GitLab personal access token generated
Goal
Detects when a user creates a personal access token in GitLab. Personal access tokens provide programmatic access to perform actions on behalf of the user.
Strategy
This rule monitors GitLab audit events where @evt.name is personal_access_token_created. Personal access tokens grant API access to GitLab resources accessible by the connected user, making them valuable for attackers seeking to maintain persistent access to source code repositories and CI/CD pipelines.
Triage & Response
- Identify the {{@usr.name}} associated with the activity.
- Review the scope and permissions granted to the newly created token to ensure they align with the user’s role and responsibilities.
- Examine the IP address and user agent associated with the token creation to identify any suspicious access patterns.
- Check if the token creation coincides with other suspicious activities from the same user account or IP address.
- Validate that the user account creating the token has not been compromised by reviewing recent authentication and activity logs.
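The rule's filter and the first triage checks can be sketched over exported audit events; this is an added example, not part of the original rule. Only `evt.name` and `usr.name` come from the rule; the `ts`, `ip` and `scopes` fields and all sample events are constructed for illustration.

```python
# Constructed sample audit events. evt.name and usr.name match the rule;
# ts, ip and scopes are assumed field names, not a documented schema.
SAMPLE_EVENTS = [
    {"ts": 1, "evt": {"name": "user_login"}, "usr": {"name": "alice"},
     "ip": "198.51.100.7"},
    {"ts": 2, "evt": {"name": "personal_access_token_created"},
     "usr": {"name": "alice"}, "ip": "198.51.100.7",
     "scopes": ["read_repository"]},
    {"ts": 3, "evt": {"name": "user_login"}, "usr": {"name": "bob"},
     "ip": "203.0.113.9"},
    {"ts": 4, "evt": {"name": "personal_access_token_created"},
     "usr": {"name": "alice"}, "ip": "203.0.113.9",
     "scopes": ["api", "write_repository"]},
]

# GitLab token scopes that allow write or administrative actions.
BROAD_SCOPES = {"api", "write_repository", "sudo"}


def triage_token_creations(events):
    """Return one finding per token-creation event, with triage context
    derived only from events that happened earlier in the stream."""
    ips_by_user = {}   # usr.name -> IPs seen in earlier events
    users_by_ip = {}   # ip -> usr.names seen in earlier events
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, ip = e["usr"]["name"], e["ip"]
        known_ips = ips_by_user.setdefault(user, set())
        ip_users = users_by_ip.setdefault(ip, set())
        if e["evt"]["name"] == "personal_access_token_created":
            findings.append({
                "user": user,
                "ip": ip,
                # Token created from an address this user never used before
                "new_ip_for_user": ip not in known_ips,
                # Scopes that go beyond read-only access
                "broad_scopes": sorted(set(e.get("scopes", [])) & BROAD_SCOPES),
                # Other accounts previously active from the same address
                "other_users_on_ip": sorted(ip_users - {user}),
            })
        known_ips.add(ip)
        ip_users.add(user)
    return findings


if __name__ == "__main__":
    for finding in triage_token_creations(SAMPLE_EVENTS):
        print(finding)
```

A finding that combines a new IP, broad scopes and another account on the same address is the one to review first.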