GitLab - Personal Access Tokens creation over time

// l_min_tokens_created - minimum tokens created per repository per user per day to consider
let l_min_tokens_created = 0;
let interval = 1d;
GitLabAudit
| where TargetType == "PersonalAccessToken"
| project Severity, TimeGenerated = bin(todatetime(EventTime),1d), AuthorName, IPAddress, Repository = EntityName, Action, TargetType
| summarize total = count() by Repository, TimeGenerated, AuthorName
| where total >= l_min_tokens_created

relevantTechniques:
- T1213
entityMappings:
- fieldMappings:
  - columnName: AuthorName
    identifier: FullName
  entityType: Account
triggerThreshold: 0
description: |
  'This queries GitLab Audit Logs for access tokens. Attacker can exfiltrate data from you GitLab repository after gaining access to it by generating or hijacking access tokens. 
  This hunting queries allows you to track the personal access tokens creation for each of your repositories. 
  The visualization allow you to quickly identify anomalies/excessive creation, to further investigate repo access & permissions.'  
requiredDataConnectors:
- connectorId: SyslogAma
  dataTypes:
  - Syslog
triggerOperator: gt
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_PAT_Repo.yaml
id: 4d6d8b0e-6d9a-4857-a141-f5d89393cddb
queryFrequency: 1h
query: |
  // l_min_tokens_created - minimum tokens created per repository per user per day to consider
  let l_min_tokens_created = 0;
  let interval = 1d;
  GitLabAudit
  | where TargetType == "PersonalAccessToken"
  | project Severity, TimeGenerated = bin(todatetime(EventTime),1d), AuthorName, IPAddress, Repository = EntityName, Action, TargetType
  | summarize total = count() by Repository, TimeGenerated, AuthorName
  | where total >= l_min_tokens_created  
severity: Medium
status: Available
queryPeriod: 1d
name: GitLab - Personal Access Tokens creation over time
tactics:
- Collection
kind: Scheduled