let isAdmin = true;
GitLabAudit
| where AuthenticationType == "standard" and ((isAdmin and TargetDetails contains "Administrator") or (isAdmin==false));
version: 1.0.1
id: e0b45487-5c79-482d-8ac0-695de8c031af
relevantTechniques:
- T1110
requiredDataConnectors:
- connectorId: SyslogAma
dataTypes:
- Syslog
triggerOperator: gt
entityMappings:
- fieldMappings:
- columnName: IPAddress
identifier: Address
entityType: IP
- fieldMappings:
- columnName: AuthorUserName
identifier: FullName
entityType: Account
name: GitLab - Local Auth - No MFA
queryFrequency: 1h
triggerThreshold: 0
description: |
'This query checks GitLab Audit Logs to see if a user authenticated without MFA. Ot might mean that MFA was disabled for the GitLab server or that an external authentication provider was bypassed. This rule focuses on 'admin' privileges but the parameter can be adapted to also include all users.'
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitLab/Analytic Rules/GitLab_LocalAuthNoMFA.yaml
queryPeriod: 1d
severity: Medium
kind: Scheduled
tactics:
- CredentialAccess
query: |
let isAdmin = true;
GitLabAudit
| where AuthenticationType == "standard" and ((isAdmin and TargetDetails contains "Administrator") or (isAdmin==false));
