GitLab project visibility changed

This rule is part of a beta feature. To learn more, contact Support.
gitlab

Classification:

attack

Tactic:

TA0009-collection

Technique:

T1213-data-from-information-repositories

Set up the gitlab integration.

Goal

Detects when the visibility level of a GitLab project is changed. Changes to public visibility may expose sensitive code and data to unauthorized users.

Strategy

This rule monitors the project_visibility_level_updated GitLab audit event. The detection tracks when users modify project visibility settings, which can include changes that make previously private or internal projects publicly accessible.

Triage & Response

  • Verify if {{@usr.name}} had legitimate authorization to change the project visibility settings.
  • Examine the specific project that was modified and determine if it contains sensitive code or data that should not be publicly accessible.
  • Review the project’s previous visibility level to understand the scope of the exposure change.
  • Check if the visibility change aligns with documented business requirements or approved change requests.
  • Determine if any sensitive information, credentials, or proprietary code may have been inadvertently exposed through the visibility change.