GitLab - Repository visibility to Public

Back


Id	8b291c3d-90ba-4ebf-af2c-0283192d430e
Rulename	GitLab - Repository visibility to Public
Description	This query leverages GitLab Audit Logs. A repository in GitLab changed visibility from Private or Internal to Public which could indicate compromise, error or misconfiguration leading to exposing the repository to the public.
Severity	Medium
Tactics	Persistence DefenseEvasion CredentialAccess
Techniques	T1556
Required data connectors	Syslog
Kind	Scheduled
Query frequency	1h
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_RepoVisibilityChange.yaml
Version	1.0.0
Arm template	8b291c3d-90ba-4ebf-af2c-0283192d430e.json

KQL

GitLabAudit
| where SourceVisibility != "Public" and ChangeType == "visibility" and TargetVisibility == "Public"
| project TimeGenerated, EventTime, IPAddress, AuthorName, ChangeType, TargetType, SourceVisibility,  TargetVisibility, EntityName

YAML

queryPeriod: 1d
version: 1.0.0
relevantTechniques:
- T1556
queryFrequency: 1h
kind: Scheduled
name: GitLab - Repository visibility to Public
id: 8b291c3d-90ba-4ebf-af2c-0283192d430e
entityMappings:
- fieldMappings:
  - columnName: IPAddress
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: AuthorName
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: EntityName
    identifier: Url
  entityType: URL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_RepoVisibilityChange.yaml
severity: Medium
query: |
  GitLabAudit
  | where SourceVisibility != "Public" and ChangeType == "visibility" and TargetVisibility == "Public"
  | project TimeGenerated, EventTime, IPAddress, AuthorName, ChangeType, TargetType, SourceVisibility,  TargetVisibility, EntityName  
tactics:
- Persistence
- DefenseEvasion
- CredentialAccess
description: |
    'This query leverages GitLab Audit Logs. A repository in GitLab changed visibility from Private or Internal to Public which could indicate compromise, error or misconfiguration leading to exposing the repository to the public.'
requiredDataConnectors:
- connectorId: Syslog
  dataTypes:
  - Syslog
status: Available
triggerThreshold: 0
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8b291c3d-90ba-4ebf-af2c-0283192d430e')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8b291c3d-90ba-4ebf-af2c-0283192d430e')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "GitLab - Repository visibility to Public",
        "description": "'This query leverages GitLab Audit Logs. A repository in GitLab changed visibility from Private or Internal to Public which could indicate compromise, error or misconfiguration leading to exposing the repository to the public.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "GitLabAudit\n| where SourceVisibility != \"Public\" and ChangeType == \"visibility\" and TargetVisibility == \"Public\"\n| project TimeGenerated, EventTime, IPAddress, AuthorName, ChangeType, TargetType, SourceVisibility,  TargetVisibility, EntityName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence",
          "DefenseEvasion",
          "CredentialAccess"
        ],
        "techniques": [
          "T1556"
        ],
        "alertRuleTemplateName": "8b291c3d-90ba-4ebf-af2c-0283192d430e",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPAddress"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AuthorName"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Url",
                "columnName": "EntityName"
              }
            ],
            "entityType": "URL"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_RepoVisibilityChange.yaml",
        "status": "Available",
        "templateVersion": "1.0.0"
      }
    }
  ]
}