GitLab password reset from suspicious IP

This rule is part of a beta feature. To learn more, contact Support.

Set up the gitlab integration.

Goal

Detects when a GitLab user requests a password reset from an IP address flagged as suspicious or malicious.

Strategy

This rule monitors password_reset_requested audit events where the source IP address is flagged as suspicious or malicious. Password reset requests from known malicious IP addresses may indicate account takeover attempts, credential stuffing attacks, or reconnaissance activities by threat actors attempting to gain unauthorized access to GitLab accounts.

Triage & Response

  • Verify if the password reset request for {{@usr.name}} was initiated by the legitimate account owner through analysis of previous IP addresses and user agents. Verify with the user directly, if needed.
  • Review authentication logs for {{@usr.name}} to identify any successful login attempts from the same suspicious IP address.
  • Check for any recent suspicious activities or access patterns associated with the user account prior to the password reset request.
  • Determine if the password reset was completed and if any unauthorized access occurred to the GitLab account.
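As an added illustration of the detection logic in the Strategy section and of the follow-up login check in the triage steps above (example code, not Datadog's or GitLab's own implementation; the event field names and the flagged-network list are constructed assumptions standing in for GitLab's audit schema and the threat-intelligence enrichment):

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed GitLab-style audit events; field names are assumptions, not the
# exact audit_json.log schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "event_name": "password_reset_requested",
     "usr_name": "alice", "ip": "203.0.113.7"},
    {"ts": "2024-05-01T10:04:00Z", "event_name": "authentication_success",
     "usr_name": "alice", "ip": "203.0.113.7"},
    {"ts": "2024-05-01T11:00:00Z", "event_name": "password_reset_requested",
     "usr_name": "bob", "ip": "198.51.100.4"},
    {"ts": "2024-05-01T11:02:00Z", "event_name": "authentication_success",
     "usr_name": "bob", "ip": "198.51.100.4"},
]

# Constructed stand-in for the enrichment that marks an IP as suspicious or
# malicious; a real rule consumes a threat-intel feed rather than a static list.
FLAGGED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_ts(ts):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_flagged(ip, networks=FLAGGED_NETWORKS):
    """True if the source IP falls inside any flagged network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def detect_reset_from_flagged_ip(events, networks=FLAGGED_NETWORKS):
    """Return password_reset_requested events whose source IP is flagged."""
    return [e for e in events
            if e["event_name"] == "password_reset_requested"
            and is_flagged(e["ip"], networks)]


def followup_logins(events, alert, window_minutes=60):
    """Triage helper: successful logins by the same user from the same flagged
    IP within window_minutes after the reset request."""
    start = parse_ts(alert["ts"])
    end = start + timedelta(minutes=window_minutes)
    return [e for e in events
            if e["event_name"] == "authentication_success"
            and e["usr_name"] == alert["usr_name"]
            and e["ip"] == alert["ip"]
            and start < parse_ts(e["ts"]) <= end]
```

Running `detect_reset_from_flagged_ip(SAMPLE_EVENTS)` on the constructed data alerts only on alice's request, and `followup_logins` then surfaces the login from the same flagged address four minutes later.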