GitLab group access token created

This rule is part of a beta feature. To learn more, contact Support.

Set up the GitLab integration.

Goal

Detects when a user creates a group access token in GitLab. Group access tokens provide programmatic access to a group and to every project within it, so each new token is a new credential with group-wide reach.

Strategy

This rule monitors GitLab audit events where @evt.name is group_access_token_created. The detection includes threat intelligence correlation to flag token creation from known suspicious IP addresses. A group access token authenticates to the GitLab API and to Git over HTTPS with the role and scopes chosen at creation time, without an interactive login or MFA prompt, which makes it a convenient way for an attacker who has taken over a group owner or maintainer account to keep persistent access to source code repositories and CI/CD pipelines after the original session is gone.
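As an added illustration (not part of the original rule or of Datadog's own implementation), the following script applies the same logic to a few constructed audit events: it keeps only events whose evt.name is group_access_token_created, then checks the client IP against a small constructed threat-intelligence list of addresses and CIDR ranges. The nested field layout (usr.name, network.client.ip, http.useragent, gitlab.entity_path) mirrors the attribute names shown in this page but is an assumption about how the events look after ingestion, and all sample lines and indicator addresses are made up from documentation ranges.

```python
import ipaddress
import json

# Constructed sample events in an assumed Datadog-normalized layout; not real GitLab logs.
SAMPLE_LOG_LINES = [
    json.dumps({"evt": {"name": "group_access_token_created"},
                "usr": {"name": "alice"},
                "network": {"client": {"ip": "203.0.113.10"}},
                "http": {"useragent": "Mozilla/5.0 (X11; Linux x86_64)"},
                "gitlab": {"entity_type": "Group", "entity_path": "platform/infra"}}),
    # A project-level token creation: a different event name, so it is not matched here.
    json.dumps({"evt": {"name": "project_access_token_created"},
                "usr": {"name": "alice"},
                "network": {"client": {"ip": "203.0.113.10"}},
                "gitlab": {"entity_type": "Project", "entity_path": "platform/infra/api"}}),
    json.dumps({"evt": {"name": "group_access_token_created"},
                "usr": {"name": "bob"},
                "network": {"client": {"ip": "198.51.100.77"}},
                "http": {"useragent": "python-requests/2.31.0"},
                "gitlab": {"entity_type": "Group", "entity_path": "finance"}}),
    json.dumps({"evt": {"name": "user_login"},
                "usr": {"name": "bob"},
                "network": {"client": {"ip": "198.51.100.77"}}}),
    "this line is not JSON and must be skipped, not crash the detector",
]

# Constructed threat-intel indicators: a /24 range and a single host.
SUSPICIOUS_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("192.0.2.5/32"),
]


def get(event, path, default=None):
    """Return a nested attribute by dotted path, e.g. 'network.client.ip'."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def ip_matches_threat_intel(ip_str, networks):
    """True if ip_str parses as an IP and falls inside any indicator network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        # Missing or malformed client IP: no match, but the event is still reported.
        return False
    return any(ip in net for net in networks)


def detect(log_lines, networks=SUSPICIOUS_NETWORKS):
    """Emit one finding per group_access_token_created event, enriched with TI status."""
    findings = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if get(event, "evt.name") != "group_access_token_created":
            continue
        ip = get(event, "network.client.ip", "")
        ti_match = ip_matches_threat_intel(ip, networks)
        findings.append({
            "user": get(event, "usr.name", "unknown"),
            "group": get(event, "gitlab.entity_path", "unknown"),
            "ip": ip,
            "user_agent": get(event, "http.useragent", ""),
            "threat_intel_match": ti_match,
            # Escalate when the source IP is a known indicator.
            "severity": "high" if ti_match else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG_LINES):
        print(json.dumps(finding))
```

Running it yields two findings: alice's token creation at medium severity, and bob's at high severity because 198.51.100.77 falls in the indicator range. The user agent is carried along so a scripted client can be spotted during triage.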

Triage & Response

  • Verify if {{@usr.name}} has legitimate business justification for creating a group access token and appropriate permissions to do so.
  • Review the scopes, role (access level) and expiration date granted to the newly created token to ensure they align with the user's role and responsibilities, and revoke the token if it is broader or longer-lived than the stated purpose requires.
  • Examine the IP address and user agent associated with the token creation to identify any suspicious access patterns.
  • Check if the token creation coincides with other suspicious activities from the same user account or IP address.
  • Validate that the user account creating the token has not been compromised by reviewing recent authentication and activity logs.