GitLab project visibility changed

This rule is part of a beta feature. To learn more, contact Support.

Set up the GitLab integration.

Goal

Detects when the visibility level of a GitLab project is changed. Changes to public visibility may expose sensitive code and data to unauthorized users.

Strategy

This rule monitors the project_visibility_level_updated GitLab audit event. The detection tracks when users modify project visibility settings, which can include changes that make previously private or internal projects publicly accessible.

Triage & Response

  • Verify if {{@usr.name}} had legitimate authorization to change the project visibility settings.
  • Examine the specific project that was modified and determine if it contains sensitive code or data that should not be publicly accessible.
  • Review the project’s previous visibility level to understand the scope of the exposure change.
  • Check if the visibility change aligns with documented business requirements or approved change requests.
  • Determine if any sensitive information, credentials, or proprietary code may have been inadvertently exposed through the visibility change.
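
The sketch below is an added example, not the rule's own query or code from the integration. It applies the strategy and triage steps above to constructed audit events, filtering on the event named in the rule and ranking each change by how far it widened exposure. The field names (event_type, author_name, entity_path, details.from/to) and the priority labels are assumptions for illustration.

```python
import json

EVENT_TYPE = "project_visibility_level_updated"
# GitLab's three visibility levels, ordered from least to most exposed.
EXPOSURE = {"private": 0, "internal": 1, "public": 2}

# Constructed sample events; the schema here is assumed, not GitLab's exact payload.
SAMPLE_EVENTS = """
{"event_type": "project_visibility_level_updated", "author_name": "alice", "entity_path": "acme/payments-api", "details": {"from": "Private", "to": "Public"}}
{"event_type": "project_visibility_level_updated", "author_name": "bob", "entity_path": "acme/docs", "details": {"from": "Public", "to": "Internal"}}
{"event_type": "project_name_updated", "author_name": "carol", "entity_path": "acme/tools", "details": {"from": "tool", "to": "tools"}}
{"event_type": "project_visibility_level_updated", "author_name": "dave", "entity_path": "acme/infra", "details": {"from": "Private", "to": "Internal"}}
{"event_type": "project_visibility_level_updated", "author_name": "erin", "entity_path": "acme/legacy", "details": {"to": "Public"}}
"""

def classify(event):
    """Return a triage record for a visibility change, or None for other events."""
    if event.get("event_type") != EVENT_TYPE:
        return None
    details = event.get("details") or {}
    old = str(details.get("from", "")).strip().lower()
    new = str(details.get("to", "")).strip().lower()
    if new not in EXPOSURE:
        priority = "review"   # unrecognized target level: needs a human look
    elif old not in EXPOSURE:
        # Previous level missing: assume the worst case if the result is public.
        priority = "high" if new == "public" else "review"
    elif EXPOSURE[new] <= EXPOSURE[old]:
        priority = "info"     # visibility narrowed or unchanged
    else:
        priority = "high" if new == "public" else "medium"
    return {"user": event.get("author_name", "unknown"),
            "project": event.get("entity_path", "unknown"),
            "from": old or "unknown", "to": new or "unknown",
            "priority": priority}

def triage(raw_lines):
    """Parse JSON lines and return visibility changes, most urgent first."""
    rank = {"high": 0, "medium": 1, "review": 2, "info": 3}
    records = [classify(json.loads(l)) for l in raw_lines.splitlines() if l.strip()]
    return sorted((r for r in records if r), key=lambda r: rank[r["priority"]])

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f'{r["priority"]:<7}{r["user"]:<7}{r["project"]:<20}{r["from"]} -> {r["to"]}')
```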