Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GitLab - Repository visibility to Public

GitLab - Repository visibility to Public

Back
Id8b291c3d-90ba-4ebf-af2c-0283192d430e
RulenameGitLab - Repository visibility to Public
DescriptionThis query leverages GitLab Audit Logs. A repository in GitLab changed visibility from Private or Internal to Public which could indicate compromise, error or misconfiguration leading to exposing the repository to the public.
SeverityMedium
TacticsPersistence
DefenseEvasion
CredentialAccess
TechniquesT1556
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_RepoVisibilityChange.yaml
Version1.0.1
Arm template8b291c3d-90ba-4ebf-af2c-0283192d430e.json
Deploy To Azure
GitLabAudit
| where SourceVisibility != "Public" and ChangeType == "visibility" and TargetVisibility == "Public"
| project TimeGenerated, EventTime, IPAddress, AuthorName, ChangeType, TargetType, SourceVisibility,  TargetVisibility, EntityName

id: 8b291c3d-90ba-4ebf-af2c-0283192d430e
tactics:
- Persistence
- DefenseEvasion
- CredentialAccess
queryPeriod: 1d
triggerThreshold: 0
name: GitLab - Repository visibility to Public
query: |
  GitLabAudit
  | where SourceVisibility != "Public" and ChangeType == "visibility" and TargetVisibility == "Public"
  | project TimeGenerated, EventTime, IPAddress, AuthorName, ChangeType, TargetType, SourceVisibility,  TargetVisibility, EntityName  
severity: Medium
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1556
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_RepoVisibilityChange.yaml
queryFrequency: 1h
requiredDataConnectors:
- connectorId: SyslogAma
  dataTypes:
  - Syslog
description: |
    'This query leverages GitLab Audit Logs. A repository in GitLab changed visibility from Private or Internal to Public which could indicate compromise, error or misconfiguration leading to exposing the repository to the public.'
status: Available
version: 1.0.1
entityMappings:
- fieldMappings:
  - columnName: IPAddress
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: AuthorName
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: EntityName
    identifier: Url
  entityType: URL

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8b291c3d-90ba-4ebf-af2c-0283192d430e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8b291c3d-90ba-4ebf-af2c-0283192d430e')]",
      "properties": {
        "alertRuleTemplateName": "8b291c3d-90ba-4ebf-af2c-0283192d430e",
        "customDetails": null,
        "description": "'This query leverages GitLab Audit Logs. A repository in GitLab changed visibility from Private or Internal to Public which could indicate compromise, error or misconfiguration leading to exposing the repository to the public.'\n",
        "displayName": "GitLab - Repository visibility to Public",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AuthorName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "EntityName",
                "identifier": "Url"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_RepoVisibilityChange.yaml",
        "query": "GitLabAudit\n| where SourceVisibility != \"Public\" and ChangeType == \"visibility\" and TargetVisibility == \"Public\"\n| project TimeGenerated, EventTime, IPAddress, AuthorName, ChangeType, TargetType, SourceVisibility,  TargetVisibility, EntityName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "DefenseEvasion",
          "Persistence"
        ],
        "techniques": [
          "T1556"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}