let isAdmin = true;
GitLabAudit
| where AuthenticationType == "standard" and ((isAdmin and TargetDetails contains "Administrator") or (isAdmin==false));
queryFrequency: 1h
entityMappings:
- entityType: IP
fieldMappings:
- columnName: IPAddress
identifier: Address
- entityType: Account
fieldMappings:
- columnName: AuthorUserName
identifier: FullName
severity: Medium
triggerThreshold: 0
relevantTechniques:
- T1110
query: |
let isAdmin = true;
GitLabAudit
| where AuthenticationType == "standard" and ((isAdmin and TargetDetails contains "Administrator") or (isAdmin==false));
id: e0b45487-5c79-482d-8ac0-695de8c031af
triggerOperator: gt
version: 1.0.0
requiredDataConnectors:
- connectorId: Syslog
dataTypes:
- Syslog
description: |
'This query checks GitLab Audit Logs to see if a user authenticated without MFA. Ot might mean that MFA was disabled for the GitLab server or that an external authentication provider was bypassed. This rule focuses on 'admin' privileges but the parameter can be adapted to also include all users.'
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_LocalAuthNoMFA.yaml
status: Available
name: GitLab - Local Auth - No MFA
tactics:
- CredentialAccess
kind: Scheduled
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e0b45487-5c79-482d-8ac0-695de8c031af')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e0b45487-5c79-482d-8ac0-695de8c031af')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "GitLab - Local Auth - No MFA",
"description": "'This query checks GitLab Audit Logs to see if a user authenticated without MFA. Ot might mean that MFA was disabled for the GitLab server or that an external authentication provider was bypassed. This rule focuses on 'admin' privileges but the parameter can be adapted to also include all users.'\n",
"severity": "Medium",
"enabled": true,
"query": "let isAdmin = true;\nGitLabAudit\n| where AuthenticationType == \"standard\" and ((isAdmin and TargetDetails contains \"Administrator\") or (isAdmin==false));\n",
"queryFrequency": "PT1H",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess"
],
"techniques": [
"T1110"
],
"alertRuleTemplateName": "e0b45487-5c79-482d-8ac0-695de8c031af",
"customDetails": null,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPAddress"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AuthorUserName"
}
]
}
],
"status": "Available",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_LocalAuthNoMFA.yaml",
"templateVersion": "1.0.0"
}
}
]
}