Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GitLab - Personal Access Tokens creation over time

GitLab - Personal Access Tokens creation over time

Back
Id4d6d8b0e-6d9a-4857-a141-f5d89393cddb
RulenameGitLab - Personal Access Tokens creation over time
DescriptionThis queries GitLab Audit Logs for access tokens. Attacker can exfiltrate data from you GitLab repository after gaining access to it by generating or hijacking access tokens.

This hunting queries allows you to track the personal access tokens creation for each of your repositories.

The visualization allow you to quickly identify anomalies/excessive creation, to further investigate repo access & permissions.
SeverityMedium
TacticsCollection
TechniquesT1213
Required data connectorsSyslog
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_PAT_Repo.yaml
Version1.0.0
Arm template4d6d8b0e-6d9a-4857-a141-f5d89393cddb.json
Deploy To Azure
// l_min_tokens_created - minimum tokens created per repository per user per day to consider
let l_min_tokens_created = 0;
let interval = 1d;
GitLabAudit
| where TargetType == "PersonalAccessToken"
| project Severity, TimeGenerated = bin(todatetime(EventTime),1d), AuthorName, IPAddress, Repository = EntityName, Action, TargetType
| summarize total = count() by Repository, TimeGenerated, AuthorName
| where total >= l_min_tokens_created

relevantTechniques:
- T1213
name: GitLab - Personal Access Tokens creation over time
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: Syslog
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AuthorName
  entityType: Account
triggerThreshold: 0
id: 4d6d8b0e-6d9a-4857-a141-f5d89393cddb
tactics:
- Collection
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_PAT_Repo.yaml
queryPeriod: 1d
kind: Scheduled
queryFrequency: 1h
severity: Medium
status: Available
description: |
  'This queries GitLab Audit Logs for access tokens. Attacker can exfiltrate data from you GitLab repository after gaining access to it by generating or hijacking access tokens. 
  This hunting queries allows you to track the personal access tokens creation for each of your repositories. 
  The visualization allow you to quickly identify anomalies/excessive creation, to further investigate repo access & permissions.'  
query: |
  // l_min_tokens_created - minimum tokens created per repository per user per day to consider
  let l_min_tokens_created = 0;
  let interval = 1d;
  GitLabAudit
  | where TargetType == "PersonalAccessToken"
  | project Severity, TimeGenerated = bin(todatetime(EventTime),1d), AuthorName, IPAddress, Repository = EntityName, Action, TargetType
  | summarize total = count() by Repository, TimeGenerated, AuthorName
  | where total >= l_min_tokens_created  
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4d6d8b0e-6d9a-4857-a141-f5d89393cddb')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4d6d8b0e-6d9a-4857-a141-f5d89393cddb')]",
      "properties": {
        "alertRuleTemplateName": "4d6d8b0e-6d9a-4857-a141-f5d89393cddb",
        "customDetails": null,
        "description": "'This queries GitLab Audit Logs for access tokens. Attacker can exfiltrate data from you GitLab repository after gaining access to it by generating or hijacking access tokens. \nThis hunting queries allows you to track the personal access tokens creation for each of your repositories. \nThe visualization allow you to quickly identify anomalies/excessive creation, to further investigate repo access & permissions.'\n",
        "displayName": "GitLab - Personal Access Tokens creation over time",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AuthorName",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_PAT_Repo.yaml",
        "query": "// l_min_tokens_created - minimum tokens created per repository per user per day to consider\nlet l_min_tokens_created = 0;\nlet interval = 1d;\nGitLabAudit\n| where TargetType == \"PersonalAccessToken\"\n| project Severity, TimeGenerated = bin(todatetime(EventTime),1d), AuthorName, IPAddress, Repository = EntityName, Action, TargetType\n| summarize total = count() by Repository, TimeGenerated, AuthorName\n| where total >= l_min_tokens_created\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection"
        ],
        "techniques": [
          "T1213"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}