---
title: GitLab deploy token created
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > OOTB Rules > GitLab deploy token created
---

# GitLab deploy token created

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}

- Classification: attack
- Tactic: [TA0003-persistence](https://attack.mitre.org/tactics/TA0003)
- Technique: [T1098-account-manipulation](https://attack.mitre.org/techniques/T1098)

## Goal{% #goal %}

Detects creation of deploy tokens in GitLab repositories. Deploy tokens provide programmatic access to repositories and can be abused by attackers for persistent access to code and CI/CD systems.

## Strategy{% #strategy %}

This rule monitors GitLab audit events where `@evt.name` is `deploy_token_created`. Deploy tokens are authentication credentials that allow automated systems or scripts to access GitLab repositories without user credentials. While legitimate for CI/CD pipelines and automated deployments, unauthorized deploy token creation can indicate an attacker establishing persistence after compromising a GitLab account. The rule includes enhanced detection for tokens created from IP addresses flagged by threat intelligence as suspicious or malicious.

## Triage & Response{% #triage--response %}

- Verify if `{{@usr.name}}` has a legitimate business need to create a deploy token for the affected repository.
- Review the deploy token permissions and scope to determine what level of access was granted.
- Check if the token creation originated from a known IP address or if it matches the user's typical access patterns.
- Examine recent GitLab activity for `{{@usr.name}}` to identify any other suspicious actions or account compromise indicators.
- Validate that the deploy token is being used for authorized automated processes and not for unauthorized repository access.
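
The strategy and the source-IP triage check above can be rehearsed offline with the following added example, which is not Datadog's rule implementation. The audit events, the flagged-IP set, the `network.client.ip` field path, and the severity labels are all constructed assumptions for illustration.

```python
import json

# Constructed sample audit events (not real GitLab or Datadog output).
# evt.name / usr.name mirror the rule's @evt.name / @usr.name attributes;
# the network.client.ip path is an assumption about where the source IP lands.
SAMPLE_LOGS = """
{"evt": {"name": "user_login"}, "usr": {"name": "alice"}, "network": {"client": {"ip": "198.51.100.10"}}}
{"evt": {"name": "deploy_token_created"}, "usr": {"name": "alice"}, "network": {"client": {"ip": "198.51.100.10"}}}
{"evt": {"name": "user_login"}, "usr": {"name": "bob"}, "network": {"client": {"ip": "198.51.100.20"}}}
not-json
{"evt": {"name": "deploy_token_created"}, "usr": {"name": "bob"}, "network": {"client": {"ip": "192.0.2.44"}}}
{"evt": {"name": "deploy_token_created"}, "usr": {"name": "carol"}, "network": {"client": {"ip": "203.0.113.66"}}}
"""

# Constructed stand-in for a threat-intelligence feed of flagged addresses.
FLAGGED_IPS = {"203.0.113.66"}


def triage(log_text, flagged_ips=FLAGGED_IPS):
    """Return one finding per deploy_token_created event, in log order."""
    seen_ips = {}  # user -> source IPs observed in that user's earlier events
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the run
        user = event.get("usr", {}).get("name", "<unknown>")
        ip = event.get("network", {}).get("client", {}).get("ip")
        known = seen_ips.setdefault(user, set())
        if event.get("evt", {}).get("name") == "deploy_token_created":
            if ip in flagged_ips:
                severity, reason = "high", "source IP flagged by threat intelligence"
            elif ip not in known:
                severity, reason = "medium", "source IP not seen before for this user"
            else:
                severity, reason = "low", "source IP matches earlier activity"
            findings.append({"user": user, "ip": ip, "severity": severity, "reason": reason})
        if ip:
            known.add(ip)  # the current event becomes part of the user's baseline
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```
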
