Microsoft Sentinel Analytic Rules

GitLab - SSO - Sign-Ins Burst

Id: 57b1634b-531d-4eab-a456-8b855887428f
Rulename: GitLab - SSO - Sign-Ins Burst
Description: This query relies on Microsoft Entra ID sign-in activity when Microsoft Entra ID is used for SSO with GitLab to highlight GitLab accounts associated with multiple authentications from different geographical locations in a short space of time.
Severity: Medium
Tactics: CredentialAccess
Techniques: T1110
Required data connectors: AzureActiveDirectory
Kind: Scheduled
Query frequency: 1h
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_SignInBurst.yaml
Version: 1.0.1
Arm template: 57b1634b-531d-4eab-a456-8b855887428f.json
let locationCountMin = 1;
let appRegistrationName = "GitLab";
SigninLogs
| where AppDisplayName == appRegistrationName
| where ResultType == 0
| where Location != ""
| summarize CountOfLocations = dcount(Location), Locations = make_set(Location) by User = Identity
| where CountOfLocations > locationCountMin
relevantTechniques:
- T1110
entityMappings:
- fieldMappings:
  - columnName: User
    identifier: FullName
  entityType: Account
triggerThreshold: 0
description: |
    'This query relies on Microsoft Entra ID sign-in activity when Microsoft Entra ID is used for SSO with GitLab to highlights GitLab accounts associated with multiple authentications from different geographical locations in a short space of time.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - SigninLogs
triggerOperator: gt
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_SignInBurst.yaml
id: 57b1634b-531d-4eab-a456-8b855887428f
queryFrequency: 1h
query: |
  let locationCountMin = 1;
  let appRegistrationName = "GitLab";
  SigninLogs
  | where AppDisplayName == appRegistrationName
  | where ResultType == 0
  | where Location != ""
  | summarize CountOfLocations = dcount(Location), Locations = make_set(Location) by User = Identity
  | where CountOfLocations > locationCountMin  
severity: Medium
status: Available
queryPeriod: 1d
name: GitLab - SSO - Sign-Ins Burst
tactics:
- CredentialAccess
kind: Scheduled