GitLab password reset from suspicious IP
Set up the GitLab integration.
Goal
Detects when a GitLab user requests a password reset from an IP address flagged as suspicious or malicious.
Strategy
This rule monitors `password_reset_requested` audit events where the source IP address is flagged as suspicious or malicious. Password reset requests from known malicious IP addresses may indicate account takeover attempts, credential stuffing attacks, or reconnaissance activities by threat actors attempting to gain unauthorized access to GitLab accounts.
Triage & Response
- Verify if the password reset request for {{@usr.name}} was initiated by the legitimate account owner through analysis of previous IP addresses and user agents. Verify with the user directly, if needed.
- Review authentication logs for {{@usr.name}} to identify any successful login attempts from the same suspicious IP address.
- Check for any recent suspicious activities or access patterns associated with the user account prior to the password reset request.
- Determine if the password reset was completed and if any unauthorized access occurred to the GitLab account.
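The following is an added example, not code from the page or from Datadog, showing the detection logic from the Strategy section together with the second triage step (correlating the reset request with later successful logins from the same flagged IP) run over a constructed JSON-lines audit log. The `usr.name` attribute comes from the page; `evt.name`, `evt.outcome`, `network.client.ip` and the `timestamp` field are assumed names for how the integration maps GitLab's audit fields, and `SUSPICIOUS_NETWORKS` is a constructed stand-in for the threat-intelligence feed that flags an IP as suspicious.

```python
import ipaddress
import json
from datetime import datetime

# Constructed sample audit log in JSON-lines form. "usr.name" is on the page;
# the other field names are an assumption about the integration's attribute mapping.
SAMPLE_AUDIT_LOG = """\
{"timestamp": "2024-05-01T10:00:00Z", "evt.name": "password_reset_requested", "usr.name": "alice", "network.client.ip": "198.51.100.7"}
{"timestamp": "2024-05-01T10:01:00Z", "evt.name": "password_reset_requested", "usr.name": "bob", "network.client.ip": "192.0.2.10"}
{"timestamp": "2024-05-01T10:02:00Z", "evt.name": "password_reset_requested", "usr.name": "carol", "network.client.ip": "203.0.113.9"}
{"timestamp": "2024-05-01T10:03:00Z", "evt.name": "project_created", "usr.name": "mallory", "network.client.ip": "198.51.100.7"}
{"timestamp": "2024-05-01T10:05:00Z", "evt.name": "user_login", "evt.outcome": "success", "usr.name": "alice", "network.client.ip": "198.51.100.7"}
{"timestamp": "2024-05-01T10:06:00Z", "evt.name": "user_login", "evt.outcome": "failure", "usr.name": "carol", "network.client.ip": "203.0.113.9"}
{"timestamp": "2024-05-01T09:50:00Z", "evt.name": "user_login", "evt.outcome": "success", "usr.name": "alice", "network.client.ip": "192.0.2.44"}
"""

# Constructed stand-in for a threat-intel feed of suspicious/malicious IPs (assumption).
# Entries are networks so that single hosts and whole ranges can both be flagged.
SUSPICIOUS_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.9/32")]


def parse_events(raw):
    """Parse JSON lines into event dicts, converting the timestamp to a datetime."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["timestamp"] = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
        events.append(event)
    return events


def is_suspicious(ip, networks=SUSPICIOUS_NETWORKS):
    """True if the IP falls inside any flagged network; malformed IPs are never flagged."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def detect_suspicious_resets(events, networks=SUSPICIOUS_NETWORKS):
    """The rule itself: password_reset_requested events whose source IP is flagged."""
    alerts = []
    for event in events:
        if event.get("evt.name") != "password_reset_requested":
            continue
        ip = event.get("network.client.ip", "")
        if is_suspicious(ip, networks):
            alerts.append({"user": event["usr.name"], "ip": ip, "time": event["timestamp"]})
    return alerts


def followup_logins(events, alert):
    """Triage step: successful logins by the same user from the same flagged IP after the reset request."""
    return [
        e for e in events
        if e.get("evt.name") == "user_login"
        and e.get("evt.outcome") == "success"
        and e.get("usr.name") == alert["user"]
        and e.get("network.client.ip") == alert["ip"]
        and e["timestamp"] >= alert["time"]
    ]


def triage_report(raw=SAMPLE_AUDIT_LOG):
    """Map each alerted user to the flagged IP and the count of later successful logins from it."""
    events = parse_events(raw)
    report = {}
    for alert in detect_suspicious_resets(events):
        report[alert["user"]] = {
            "ip": alert["ip"],
            "successful_logins_after_reset": len(followup_logins(events, alert)),
        }
    return report


if __name__ == "__main__":
    for user, info in triage_report().items():
        print(f"{user}: reset requested from {info['ip']}, "
              f"{info['successful_logins_after_reset']} successful login(s) from that IP afterwards")
```

On the constructed log, alice and carol trigger the rule (bob's request comes from an unflagged IP, and mallory's event from a flagged IP is not a reset request); only alice has a later successful login from the flagged IP, which is the case a responder would escalate first under the triage steps above.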