GitLab new administrator added

This rule is part of a beta feature. To learn more, contact Support.
gitlab

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1098-account-manipulation

Set up the gitlab integration.

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detects when a new administrator is added to a GitLab organization.

Strategy

This rule monitors the user_admin_status_updated and admin_role_assigned_to_user GitLab audit events. These events indicate when user accounts are granted administrative privileges within the GitLab organization. Administrator access provides extensive control over repositories, user management, security settings, and organizational configurations, making unauthorized privilege escalation a significant security concern.

Triage & Response

  • Verify if the administrator privilege assignment for {{@usr.name}} was authorized through proper change management processes.
  • Check for any suspicious activity from the newly elevated administrator account following the privilege grant.
  • Validate that the timing of the privilege escalation aligns with legitimate business requirements or personnel changes.