" or RemoveAction == "repository");
GitLabRepositoryDestroyEvents
| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))
| summarize count() by bin(TimeGenerated, BinTime)
| summarize AvgInLearning = avg(count_), StdInLearning = stdev(count_)
| extend LearningThreshold = max_of(AvgInLearning + StdInLearning * NumberOfStds, MinThreshold)
| extend Dummy = 1
| join kind=innerunique (GitLabRepositoryDestroyEvents
| where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))
| summarize CountInRunTime = count() by bin(TimeGenerated, BinTime)
| extend Dummy = 1) on Dummy
| project-away Dummy
| where CountInRunTime > LearningThreshold
queryFrequency: 1h
severity: Medium
id: 3efd09bd-a582-4410-b7ec-5ff21cfad7bd
status: Available
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: Syslog
kind: Scheduled
description: |
    'This hunting queries identify an unusual increase of repo deletion activities adversaries may want to disrupt availability or compromise integrity by deleting business data.'
query: |
  let LearningPeriod = 7d;
  let BinTime = 1h;
  let RunTime = 1h;
  let StartTime = 1h;
  let NumberOfStds = 3;
  let MinThreshold = 10.0;
  let EndRunTime = StartTime - RunTime;
  let EndLearningTime = StartTime + LearningPeriod;
  let GitLabRepositoryDestroyEvents = (GitLabAudit
  | where RemoveAction == "project" or RemoveAction == "repository");
  GitLabRepositoryDestroyEvents
  | where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))
  | summarize count() by bin(TimeGenerated, BinTime)
  | summarize AvgInLearning = avg(count_), StdInLearning = stdev(count_)
  | extend LearningThreshold = max_of(AvgInLearning + StdInLearning * NumberOfStds, MinThreshold)
  | extend Dummy = 1
  | join kind=innerunique (GitLabRepositoryDestroyEvents
  | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))
  | summarize CountInRunTime = count() by bin(TimeGenerated, BinTime)
  | extend Dummy = 1) on Dummy
  | project-away Dummy
  | where CountInRunTime > LearningThreshold  
tactics:
- Impact
triggerThreshold: 0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_Repo_Deletion.yaml
relevantTechniques:
- T1485
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AuthorName
version: 1.0.0
name: GitLab - Abnormal number of repositories deleted
queryPeriod: 1d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3efd09bd-a582-4410-b7ec-5ff21cfad7bd')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3efd09bd-a582-4410-b7ec-5ff21cfad7bd')]",
      "properties": {
        "alertRuleTemplateName": "3efd09bd-a582-4410-b7ec-5ff21cfad7bd",
        "customDetails": null,
        "description": "'This hunting queries identify an unusual increase of repo deletion activities adversaries may want to disrupt availability or compromise integrity by deleting business data.'\n",
        "displayName": "GitLab - Abnormal number of repositories deleted",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AuthorName",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_Repo_Deletion.yaml",
        "query": "let LearningPeriod = 7d;\nlet BinTime = 1h;\nlet RunTime = 1h;\nlet StartTime = 1h;\nlet NumberOfStds = 3;\nlet MinThreshold = 10.0;\nlet EndRunTime = StartTime - RunTime;\nlet EndLearningTime = StartTime + LearningPeriod;\nlet GitLabRepositoryDestroyEvents = (GitLabAudit\n| where RemoveAction == \"project\" or RemoveAction == \"repository\");\nGitLabRepositoryDestroyEvents\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\n| summarize count() by bin(TimeGenerated, BinTime)\n| summarize AvgInLearning = avg(count_), StdInLearning = stdev(count_)\n| extend LearningThreshold = max_of(AvgInLearning + StdInLearning * NumberOfStds, MinThreshold)\n| extend Dummy = 1\n| join kind=innerunique (GitLabRepositoryDestroyEvents\n| where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\n| summarize CountInRunTime = count() by bin(TimeGenerated, BinTime)\n| extend Dummy = 1) on Dummy\n| project-away Dummy\n| where CountInRunTime > LearningThreshold\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1485"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}