// Detection logic: one GitLab SSO identity with successful Entra ID sign-ins
// from more than `locationCountMin` distinct Location values in the queried
// window. Output columns (User, CountOfLocations, Locations) are the rule's
// interface — `User` feeds the Account entity mapping — so they are kept.
let locationCountMin = 1;
let appRegistrationName = "GitLab";
SigninLogs
// Successful (ResultType 0) sign-ins to the GitLab app registration that
// carry a Location; the three predicates are independent, so a single
// where clause is equivalent to chaining them.
| where AppDisplayName == appRegistrationName
    and ResultType == 0
    and Location != ""
| summarize
    CountOfLocations = dcount(Location),   // distinct locations per identity
    Locations = make_set(Location)          // kept for analyst context
    by User = Identity
// With locationCountMin = 1 this fires on two or more distinct locations.
| where CountOfLocations > locationCountMin
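# Microsoft Sentinel scheduled analytic rule (Solutions/GitLab).
# Alerts when one Entra ID identity has successful SSO sign-ins to the
# "GitLab" app registration from more than `locationCountMin` distinct
# Location values inside one queryPeriod (1d), evaluated every queryFrequency (1h).
# Indentation below restores the nesting the extracted copy had lost:
# entityMappings is a list of {fieldMappings: [...], entityType}, and the
# description/query block scalars must be indented under their keys.
entityMappings:
  - fieldMappings:
      - columnName: User        # `User` is the summarize-by alias of Identity in the query
        identifier: FullName
    entityType: Account
severity: Medium
name: GitLab - SSO - Sign-Ins Burst
triggerThreshold: 0             # with triggerOperator gt: any row returned raises an alert
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_SignInBurst.yaml
id: 57b1634b-531d-4eab-a456-8b855887428f
kind: Scheduled
status: Available
queryFrequency: 1h
relevantTechniques:
  - T1110
description: |
  'This query relies on Microsoft Entra ID sign-in activity when Microsoft Entra ID is used for SSO with GitLab to highlights GitLab accounts associated with multiple authentications from different geographical locations in a short space of time.'
# Query body is kept verbatim; it only counts distinct Location values per
# identity, so with locationCountMin = 1 two locations in the window trigger.
# NOTE(review): the Location field comes straight from SigninLogs — confirm its
# granularity before tuning; legitimate travel or changing egress points may
# surface here, so the threshold is a tuning knob rather than a fixed value.
query: |
  let locationCountMin = 1;
  let appRegistrationName = "GitLab";
  SigninLogs
  | where AppDisplayName == appRegistrationName
  | where ResultType == 0
  | where Location != ""
  | summarize CountOfLocations = dcount(Location), Locations = make_set(Location) by User = Identity
  | where CountOfLocations > locationCountMin
version: 1.0.1
tactics:
  - CredentialAccess
queryPeriod: 1d                 # the 1d lookback is the "short space of time" the description refers to
requiredDataConnectors:
  - dataTypes:
      - SigninLogs
    connectorId: AzureActiveDirectory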