Multiple GitLab OTP attempts denied
Set up the GitLab integration.
Goal
Detects multiple failed GitLab OTP authentication attempts that may indicate brute-force attacks against user accounts. Alerts when users experience repeated OTP failures, account lockouts, or suspicious authentication patterns.
Strategy
This rule monitors GitLab audit events for failed OTP authentication attempts through login_failed_with_otp_authentication events, user account lockouts via user_access_locked, and successful authentication activities. The rule creates different severity levels based on the authentication pattern: high severity for multiple failures followed by successful login (indicating potential account compromise), medium severity for account lockouts (indicating sustained attack attempts), and low severity for repeated failures without success.
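The severity logic above, worked through on constructed GitLab-style audit events. This is an added example, not the rule's actual query or Datadog's code: it groups events per user, looks for a burst of login_failed_with_otp_authentication events inside a sliding window, then checks what followed the burst. The event name for a successful login (LOGIN_SUCCESS), the failure threshold, and the window length are assumptions; the two failure/lockout event names come from the page.

```python
"""Added example: classify GitLab OTP-failure patterns per user (not the page's own code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event names taken from the page
OTP_FAILED = "login_failed_with_otp_authentication"
ACCOUNT_LOCKED = "user_access_locked"
# ASSUMPTION: placeholder name for a successful-login audit event; GitLab's real name may differ
LOGIN_SUCCESS = "login_succeeded"

FAILURE_THRESHOLD = 5          # ASSUMPTION: tune for your environment
WINDOW = timedelta(minutes=15)  # ASSUMPTION: burst window


def classify_user(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """events: iterable of (timestamp, event_name, client_ip) for ONE user, any order.

    Returns (severity, reason, sorted_ips) or None when there is no burst of
    `threshold` OTP failures inside `window`.
    """
    events = sorted(events, key=lambda e: e[0])
    failure_times = [ts for ts, name, _ in events if name == OTP_FAILED]

    # Sliding window over failures: the first index i where `threshold`
    # consecutive failures all fall within `window` marks a burst.
    burst_start = None
    for i in range(len(failure_times) - threshold + 1):
        if failure_times[i + threshold - 1] - failure_times[i] <= window:
            burst_start = failure_times[i]
            break
    if burst_start is None:
        return None

    # Only events at or after the burst decide severity: a later success means
    # the attacker may have got in, a lockout means the attack was sustained.
    later_names = {name for ts, name, _ in events if ts >= burst_start}
    ips = sorted({ip for ts, name, ip in events if ts >= burst_start})
    if LOGIN_SUCCESS in later_names:
        return ("high", "successful login after repeated OTP failures: possible account compromise", ips)
    if ACCOUNT_LOCKED in later_names:
        return ("medium", "account locked after repeated OTP failures: sustained attack", ips)
    return ("low", "repeated OTP failures without a successful login", ips)


def evaluate(events):
    """events: iterable of (timestamp, user, event_name, client_ip). Returns {user: result}."""
    by_user = defaultdict(list)
    for ts, user, name, ip in events:
        by_user[user].append((ts, name, ip))
    alerts = {}
    for user, user_events in by_user.items():
        result = classify_user(user_events)
        if result is not None:
            alerts[user] = result
    return alerts


# Constructed sample events (TEST-NET addresses, fake users); not real log data.
T0 = datetime(2024, 1, 1, 12, 0, 0)


def at(seconds):
    return T0 + timedelta(seconds=seconds)


SAMPLE_EVENTS = [
    # alice: 5 failures in 40s, then a success from the same IP -> high
    *[(at(10 * i), "alice", OTP_FAILED, "203.0.113.10") for i in range(5)],
    (at(60), "alice", LOGIN_SUCCESS, "203.0.113.10"),
    # bob: 5 failures, then the account is locked -> medium
    *[(at(10 * i), "bob", OTP_FAILED, "198.51.100.7") for i in range(5)],
    (at(50), "bob", ACCOUNT_LOCKED, "198.51.100.7"),
    # carol: 5 failures from two IPs, nothing afterwards -> low
    *[(at(10 * i), "carol", OTP_FAILED, "192.0.2.5" if i % 2 else "192.0.2.6") for i in range(5)],
    # dave: only 2 failures -> below threshold, no alert
    (at(0), "dave", OTP_FAILED, "203.0.113.99"),
    (at(5), "dave", OTP_FAILED, "203.0.113.99"),
    # erin: 5 failures but 15 minutes apart each (1 hour span) -> outside window, no alert
    *[(at(900 * i), "erin", OTP_FAILED, "198.51.100.200") for i in range(5)],
]

if __name__ == "__main__":
    for user, (severity, reason, ips) in evaluate(SAMPLE_EVENTS).items():
        print(f"{severity:6s} {user:6s} {reason} (ips={ips})")
```

The "erin" case shows why the window matters: five failures spread over an hour look like an impatient user re-typing codes, not a brute-force burst, so they stay below the rule's radar while the same count inside 15 minutes does not. The returned IP list is the value a triager would pivot on, matching the {{@network.client.ip}} step in the triage section.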
Triage & Response
- Examine the failed OTP attempts for {{@usr.name}} to determine whether the authentication failures align with legitimate user behavior or indicate malicious activity.
- If the user did not make the observed authentication attempts:
  - Rotate user credentials.
  - Confirm that no successful authentication attempts have been made.
  - Investigate the source IP {{@network.client.ip}} to determine whether the IP address has taken other actions.