This alert gets triggered when an artifact is created on a threshold of 5. Impact An adversary could use the artifact to exfiltrate sensitive data such as user credentials or confidential business data. Mitigation To mitigate implement strict network segmentation and use isolation mechanisms such as containers or virtual machines that can limit the potential impact of artifact-based attacks. It is also recommended to maintain backups of important data and to encrypt sensitive information to prevent it from being accessed in case of a security breach. MITRE Tactic: TA0003 MITRE Technique: T1098

This alert gets triggered when RSS memory limit is exceeded. Impact An adversary may attempt to intentionally exceed the RSS memory limit to cause a denial of service (DoS) attack, making the GitLab instance unavailable to legitimate users. Mitigation To mitigate these risks, it is important to regularly monitor the GitLab instance for any unusual activity, and implement appropriate security measures such as limiting resource usage, maintaining backups, and implementing access controls. MITRE Tactic: TA0040 MITRE Technique: T1496

This alert gets triggered when active record connection gets established. Impact With an active connection, the adversary may be able to modify or delete data within the database, leading to data loss, corruption, or disruption of business operations. Depending on the level of access granted by the established connection, the adversary may be able to access sensitive data such as user credentials, financial information, or confidential business data. Mitigation To mitigate these risks, it is important to implement strong access controls to limit the ability of adversaries to establish connections and grant access to sensitive data. Regularly monitoring the database for unusual activity, setting up alerts for unauthorized connections, and using encryption to protect data in transit can also help prevent attacks. Additionally, regularly updating the database software and ensuring that all security patches are applied promptly can help to address any known security vulnerabilities. MITRE Tactic: TA0003 MITRE Technique: T1037

This alert gets triggered when an artifact is deleted. Impact An adversary may delete artifacts in order to cover up their tracks after exfiltrating sensitive data or gaining unauthorized access to the GitLab instance. Mitigation To mitigate these risks, it is important to implement strong access controls, such as two-factor authentication and limiting permissions, to prevent unauthorized deletion of artifacts. Regularly monitoring artifacts for unusual activity and using automated security testing tools can also help to detect and prevent artifact-based attacks. MITRE Tactic: TA0005 MITRE Technique: T1578

This alert gets triggered when a switch database connection is created. Impact With a database switch connection, the adversary may be able to modify or delete data within the database, leading to data loss, corruption, or disruption of business operations. If the adversary can execute SQL queries or other code through the established connection, they may be able to perform injection attacks to further compromise the database or execute arbitrary code on the server. Mitigation To mitigate these risks, it is important to implement strong access controls to limit the ability of adversaries to establish database switch connections and grant access to sensitive data. Implementing network segmentation and using isolation mechanisms such as containers or virtual machines can limit the potential impact of database-based attacks. MITRE Tactic: TA0003 MITRE Technique: T1098

This alert gets triggered when a downstream pipeline is created. Impact The adversary may be able to execute arbitrary code on the system running the downstream pipeline, potentially leading to the compromise of the entire GitLab instance and its associated resources. Adversaries may add malicious code to the downstream pipeline's dependencies, which can lead to further compromise of the system or exfiltration of sensitive data. Mitigation To mitigate these risks, it is important to implement strong access controls, such as two-factor authentication and limiting permissions, to prevent unauthorized access to pipelines. Regularly monitoring pipelines for unusual activity, scanning dependencies for known vulnerabilities and using automated security testing tools can also help to detect and prevent pipeline-based attacks. MITRE Tactic: TA0003 MITRE Technique: T1098

This alert gets triggered when a pipeline is authorised. Impact The adversary may be able to execute arbitrary code on the system running the pipeline, potentially leading to the compromise of the entire GitLab instance and its associated resources. Mitigation To mitigate these risks, it is important to implement strong access controls, such as two-factor authentication and limiting permissions, to prevent unauthorized access to pipelines. Regularly monitoring pipelines for unusual activity and using automated security testing tools can also help to detect and prevent pipeline-based attacks. Additionally, implementing strict network segmentation and using isolation mechanisms such as containers or virtual machines can limit the potential impact of pipeline-based attacks. MITRE Tactic: TA0006 MITRE Technique: T1078

This rule detects if there are no logs in the last 24 hours for GitLab in the customer account. Note- This alert should configured with relevant app & subsystem. Impact Disabling logging is a tactic that adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations. Mitigation Address logging concerns to ensure comprehensive monitoring within the Coralogix SIEM system. MITRE Tactic: TA0005 MITRE Technique:T1562