GitLab - Local Auth - No MFA

let isAdmin = true;
GitLabAudit
| where AuthenticationType == "standard" and ((isAdmin and TargetDetails contains "Administrator") or (isAdmin==false));

kind: Scheduled
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPAddress
    identifier: Address
- entityType: Account
  fieldMappings:
  - columnName: AuthorUserName
    identifier: FullName
description: |
    'This query checks GitLab Audit Logs to see if a user authenticated without MFA. Ot might mean that MFA was disabled for the GitLab server or that an external authentication provider was bypassed. This rule focuses on 'admin' privileges but the parameter can be adapted to also include all users.'
severity: Medium
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1110
status: Available
tactics:
- CredentialAccess
name: GitLab - Local Auth - No MFA
id: e0b45487-5c79-482d-8ac0-695de8c031af
query: |
  let isAdmin = true;
  GitLabAudit
  | where AuthenticationType == "standard" and ((isAdmin and TargetDetails contains "Administrator") or (isAdmin==false));  
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: SyslogAma
version: 1.0.1
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_LocalAuthNoMFA.yaml
queryPeriod: 1d

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e0b45487-5c79-482d-8ac0-695de8c031af')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e0b45487-5c79-482d-8ac0-695de8c031af')]",
      "properties": {
        "alertRuleTemplateName": "e0b45487-5c79-482d-8ac0-695de8c031af",
        "customDetails": null,
        "description": "'This query checks GitLab Audit Logs to see if a user authenticated without MFA. Ot might mean that MFA was disabled for the GitLab server or that an external authentication provider was bypassed. This rule focuses on 'admin' privileges but the parameter can be adapted to also include all users.'\n",
        "displayName": "GitLab - Local Auth - No MFA",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AuthorUserName",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_LocalAuthNoMFA.yaml",
        "query": "let isAdmin = true;\nGitLabAudit\n| where AuthenticationType == \"standard\" and ((isAdmin and TargetDetails contains \"Administrator\") or (isAdmin==false));\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}