This rule queries GitLab audit logs for user impersonation. A malicious operator or a compromised admin account could leverage GitLab's impersonation feature to change code or repository settings, bypassing the usual processes. This hunting query allows you to track the audit actions performed under impersonation.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | GitLab |
| ID | 0f4f16a2-b464-4c10-9a42-993da3e15a40 |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | Persistence |
| Techniques | T1078 |
| Required Connectors | SyslogAma |
| Source | View on GitHub |
This content item queries data from the following tables:

| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| Syslog | `Facility == "local7"`<br>`ProcessName == "GitLab-Audit-Logs"` | ✓ | ✓ | ? |