This query checks GitLab Audit Logs to see if a user authenticated without MFA. It might mean that MFA was disabled for the GitLab server or that an external authentication provider was bypassed. This rule focuses on 'admin' privileges, but the parameter can be adapted to also include all users.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | GitLab |
| ID | e0b45487-5c79-482d-8ac0-695de8c031af |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | CredentialAccess |
| Techniques | T1110 |
| Required Connectors | SyslogAma |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| Syslog | `Facility == "local7"`; `ProcessName == "GitLab-Audit-Logs"` | ✓ | ✓ | ? |