Multiple GitLab OTP attempts denied

This rule is part of a beta feature. To learn more, contact Support.
gitlab

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1621-multi-factor-authentication-request-generation

Set up the gitlab integration.

Goal

Detects multiple failed GitLab OTP authentication attempts that may indicate brute force attacks against user accounts. Alerts when users experience repeated OTP failures, account lockouts, or suspicious authentication patterns.

Strategy

This rule monitors GitLab audit events for failed OTP authentication attempts through login_failed_with_otp_authentication events, user account lockouts via user_access_locked, and successful authentication activities. The rule creates different severity levels based on the authentication pattern: high severity for multiple failures followed by successful login (indicating potential account compromise), medium severity for account lockouts (indicating sustained attack attempts), and low severity for repeated failures without success.

Triage & Response

  • Examine the failed OTP attempts for {{@usr.name}} to determine if the authentication failures align with legitimate user behavior or indicate malicious activity.
  • If the user did not make the observed authentication attempts:
    • Rotate user credentials
    • Confirm that no successful authentication attempts have been made.
    • Investigate the source IP: {{@network.client.ip}} to determine if the IP address has taken other actions.