GitLab group access token created

This rule is part of a beta feature. To learn more, contact Support.

Set up the GitLab integration.

Goal

Detects when a user creates a group access token in GitLab. Group access tokens provide programmatic access to perform actions for groups and manage the projects within the group.

Strategy

This rule monitors GitLab audit events where @evt.name is group_access_token_created. The detection includes threat intelligence correlation to identify token creation from known suspicious IP addresses. Group access tokens grant API access to GitLab groups and their associated projects, making them valuable for attackers seeking to maintain persistent access to source code repositories and CI/CD pipelines.

Triage & Response

  • Verify if {{@usr.name}} has legitimate business justification for creating a group access token and appropriate permissions to do so.
  • Review the scope and permissions granted to the newly created token to ensure they align with the user’s role and responsibilities.
  • Examine the IP address and user agent associated with the token creation to identify any suspicious access patterns.
  • Check if the token creation coincides with other suspicious activities from the same user account or IP address.
  • Validate that the user account creating the token has not been compromised by reviewing recent authentication and activity logs.
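The following is an added example, not Datadog's rule implementation or GitLab code. It reimplements the Strategy above as stand-alone Python: it selects audit events whose `@evt.name` is `group_access_token_created`, correlates the client IP against a threat-intelligence set, and attaches the context the Triage & Response steps ask for (user, IP, user agent, token scopes). The event field names other than `@evt.name` and `@usr.name` (`network.client.ip`, `http.useragent`, `target.name`, `target.scopes`) are assumptions about how the events are flattened, the sample events and the threat-intel address (a TEST-NET-3 placeholder) are constructed, and the "broad scopes" list used to add a triage note is an assumption rather than a GitLab or Datadog definition.

```python
# Added example: a stand-alone reimplementation of the detection strategy
# described on this page, run over constructed sample events. Not the
# Datadog rule's own code.
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed sample GitLab audit events, flattened into Datadog-style
# attributes. Only evt.name and usr.name come from the page; the other
# field names are assumptions.
SAMPLE_EVENTS = [
    {
        "evt": {"name": "group_access_token_created"},
        "usr": {"name": "alice"},
        "network": {"client": {"ip": "198.51.100.7"}},
        "http": {"useragent": "Mozilla/5.0"},
        "target": {"name": "ci-deploy-token", "scopes": ["read_api"]},
    },
    {
        "evt": {"name": "project_access_token_created"},  # different event, must not match
        "usr": {"name": "bob"},
        "network": {"client": {"ip": "198.51.100.8"}},
        "http": {"useragent": "Mozilla/5.0"},
    },
    {
        "evt": {"name": "group_access_token_created"},
        "usr": {"name": "mallory"},
        "network": {"client": {"ip": "203.0.113.45"}},
        "http": {"useragent": "python-requests/2.31"},
        "target": {"name": "backup", "scopes": ["api", "write_repository"]},
    },
]

# Constructed threat-intel feed: a TEST-NET-3 placeholder, not a real indicator.
SUSPICIOUS_IPS = {"203.0.113.45"}

# Assumed list of scopes worth a triage note because they allow broad API or
# repository writes; adjust to your own policy.
BROAD_SCOPES = {"api", "write_repository"}


def get_attr(event, dotted, default=None):
    """Resolve a Datadog-style dotted attribute such as 'network.client.ip'."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def normalize_ip(raw):
    """Return a canonical IP string, or None if the value is not a valid address."""
    try:
        return str(ip_address(raw))
    except (ValueError, TypeError):
        return None


@dataclass
class Finding:
    user: str
    client_ip: str
    user_agent: str
    token_name: str
    scopes: list
    threat_intel_match: bool
    severity: str
    triage_notes: list = field(default_factory=list)


def evaluate(event, suspicious_ips):
    """Apply the rule to one event; return a Finding, or None if it does not match."""
    if get_attr(event, "evt.name") != "group_access_token_created":
        return None
    ip = normalize_ip(get_attr(event, "network.client.ip"))
    ti_hit = ip is not None and ip in suspicious_ips
    scopes = list(get_attr(event, "target.scopes", []))
    notes = []
    if ti_hit:
        notes.append("source IP matches threat intelligence")
    if BROAD_SCOPES.intersection(scopes):
        notes.append("token carries broad API/write scopes; confirm with the token owner")
    if ip is None:
        notes.append("client IP missing or unparseable; check the raw audit event")
    return Finding(
        user=get_attr(event, "usr.name", "<unknown>"),
        client_ip=ip or "<unknown>",
        user_agent=get_attr(event, "http.useragent", "<unknown>"),
        token_name=get_attr(event, "target.name", "<unknown>"),
        scopes=scopes,
        threat_intel_match=ti_hit,
        severity="high" if ti_hit else "medium",
        triage_notes=notes,
    )


def run(events, suspicious_ips=SUSPICIOUS_IPS):
    """Evaluate every event and return the findings in input order."""
    return [f for f in (evaluate(e, suspicious_ips) for e in events) if f is not None]


if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.user} created '{f.token_name}' from {f.client_ip} "
              f"({f.user_agent}); notes: {'; '.join(f.triage_notes) or 'none'}")
```

Running the block prints one finding per matching event: alice's token creation from a clean IP is reported at medium severity with no notes, the project-level token event is ignored, and mallory's creation from the threat-intel address is raised to high with notes about both the IP match and the broad scopes. Severity escalation on the threat-intel hit mirrors the correlation the Strategy section describes; the scope note exists so the first two triage bullets can be answered from the finding itself.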