GitLab project visibility changed
Goal
Detects when the visibility level of a GitLab project is changed. Changes to public visibility may expose sensitive code and data to unauthorized users.
Strategy
This rule monitors the project_visibility_level_updated GitLab audit event. The detection tracks when users modify project visibility settings, which can include changes that make previously private or internal projects publicly accessible.
Triage & Response
- Verify if {{@usr.name}} had legitimate authorization to change the project visibility settings.
- Examine the specific project that was modified and determine if it contains sensitive code or data that should not be publicly accessible.
- Review the project’s previous visibility level to understand the scope of the exposure change.
- Check if the visibility change aligns with documented business requirements or approved change requests.
- Determine if any sensitive information, credentials, or proprietary code may have been inadvertently exposed through the visibility change.
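The following is an added example, not part of the rule or of Datadog's or GitLab's own code: a triage helper that reads exported audit events, keeps only project_visibility_level_updated, and ranks each change by how much it widened exposure relative to the previous level. The sample events are constructed, and the field names (event_type, author_name, entity_path, details.from, details.to) are assumptions about the export layout.

```python
import json

# GitLab visibility levels, ordered from least to most exposed.
EXPOSURE = {"private": 0, "internal": 1, "public": 2}
RANK = {"high": 0, "review": 1, "medium": 2, "info": 3}

# Constructed sample events (JSON lines). The field layout is an assumption
# for illustration, not a documented GitLab or Datadog schema.
SAMPLE_EVENTS = """\
{"event_type": "project_visibility_level_updated", "author_name": "alice", "entity_path": "acme/payments-api", "details": {"from": "Private", "to": "Public"}}
{"event_type": "project_visibility_level_updated", "author_name": "bob", "entity_path": "acme/docs", "details": {"from": "Public", "to": "Internal"}}
{"event_type": "project_visibility_level_updated", "author_name": "carol", "entity_path": "acme/infra", "details": {"from": "Private", "to": "Internal"}}
{"event_type": "project_name_updated", "author_name": "dave", "entity_path": "acme/tools", "details": {"from": "tool", "to": "tools"}}
{"event_type": "project_visibility_level_updated", "author_name": "erin", "entity_path": "acme/legacy", "details": {"to": "Public"}}
"""

def classify(event):
    """Return a triage record for a visibility change, else None."""
    if not isinstance(event, dict) or event.get("event_type") != "project_visibility_level_updated":
        return None
    details = event.get("details")
    details = details if isinstance(details, dict) else {}
    old = str(details.get("from", "")).strip().lower()
    new = str(details.get("to", "")).strip().lower()
    if new not in EXPOSURE:
        severity = "review"  # new level unreadable: needs a human look
    elif EXPOSURE.get(old, 0) >= EXPOSURE[new]:
        severity = "info"    # exposure reduced or unchanged
    else:
        # Widened. An unknown previous level is treated as private (worst case).
        severity = "high" if new == "public" else "medium"
    return {"user": event.get("author_name"), "project": event.get("entity_path"),
            "from": old or "unknown", "to": new or "unknown", "severity": severity}

def triage(text):
    """Classify every JSON line and return findings, most severe first."""
    findings = []
    for line in text.splitlines():
        try:
            record = classify(json.loads(line))
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting
        if record:
            findings.append(record)
    return sorted(findings, key=lambda r: RANK[r["severity"]])

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:<6} {f['project']}: {f['from']} -> {f['to']} by {f['user']}")
```

An event with no recorded previous level is ranked as if the project had been private, so a missing field cannot hide a change to public.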