GitLab - Personal Access Tokens creation over time
Id | 4d6d8b0e-6d9a-4857-a141-f5d89393cddb |
Rulename | GitLab - Personal Access Tokens creation over time |
Description | This queries GitLab Audit Logs for access tokens. Attacker can exfiltrate data from you GitLab repository after gaining access to it by generating or hijacking access tokens. This hunting queries allows you to track the personal access tokens creation for each of your repositories. The visualization allow you to quickly identify anomalies/excessive creation, to further investigate repo access & permissions. |
Severity | Medium |
Tactics | Collection |
Techniques | T1213 |
Required data connectors | SyslogAma |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_PAT_Repo.yaml |
Version | 1.0.1 |
Arm template | 4d6d8b0e-6d9a-4857-a141-f5d89393cddb.json |
// l_min_tokens_created - minimum tokens created per repository per user per day to consider
let l_min_tokens_created = 0;
let interval = 1d;
GitLabAudit
| where TargetType == "PersonalAccessToken"
| project Severity, TimeGenerated = bin(todatetime(EventTime),1d), AuthorName, IPAddress, Repository = EntityName, Action, TargetType
| summarize total = count() by Repository, TimeGenerated, AuthorName
| where total >= l_min_tokens_created
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_PAT_Repo.yaml
queryPeriod: 1d
requiredDataConnectors:
- dataTypes:
- Syslog
connectorId: SyslogAma
relevantTechniques:
- T1213
queryFrequency: 1h
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AuthorName
identifier: FullName
kind: Scheduled
query: |
// l_min_tokens_created - minimum tokens created per repository per user per day to consider
let l_min_tokens_created = 0;
let interval = 1d;
GitLabAudit
| where TargetType == "PersonalAccessToken"
| project Severity, TimeGenerated = bin(todatetime(EventTime),1d), AuthorName, IPAddress, Repository = EntityName, Action, TargetType
| summarize total = count() by Repository, TimeGenerated, AuthorName
| where total >= l_min_tokens_created
id: 4d6d8b0e-6d9a-4857-a141-f5d89393cddb
description: |
'This queries GitLab Audit Logs for access tokens. Attacker can exfiltrate data from you GitLab repository after gaining access to it by generating or hijacking access tokens.
This hunting queries allows you to track the personal access tokens creation for each of your repositories.
The visualization allow you to quickly identify anomalies/excessive creation, to further investigate repo access & permissions.'
name: GitLab - Personal Access Tokens creation over time
tactics:
- Collection
version: 1.0.1
severity: Medium
status: Available
triggerThreshold: 0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4d6d8b0e-6d9a-4857-a141-f5d89393cddb')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4d6d8b0e-6d9a-4857-a141-f5d89393cddb')]",
"properties": {
"alertRuleTemplateName": "4d6d8b0e-6d9a-4857-a141-f5d89393cddb",
"customDetails": null,
"description": "'This queries GitLab Audit Logs for access tokens. Attacker can exfiltrate data from you GitLab repository after gaining access to it by generating or hijacking access tokens. \nThis hunting queries allows you to track the personal access tokens creation for each of your repositories. \nThe visualization allow you to quickly identify anomalies/excessive creation, to further investigate repo access & permissions.'\n",
"displayName": "GitLab - Personal Access Tokens creation over time",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AuthorName",
"identifier": "FullName"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_PAT_Repo.yaml",
"query": "// l_min_tokens_created - minimum tokens created per repository per user per day to consider\nlet l_min_tokens_created = 0;\nlet interval = 1d;\nGitLabAudit\n| where TargetType == \"PersonalAccessToken\"\n| project Severity, TimeGenerated = bin(todatetime(EventTime),1d), AuthorName, IPAddress, Repository = EntityName, Action, TargetType\n| summarize total = count() by Repository, TimeGenerated, AuthorName\n| where total >= l_min_tokens_created\n",
"queryFrequency": "PT1H",
"queryPeriod": "P1D",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Collection"
],
"techniques": [
"T1213"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}