GitLab deploy token created

This rule is part of a beta feature. To learn more, contact Support.

Set up the GitLab integration.

Goal

Detects creation of deploy tokens in GitLab repositories. Deploy tokens provide programmatic access to repositories and can be abused by attackers for persistent access to code and CI/CD systems.

Strategy

This rule monitors GitLab audit events where @evt.name is deploy_token_created. Deploy tokens are authentication credentials that allow automated systems or scripts to access GitLab repositories without user credentials. While legitimate for CI/CD pipelines and automated deployments, unauthorized deploy token creation can indicate an attacker establishing persistence after compromising a GitLab account. The rule includes enhanced detection for tokens created from IP addresses flagged by threat intelligence as suspicious or malicious.

Triage & Response

  • Verify if {{@usr.name}} has a legitimate business need to create a deploy token for the affected repository.
  • Review the deploy token permissions and scope to determine what level of access was granted.
  • Check if the token creation originated from a known IP address or if it matches the user’s typical access patterns.
  • Examine recent GitLab activity for {{@usr.name}} to identify any other suspicious actions or account compromise indicators.
  • Validate that the deploy token is being used for authorized automated processes and not for unauthorized repository access.
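As an added example that is not Datadog's rule implementation or GitLab's code, the Python below applies the detection described under Strategy to a handful of constructed, already-normalized audit events and adds the enrichment the triage steps ask for: a threat-intelligence hit on the source IP and a comparison against the user's known addresses. The attribute names (`evt.name`, `usr.name`, `network.client.ip`, `repository`), the threat-intel set and the per-user IP baseline are assumptions made for the example; an audit event that is not a deploy token creation is ignored, and an unparseable source IP is recorded rather than silently dropped.

```python
"""Detection logic for GitLab deploy-token creation events.

Added example, not Datadog's rule code or GitLab's. Assumes audit events
have already been normalized to Datadog-style attribute names (evt.name,
usr.name, network.client.ip, repository); those names are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class Finding:
    user: str
    repository: str
    source_ip: str
    severity: str
    reasons: List[str] = field(default_factory=list)


# Constructed threat-intel list: addresses an intel feed has flagged (sample values).
THREAT_INTEL_IPS: Set[str] = {"203.0.113.7"}

# Constructed baseline: addresses each user has previously been seen from.
KNOWN_USER_IPS: Dict[str, Set[str]] = {
    "ci-bot": {"198.51.100.10"},
    "alice": {"192.0.2.20", "192.0.2.21"},
}


def evaluate_event(
    event: dict,
    threat_intel_ips: Set[str] = THREAT_INTEL_IPS,
    known_user_ips: Dict[str, Set[str]] = KNOWN_USER_IPS,
) -> Optional[Finding]:
    """Return a Finding for a deploy_token_created event, or None otherwise."""
    if event.get("evt.name") != "deploy_token_created":
        return None  # not the event this rule is about

    user = event.get("usr.name", "unknown")
    ip = event.get("network.client.ip", "")
    repo = event.get("repository", "unknown")
    reasons: List[str] = []
    severity = "medium"  # any deploy token creation is worth a look

    # Validate the source address before using it for enrichment.
    try:
        ipaddress.ip_address(ip)
        ip_ok = True
    except ValueError:
        ip_ok = False
        reasons.append("unparseable source IP")

    # Enhanced detection: token created from an address flagged by threat intel.
    if ip_ok and ip in threat_intel_ips:
        severity = "high"
        reasons.append("source IP flagged by threat intelligence")

    # Triage aid: does the address match the user's typical access pattern?
    baseline = known_user_ips.get(user)
    if baseline is None:
        reasons.append("no historical IP baseline for user")
    elif ip_ok and ip not in baseline:
        reasons.append("source IP not in user's known address set")

    return Finding(user, repo, ip, severity, reasons)


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run the rule over a stream of normalized audit events."""
    return [f for f in (evaluate_event(e) for e in events) if f is not None]


# Constructed sample events (not real GitLab output).
SAMPLE_EVENTS = [
    {"evt.name": "deploy_token_created", "usr.name": "ci-bot",
     "network.client.ip": "198.51.100.10", "repository": "org/app"},
    {"evt.name": "project_created", "usr.name": "alice",
     "network.client.ip": "192.0.2.20", "repository": "org/new"},
    {"evt.name": "deploy_token_created", "usr.name": "alice",
     "network.client.ip": "203.0.113.7", "repository": "org/app"},
    {"evt.name": "deploy_token_created", "usr.name": "mallory",
     "network.client.ip": "not-an-ip", "repository": "org/infra"},
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints one finding per deploy token creation: the CI account's token from its usual address carries no extra reasons, the token created from the threat-intel address is raised to high severity and also noted as outside that user's baseline, and the event with a malformed address is kept with the parse failure recorded so an analyst still sees it.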