let isAdmin = true;
GitLabAudit
| where AuthenticationType == "standard" and ((isAdmin and TargetDetails contains "Administrator") or (isAdmin==false));
relevantTechniques:
- T1110
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_LocalAuthNoMFA.yaml
query: |
let isAdmin = true;
GitLabAudit
| where AuthenticationType == "standard" and ((isAdmin and TargetDetails contains "Administrator") or (isAdmin==false));
description: |
'This query checks GitLab Audit Logs to see if a user authenticated without MFA. Ot might mean that MFA was disabled for the GitLab server or that an external authentication provider was bypassed. This rule focuses on 'admin' privileges but the parameter can be adapted to also include all users.'
requiredDataConnectors:
- connectorId: SyslogAma
dataTypes:
- Syslog
triggerOperator: gt
entityMappings:
- entityType: IP
fieldMappings:
- columnName: IPAddress
identifier: Address
- entityType: Account
fieldMappings:
- columnName: AuthorUserName
identifier: FullName
name: GitLab - Local Auth - No MFA
queryPeriod: 1d
triggerThreshold: 0
id: e0b45487-5c79-482d-8ac0-695de8c031af
status: Available
kind: Scheduled
severity: Medium
queryFrequency: 1h
tactics:
- CredentialAccess
version: 1.0.1
