let isAdmin = true;
GitLabAudit
| where AuthenticationType == "standard" and ((isAdmin and TargetDetails contains "Administrator") or (isAdmin==false));
triggerOperator: gt
queryFrequency: 1h
requiredDataConnectors:
- connectorId: SyslogAma
dataTypes:
- Syslog
relevantTechniques:
- T1110
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPAddress
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AuthorUserName
query: |
let isAdmin = true;
GitLabAudit
| where AuthenticationType == "standard" and ((isAdmin and TargetDetails contains "Administrator") or (isAdmin==false));
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_LocalAuthNoMFA.yaml
queryPeriod: 1d
name: GitLab - Local Auth - No MFA
status: Available
kind: Scheduled
description: |
'This query checks GitLab Audit Logs to see if a user authenticated without MFA. It might mean that MFA was disabled for the GitLab server or that an external authentication provider was bypassed. This rule focuses on 'admin' privileges, but the isAdmin parameter can be adapted to also include all users.'
id: e0b45487-5c79-482d-8ac0-695de8c031af
version: 1.0.1
tactics:
- CredentialAccess
severity: Medium