GitLab deploy token created

This rule is part of a beta feature. To learn more, contact Support.
gitlab

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

Set up the gitlab integration.

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detects creation of deploy tokens in GitLab repositories. Deploy tokens provide programmatic access to repositories and can be abused by attackers for persistent access to code and CI/CD systems.

Strategy

This rule monitors GitLab audit events where @evt.name is deploy_token_created. Deploy tokens are authentication credentials that allow automated systems or scripts to access GitLab repositories without user credentials. While legitimate for CI/CD pipelines and automated deployments, unauthorized deploy token creation can indicate an attacker establishing persistence after compromising a GitLab account. The rule includes enhanced detection for tokens created from IP addresses flagged by threat intelligence as suspicious or malicious.

Triage & Response

  • Verify if {{@usr.name}} has a legitimate business need to create a deploy token for the affected repository.
  • Review the deploy token permissions and scope to determine what level of access was granted.
  • Check if the token creation originated from a known IP address or if it matches the user’s typical access patterns.
  • Examine recent GitLab activity for {{@usr.name}} to identify any other suspicious actions or account compromise indicators.
  • Validate that the deploy token is being used for authorized automated processes and not for unauthorized repository access.