Enhancing Security Monitoring: Integrating GitLab Cloud Edition with Microsoft Sentinel

Purpose of this Blog:

Microsoft Sentinel has no dedicated data connector for GitLab Cloud Edition, which leaves a gap in security monitoring for organizations that keep their source control there. To close it, we can pull logs from the API endpoints GitLab exposes and bring them into Sentinel. A custom table created through an Azure Monitor Data Collection Endpoint (DCE) and Data Collection Rule (DCR) gives those logs a defined schema that can be queried. An Azure Logic App does the periodic collection, and Azure Key Vault keeps the GitLab credentials out of the workflow definition so they are well protected. This blog walks through the integration end to end so that GitLab activity lands in Sentinel alongside the organization's other telemetry, where it can be used for threat detection and response.

 

What is Covered in this Blog

  1. GitLab Cloud Edition Free Trial Account: setting up a free trial account on GitLab Cloud Edition to get started.
  2. Generating a Personal Access Token (PAT): generating a PAT for accessing the GitLab logs API endpoint.
  3. Leveraging the Personal Access Token in Postman to check the logs.
  4. Azure Monitor Data Collection Rule (DCR) and Data Collection Endpoint (DCE): configuring a DCR and DCE to ingest user events into Microsoft Sentinel via a custom table.
  5. Creating an Azure Logic App: developing a Logic App that fetches logs from GitLab and sends them to Microsoft Sentinel.
  6. Azure Key Vault Integration: storing the API endpoint credentials securely in Azure Key Vault.

  1. GitLab Cloud Edition Free Trial Account:
     Set up a free trial account on GitLab Cloud Edition to get started: Try GitLab for free | GitLab

  2. Steps to Generate a Personal Access Token once you have the GitLab free trial:

     Log in to GitLab:
     Open your web browser and log in to your GitLab account.

     [Screenshot: VipulDabhi_3-1722613389817.png]

     Navigate to User Settings:
       • Click on your profile picture or avatar in the top right corner of the GitLab interface.
       • Select Edit profile from the dropdown menu.

     [Screenshot: VipulDabhi_5-1722613432153.png]

     Access Personal Access Tokens:
       • In the left sidebar, click on Access Tokens.

     [Screenshot: VipulDabhi_6-1722613471673.png]

Add Access Token:

[Screenshot: VipulDabhi_7-1722613532817.png]
While adding the Personal Access Token, provide the scope (permission) the token needs and its expiration date:

[Screenshot: VipulDabhi_8-1722613532830.png]

Copy the Personal Access Token as soon as it is generated; GitLab displays it only once:

[Screenshot: VipulDabhi_9-1722613532837.png]

3. Testing the Personal Access Token in Postman to check log access

While using the trial version of GitLab Cloud, I utilized the events API endpoint to retrieve event logs by following these steps:

The GitLab free trial provides API access to different logs and events. However, access to specific logs such as audit events may be restricted depending on your GitLab subscription. Below is a test case I executed to pull the events that are available via the GitLab API: User Events.

You can retrieve events related to a specific user, such as the activities performed by that user.

API Endpoint:

https://gitlab.com/api/v4/users/:id/events

How to get the ID:

[Screenshot: VipulDabhi_10-1722613719307.png]
Accessing Logs in Postman

To access these logs using Postman, follow these general steps:

Open Postman:
  • Launch Postman and create a new request.

Set Request Method and URL:
  • Set the HTTP method to GET.
  • Enter the API endpoint URL corresponding to the logs you want to retrieve.

Add Authorization Header:
  • Go to the Authorization tab.
  • Select Bearer Token from the Type dropdown.
  • Enter your PAT in the Token field.

Send the Request:
  • Click the Send button.

Example: Retrieve User Events

Set Request Method and URL:

[Screenshot: VipulDabhi_11-1722613847399.png]
4. Data Collection Rule and Data Collection Endpoint to ingest the User Events into Microsoft Sentinel in a Custom Table

Create a DCR-based custom table in the Log Analytics workspace where Sentinel is onboarded:

[Screenshot: VipulDabhi_12-1722613948307.png]

Create a Data Collection Endpoint in advance, before creating the Data Collection Rule:

[Screenshot: VipulDabhi_13-1722613948310.png]

To create a DCE, navigate to Monitor in the global search:

[Screenshot: VipulDabhi_14-1722613948315.png]

Search for Data Collection Endpoint:

[Screenshot: VipulDabhi_15-1722613981143.png]
[Screenshot: VipulDabhi_16-1722613981147.png]
[Screenshot: VipulDabhi_17-1722613981149.png]
[Screenshot: VipulDabhi_18-1722613981152.png]
[Screenshot: VipulDabhi_19-1722613981155.png]

Create the Data Collection Rule after creating the Data Collection Endpoint:

[Screenshot: VipulDabhi_20-1722613981161.png]
You can take the schema either from the official GitLab documentation or from the JSON output you received from the Postman API request:

[Screenshot: VipulDabhi_21-1722613981162.png]

Copy the JSON output from Postman and save it as a .json file as shown below:

[Screenshot: VipulDabhi_22-1722613981175.png]

Upload the JSON file on the schema page of the DCR:

[Screenshot: VipulDabhi_23-1722613981178.png]

If a TimeGenerated field error comes up, change the time field in the JSON as shown:

[Screenshot: VipulDabhi_24-1722614062935.png]
[Screenshot: VipulDabhi_25-1722614062941.png]

Re-upload the JSON file:

[Screenshot: VipulDabhi_26-1722614062945.png]

Review & Create the Data Collection Rule:

[Screenshot: VipulDabhi_27-1722614062946.png]

Rectify any error that is reported; here the error is the use of the reserved keyword id as a column name:

[Screenshot: VipulDabhi_28-1722614062951.png]

Rename that field in the JSON, re-upload the file and save the DCR:

[Screenshot: VipulDabhi_29-1722614062955.png]
[Screenshot: VipulDabhi_30-1722614062959.png]
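The two schema fixes above (the TimeGenerated field and the reserved id column) can be applied to the Postman output in code before it is uploaded, which also surfaces the problem before the DCR wizard rejects the file. The following Python is an added example and not part of the original post or of any GitLab or Microsoft tooling. It assumes that created_at is the field mapped onto TimeGenerated, that the reserved id column is renamed to event_id, that the nested author object is flattened into author_* columns, and that the reserved names other than id are a partial list from our own experience; the sample event is constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample of the Postman output for
# https://gitlab.com/api/v4/users/:id/events, trimmed to a few fields.
SAMPLE_POSTMAN_OUTPUT = [
    {
        "id": 101,
        "project_id": 7,
        "action_name": "pushed to",
        "target_type": None,
        "author_id": 42,
        "created_at": "2024-08-02T14:23:11.000Z",
        "author": {"id": 42, "username": "vdabhi", "name": "Vipul"},
    }
]

# Column names a DCR-based custom table will not accept as-is. 'id' is the one
# the walkthrough ran into; the others are assumptions from our own deployments
# and should be checked against the current Azure Monitor documentation.
RESERVED_COLUMNS = {"id", "tenantid", "type", "_resourceid"}


def reserved_name_problems(record):
    """Top-level keys of one record that collide with a reserved column name."""
    return sorted(k for k in record if k.lower() in RESERVED_COLUMNS)


def to_dcr_record(event, time_field="created_at", id_field="event_id"):
    """Rewrite one GitLab event so the DCR schema page accepts it.

    - created_at becomes TimeGenerated, validated and normalised to UTC
      (the field mapping is our choice; the post only says the time field changes)
    - the reserved 'id' column is renamed to event_id (name is our choice)
    - the nested 'author' object is flattened into author_* columns; when the
      top-level event already has that name (author_id) the top-level value wins
    """
    out = {}
    for key, value in event.items():
        if key == time_field:
            ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
            out["TimeGenerated"] = (ts.astimezone(timezone.utc)
                                    .isoformat().replace("+00:00", "Z"))
        elif key == "id":
            out[id_field] = value
        elif key == "author" and isinstance(value, dict):
            for sub_key, sub_value in value.items():
                flat = f"author_{sub_key}"
                if flat not in event:
                    out[flat] = sub_value
        else:
            out[key] = value
    if "TimeGenerated" not in out:
        raise ValueError(f"event has no '{time_field}' to use as TimeGenerated")
    leftovers = reserved_name_problems(out)
    if leftovers:
        raise ValueError(f"reserved column names still present: {leftovers}")
    return out


def write_schema_sample(events, path):
    """Convert the Postman output and save it as the JSON file to upload
    on the DCR schema page. Returns the converted records."""
    records = [to_dcr_record(e) for e in events]
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(records, fh, indent=2)
    return records


if __name__ == "__main__":
    print("problems before:", reserved_name_problems(SAMPLE_POSTMAN_OUTPUT[0]))
    for rec in write_schema_sample(SAMPLE_POSTMAN_OUTPUT, "gitlab_events_schema.json"):
        print(json.dumps(rec, indent=2))
```

Run it against the full Postman response instead of the constructed sample and upload the resulting gitlab_events_schema.json; any column the DCR wizard still rejects should be added to RESERVED_COLUMNS so the check stays in step with the portal.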

 

 

 

5. Creating an Azure Logic App to fetch the logs from GitLab into Microsoft Sentinel

As a prerequisite, ensure you have the PAT and the required API endpoint URL in place before creating the Logic App:

[Screenshot: VipulDabhi_31-1722614145813.png]

Start with a blank Logic App in Microsoft Sentinel:

[Screenshot: VipulDabhi_32-1722614145816.png]

Create the Logic App on the Consumption plan, with the resource group and the other required settings:

[Screenshot: VipulDabhi_33-1722614145821.png]

Deploy the Logic App:

[Screenshot: VipulDabhi_34-1722614145823.png]

Open the Logic App designer and add the steps Recurrence, HTTP and Send to Log Analytics:

Recurrence can be adjusted to the polling interval you need:

[Screenshot: VipulDabhi_35-1722614145827.png]

HTTP action:

[Screenshot: VipulDabhi_36-1722614145828.png]

Enter the URL, method and headers as defined when accessing the content in Postman:

[Screenshot: VipulDabhi_37-1722614145830.png]

Send the log to the Log Analytics workspace and select or add the custom table created previously:

[Screenshot: VipulDabhi_38-1722614145831.png]
[Screenshot: VipulDabhi_39-1722614145833.png]
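The Recurrence, HTTP and Send to Log Analytics flow above, written out in Python so the logic can be read and tested end to end. This is an added example, not the author's Logic App or any Microsoft connector: it posts straight to the DCE through the Logs Ingestion API instead of the Send to Log Analytics action, the DCE host, DCR immutable ID and Key Vault secret name are placeholders, the Key Vault, managed identity and HTTP steps are injected callables, and the events are constructed. The watermark-based filtering is our own addition: as configured in the post, every recurrence fetches the same endpoint, so without some filter the same events are ingested again on each run.

```python
import json

# Endpoint shapes. The GitLab URL is the one tested in Postman above; the
# Logs Ingestion URL form is Azure Monitor's documented one, with the DCE
# host and DCR immutable ID left as placeholders to be filled from the portal.
GITLAB_EVENTS_URL = "https://gitlab.com/api/v4/users/{user_id}/events"
DCE_INGEST_URL = ("https://<dce-name>.<region>.ingest.monitor.azure.com"
                  "/dataCollectionRules/<dcr-immutable-id>"
                  "/streams/Custom-gitlabdcr_CL?api-version=2023-01-01")

# Constructed sample of one fetch: GitLab returns newest first, and the
# window overlaps with what the previous recurrence already sent.
SAMPLE_EVENTS = [
    {"id": 103, "action_name": "pushed to", "author_id": 42,
     "created_at": "2024-08-02T15:05:00.000Z"},
    {"id": 102, "action_name": "opened", "target_type": "MergeRequest",
     "author_id": 42, "created_at": "2024-08-02T14:50:00.000Z"},
    {"id": 101, "action_name": "pushed to", "author_id": 42,
     "created_at": "2024-08-02T14:23:11.000Z"},
]


def build_gitlab_request(user_id, pat, after=None):
    """Method, URL, query and headers as configured in the Postman request and
    the HTTP action: GET with the PAT as a Bearer token. 'after' (YYYY-MM-DD)
    is GitLab's own filter for limiting how far back the events go."""
    params = {"per_page": "100"}
    if after:
        params["after"] = after
    headers = {"Authorization": f"Bearer {pat}", "Accept": "application/json"}
    return "GET", GITLAB_EVENTS_URL.format(user_id=user_id), params, headers


def select_new_events(events, last_seen_id):
    """Keep only events whose id is above the watermark saved by the previous
    run. Returns (events oldest first, new watermark)."""
    fresh = sorted((e for e in events if e["id"] > last_seen_id), key=lambda e: e["id"])
    return fresh, (fresh[-1]["id"] if fresh else last_seen_id)


def to_table_row(event):
    """Minimal mapping onto the gitlabdcr_CL schema: created_at -> TimeGenerated
    and the reserved id -> event_id (both renames are our choice)."""
    row = {k: v for k, v in event.items() if k not in ("id", "created_at")}
    row["TimeGenerated"] = event["created_at"]
    row["event_id"] = event["id"]
    return row


def run_once(user_id, last_seen_id, get_secret, get_token, http_get, http_post):
    """One recurrence of the workflow. The four callables stand in for the
    Key Vault, managed-identity, HTTP and ingestion steps so the logic runs
    (and is testable) without any Azure or GitLab access.
    Returns (rows sent, new watermark)."""
    pat = get_secret("gitlab-pat")          # Key Vault secret name is a placeholder
    method, url, params, headers = build_gitlab_request(user_id, pat)
    events = http_get(method, url, params, headers)
    fresh, watermark = select_new_events(events, last_seen_id)
    if not fresh:
        return [], watermark
    rows = [to_table_row(e) for e in fresh]
    ingest_headers = {
        # The Logs Ingestion API expects an Entra ID token for this scope,
        # which the Logic App's managed identity obtains without a stored secret.
        "Authorization": f"Bearer {get_token('https://monitor.azure.com/.default')}",
        "Content-Type": "application/json",
    }
    http_post(DCE_INGEST_URL, ingest_headers, json.dumps(rows))
    return rows, watermark


if __name__ == "__main__":
    sent = []
    rows, mark = run_once(
        user_id=42, last_seen_id=101,
        get_secret=lambda name: "glpat-PLACEHOLDER",
        get_token=lambda scope: "token-PLACEHOLDER",
        http_get=lambda m, u, p, h: SAMPLE_EVENTS,
        http_post=lambda u, h, body: sent.append(body),
    )
    print(f"sent {len(rows)} new events, watermark now {mark}")
    print(sent[0] if sent else "nothing to send")
```

Two things carry over to the real Logic App: the watermark has to be persisted between runs (for example in a storage account, or by querying the table's latest event_id at the start of each run), and Secure Inputs and Outputs should be turned on for the HTTP action so the Authorization header holding the PAT is not written to the run history that anyone with read access to the Logic App can open.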

 

 

 

6. How to grant the Logic App permission to Azure Key Vault to get the secret:

Why we need Azure Key Vault in place:

Azure Key Vault stores the secret values, the API endpoint and the PAT, instead of leaving them in the Logic App definition, which is a security best practice.

Generate the managed identity for the Logic App:

[Screenshot: VipulDabhi_40-1722614207707.png]
[Screenshot: VipulDabhi_41-1722614207709.png]
[Screenshot: VipulDabhi_42-1722614207713.png]

Copy the object (principal) ID and use it to assign the Azure Key Vault Secret reader role to the Logic App's identity:

Navigate to Azure Key Vault and open Access control:

[Screenshot: VipulDabhi_43-1722614207717.png]

Choose the role:

[Screenshot: VipulDabhi_44-1722614207724.png]
[Screenshot: VipulDabhi_45-1722614207725.png]

Choose the Logic App:

[Screenshot: VipulDabhi_46-1722614207728.png]

The Logic App should appear as a member after the selection:

[Screenshot: VipulDabhi_47-1722614207729.png]

Review & Assign:

[Screenshot: VipulDabhi_48-1722614207731.png]

Note: The custom table “gitlabdcr_CL” will take some time to be populated with the logs from the GitLab API endpoint before it can be queried in Sentinel.

 
