GitLab user changes associated email

This rule is part of a beta feature. To learn more, contact Support.

Set up the GitLab integration.


Goal

Detects when a GitLab user changes their associated email address and then signs in using the new email.

Strategy

This rule monitors the user_email_changed_and_user_signed_in GitLab audit event. Email address changes can be used by attackers to maintain persistence after compromising an account.

Triage and response

  • Verify if {{@usr.name}} has a legitimate business reason to change their email address in GitLab.
  • Review authentication logs around the time of the email change to identify any unusual access patterns or geographic anomalies.
  • Examine recent GitLab activity for the user account to determine if any unauthorized actions were performed after the email change.
  • Validate that the new email address belongs to the organization’s domain or is otherwise authorized for use.
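
The last triage step can be scripted. The following is an added example, not part of the rule or of GitLab's or the vendor's code: it filters exported events for user_email_changed_and_user_signed_in and checks the new address against an allowlist using an exact domain match, so lookalike domains are not accepted. The field names (event_name, user, new_email), the allowlist and the sample events are assumptions constructed for illustration; map them to the fields in your own logs.

```python
# Added example. Field names (event_name, user, new_email) are assumptions,
# not GitLab's audit event schema; the allowlist and events are constructed.
EVENT = "user_email_changed_and_user_signed_in"
ALLOWED_DOMAINS = {"example.com"}


def email_domain(address):
    """Return the lower-cased domain of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.rstrip(".").lower()
    if not sep or not local or not domain or "@" in local:
        return None
    return domain


def domain_allowed(domain, allowed=ALLOWED_DOMAINS, include_subdomains=False):
    """Exact match, or a dot-anchored suffix match when subdomains are allowed."""
    if domain in allowed:
        return True
    # Anchoring on "." keeps "notexample.com" from matching "example.com".
    return include_subdomains and any(domain.endswith("." + d) for d in allowed)


def triage(events, allowed=ALLOWED_DOMAINS):
    """Return (user, new_email, reason) for each email change needing review."""
    findings = []
    for ev in events:
        if ev.get("event_name") != EVENT:
            continue
        new_email = ev.get("new_email") or ""
        domain = email_domain(new_email)
        if domain is None:
            findings.append((ev.get("user"), new_email, "malformed address"))
        elif not domain_allowed(domain, allowed):
            findings.append((ev.get("user"), new_email, "domain not in allowlist"))
    return findings


SAMPLE_EVENTS = [  # constructed events
    {"event_name": EVENT, "user": "alice", "new_email": "alice@example.com"},
    {"event_name": EVENT, "user": "bob", "new_email": "bob@example.com.attacker.test"},
    {"event_name": EVENT, "user": "carol", "new_email": "carol@notexample.com"},
    {"event_name": EVENT, "user": "dave", "new_email": "Dave@EXAMPLE.COM"},
    {"event_name": "other_event", "user": "erin", "new_email": "erin@other.test"},
]

if __name__ == "__main__":
    for user, email, reason in triage(SAMPLE_EVENTS):
        print(f"{user}: {email} ({reason})")
```

A substring or unanchored suffix check would accept the second and third sample addresses; the exact match flags both.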