GitLab password reset from suspicious IP

This rule is part of a beta feature. To learn more, contact Support.

Set up the GitLab integration.


Goal

Detects when a GitLab user requests a password reset from an IP address flagged as suspicious or malicious.

Strategy

This rule monitors password_reset_requested audit events where the source IP address is flagged as suspicious or malicious. Password reset requests from known malicious IP addresses may indicate account takeover attempts, credential stuffing attacks, or reconnaissance activities by threat actors attempting to gain unauthorized access to GitLab accounts.

Triage & Response

  • Verify whether the password reset request for {{@usr.name}} was initiated by the legitimate account owner by comparing the source IP address and user agent with the user's previous ones. Confirm with the user directly if needed.
  • Review authentication logs for {{@usr.name}} to identify any successful login attempts from the same suspicious IP address.
  • Check for any recent suspicious activities or access patterns associated with the user account prior to the password reset request.
  • Determine if the password reset was completed and if any unauthorized access occurred to the GitLab account.
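The detection described under Strategy, together with the second triage step (looking for successful logins from the same suspicious IP), as an added example that is not part of the original rule page or of the GitLab integration. It evaluates constructed GitLab-style audit log lines against a constructed flagged-IP list (RFC 5737 test ranges); the field names `event_name`, `usr_name`, `ip_address`, `ts` and the event name `user_login_succeeded` are assumptions, not GitLab's documented schema.

```python
"""Added example: flag password_reset_requested events whose source IP is on a
suspicious-IP list, then correlate each hit with later successful logins for the
same user from the same IP. All field names, event names, IPs and log lines below
are constructed assumptions for illustration."""
import json
from ipaddress import ip_address, ip_network

# Constructed stand-in for a threat-intelligence feed of flagged networks
SUSPICIOUS_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]

# Constructed audit log lines (JSON per line); one malformed line is included on purpose
SAMPLE_LOG_LINES = [
    '{"ts": 1, "event_name": "password_reset_requested", "usr_name": "alice", "ip_address": "203.0.113.45"}',
    '{"ts": 2, "event_name": "password_reset_requested", "usr_name": "bob", "ip_address": "192.0.2.10"}',
    '{"ts": 3, "event_name": "user_login_succeeded", "usr_name": "alice", "ip_address": "203.0.113.45"}',
    '{"ts": 4, "event_name": "user_login_succeeded", "usr_name": "alice", "ip_address": "192.0.2.77"}',
    '{"ts": 5, "event_name": "password_reset_requested", "usr_name": "carol", "ip_address": "198.51.100.7"}',
    '{"ts": 6, "event_name": "user_login_succeeded", "usr_name": "carol", "ip_address": "192.0.2.5"}',
    'not json at all',
]


def is_suspicious(ip: str) -> bool:
    """True if the IP lies in any flagged network; unparsable IPs are treated as not flagged."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in SUSPICIOUS_NETWORKS)


def parse_events(lines):
    """Parse JSON audit lines, skipping malformed ones instead of failing the whole batch."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict):
            events.append(ev)
    return events


def detect_flagged_password_resets(events):
    """Rule logic: password_reset_requested events whose source IP is flagged."""
    return [
        ev for ev in events
        if ev.get("event_name") == "password_reset_requested"
        and is_suspicious(str(ev.get("ip_address", "")))
    ]


def correlate_logins(events, findings):
    """Triage step: for each finding, later successful logins by the same user from the same IP."""
    followups = {}
    for f in findings:
        followups[f["usr_name"]] = [
            ev for ev in events
            if ev.get("event_name") == "user_login_succeeded"
            and ev.get("usr_name") == f["usr_name"]
            and ev.get("ip_address") == f["ip_address"]
            and ev.get("ts", 0) > f.get("ts", 0)
        ]
    return followups


def run(lines=SAMPLE_LOG_LINES):
    """Run detection and correlation over a batch of log lines; returns (findings, followups)."""
    events = parse_events(lines)
    findings = detect_flagged_password_resets(events)
    return findings, correlate_logins(events, findings)


if __name__ == "__main__":
    findings, followups = run()
    for f in findings:
        n = len(followups[f["usr_name"]])
        print(f"ALERT user={f['usr_name']} reset_from={f['ip_address']} later_logins_same_ip={n}")
```

A finding with one or more follow-up logins from the same flagged IP (alice above) is the case that warrants treating the account as potentially taken over; a finding with none (carol) still needs the remaining triage steps, since the reset may have completed from a different address.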