GitLab new administrator added

This rule is part of a beta feature. To learn more, contact Support.
gitlab

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1098-account-manipulation

Set up the gitlab integration.

Goal

Detects when a new administrator is added to a GitLab organization.

Strategy

This rule monitors the user_admin_status_updated and admin_role_assigned_to_user GitLab audit events. These events indicate when user accounts are granted administrative privileges within the GitLab organization. Administrator access provides extensive control over repositories, user management, security settings, and organizational configurations, making unauthorized privilege escalation a significant security concern.

Triage & Response

  • Verify if the administrator privilege assignment for {{@usr.name}} was authorized through proper change management processes.
  • Check for any suspicious activity from the newly elevated administrator account following the privilege grant.
  • Validate that the timing of the privilege escalation aligns with legitimate business requirements or personnel changes.