Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

VIEW RULE IN DATADOG VIEW SIGNALS

Goal

Detects when a user creates a personal access token in GitLab. Personal access tokens provide programmatic access to perform actions on behalf of the user.

Strategy

This rule monitors GitLab audit events where @evt.name is personal_access_token_created. Personal access tokens grant API access to GitLab resources accessible by the connected user, making them valuable for attackers seeking to maintain persistent access to source code repositories and CI/CD pipelines.

Triage & Response

• Identify the {{@usr.name}} associated with the activity.
• Review the scope and permissions granted to the newly created token to ensure they align with the user’s role and responsibilities.
• Examine the IP address and user agent associated with the token creation to identify any suspicious access patterns.
• Check if the token creation coincides with other suspicious activities from the same user account or IP address.
• Validate that the user account creating the token has not been compromised by reviewing recent authentication and activity logs.