Multiple GitLab OTP attempts denied

This rule is part of a beta feature. To learn more, contact Support.

Set up the gitlab integration.


Goal

Detects multiple failed GitLab OTP authentication attempts that may indicate brute force attacks against user accounts. Alerts when users experience repeated OTP failures, account lockouts, or suspicious authentication patterns.

Strategy

This rule monitors GitLab audit events for failed OTP authentication attempts (login_failed_with_otp_authentication events), user account lockouts (user_access_locked events), and successful authentications. It assigns a severity based on the observed pattern: high when multiple failures are followed by a successful login (a possible account compromise), medium for an account lockout (a sustained attack attempt), and low for repeated failures with no subsequent success.
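The following is an added illustration of that severity logic, not the rule's own query: it groups constructed sample audit events per user and assigns high, medium or low as described above. The event names `login_failed_with_otp_authentication` and `user_access_locked` come from the page; the success event name `authentication_succeeded`, the field names, and the failure threshold are assumptions.

```python
from collections import defaultdict

FAILED_OTP = "login_failed_with_otp_authentication"   # from the page
LOCKED = "user_access_locked"                         # from the page
SUCCESS = "authentication_succeeded"                  # assumed event name

# Constructed sample audit events (not real data); field names are assumed.
SAMPLE_EVENTS = [
    {"ts": 1, "event": FAILED_OTP, "user": "alice", "ip": "203.0.113.5"},
    {"ts": 2, "event": FAILED_OTP, "user": "alice", "ip": "203.0.113.5"},
    {"ts": 3, "event": FAILED_OTP, "user": "alice", "ip": "203.0.113.5"},
    {"ts": 4, "event": SUCCESS,    "user": "alice", "ip": "203.0.113.5"},
    {"ts": 1, "event": FAILED_OTP, "user": "bob",   "ip": "198.51.100.7"},
    {"ts": 2, "event": LOCKED,     "user": "bob",   "ip": "198.51.100.7"},
    {"ts": 1, "event": FAILED_OTP, "user": "carol", "ip": "192.0.2.9"},
    {"ts": 2, "event": FAILED_OTP, "user": "carol", "ip": "192.0.2.9"},
    {"ts": 3, "event": FAILED_OTP, "user": "carol", "ip": "192.0.2.9"},
    {"ts": 1, "event": SUCCESS,    "user": "dave",  "ip": "192.0.2.10"},
]


def classify(events, threshold=3):
    """Return {user: {"severity": ..., "source_ips": [...]}} for users
    whose OTP activity matches one of the rule's three patterns."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # order matters
        by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        failures, locked, success_after_failures = 0, False, False
        for e in evs:
            if e["event"] == FAILED_OTP:
                failures += 1
            elif e["event"] == LOCKED:
                locked = True
            # Only a success that comes AFTER enough failures is suspicious.
            elif e["event"] == SUCCESS and failures >= threshold:
                success_after_failures = True

        if success_after_failures:
            severity = "high"      # failures then success: possible compromise
        elif locked:
            severity = "medium"    # lockout: sustained attempt
        elif failures >= threshold:
            severity = "low"       # repeated failures, no success
        else:
            continue               # normal activity, no finding
        ips = sorted({e["ip"] for e in evs})
        findings[user] = {"severity": severity, "source_ips": ips}
    return findings
```

Each finding carries the source IPs seen for that user so the triage step below can pivot on {{@network.client.ip}}.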

Triage & Response

  • Examine the failed OTP attempts for {{@usr.name}} to determine if the authentication failures align with legitimate user behavior or indicate malicious activity.
  • If the user did not make the observed authentication attempts:
    • Rotate user credentials.
    • Confirm that no successful authentication attempts have been made.
    • Investigate the source IP: {{@network.client.ip}} to determine if the IP address has taken other actions.