GitLab new administrator added
Set up the gitlab integration.
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Goal
Detects when a new administrator is added to a GitLab organization.
Strategy
This rule monitors the user_admin_status_updated and admin_role_assigned_to_user GitLab audit events. These events indicate when user accounts are granted administrative privileges within the GitLab organization. Administrator access provides extensive control over repositories, user management, security settings, and organizational configurations, making unauthorized privilege escalation a significant security concern.
Triage & Response
- Verify if the administrator privilege assignment for
{{@usr.name}} was authorized through proper change management processes. - Check for any suspicious activity from the newly elevated administrator account following the privilege grant.
- Validate that the timing of the privilege escalation aligns with legitimate business requirements or personnel changes.
