Blog Post

Microsoft Sentinel Blog
4 MIN READ

Enhancing Security Monitoring: Integrating GitLab Cloud Edition with Microsoft Sentinel

VipulDabhi's avatar
VipulDabhi
Icon for Microsoft rankMicrosoft
Aug 05, 2024

Purpose of this Blog:

The absence of a dedicated connector for GitLab Cloud Edition in Microsoft Sentinel presents a challenge for complete security surveillance for firms using GitLab. To overcome this, we can utilize the API endpoints provided by GitLab to collect logs for integration into Sentinel. Establishing a custom table via Azure Monitor Data Collection Endpoint (DCE) along with Data Collection Rule (DCR), we can efficiently organize and study these logs. The use of Azure Logic Apps coupled with Azure Key Vault ensures that data handling is both secure and effective, and that sensitive credentials are well-protected. This blog will guide readers through the integration process, empowering organizations to maximize Microsoft Sentinel's capabilities. With a consolidated view of their security posture, companies can improve their threat detection and response actions promptly.

What is Covered in this Blog

  1. GitLab Cloud Edition Free Trial Account:
    • Setting up a free trial account on GitLab Cloud Edition to get started.
  2. Generating Personal Access Token (PAT):
    • Generate a Personal Access Token (PAT) for accessing GitLab logs API Endpoint.
  3. Leveraging Personal Access token in Postman to check the logs.
  4. Azure Monitor Data Collection Rule (DCR) and Data Collection Endpoint (DCE):
    • Configuring Azure Monitor DCR and DCE to ingest user events into Microsoft Sentinel via a custom table.
  5. Creating an Azure Logic App:
    • Developing an Azure Logic App to fetch logs from GitLab and send them to Microsoft Sentinel.
  6. Azure Key Vault Integration:
    • Storing API endpoint credentials securely using Azure Key Vault.
  1. GitLab Cloud Edition Free Trial Account:
    Setting up a free trial account on GitLab Cloud Edition to get started.
    Try GitLab for free | GitLab

  2. Steps to Generate Personal Access Token once you have the Gitlab free trial:


    Log In to GitLab
    :
    Open your web browser and log in to your GitLab account.


    Navigate to User Settings
    :

  1. Click on your profile picture or avatar in the top right corner of the GitLab interface.

    Select Edit profile from the dropdown menu.

     Access Personal Access Tokens:

  1. In the left sidebar, click on Access Tokens.

     

        Add Access Token:
        

 

   While adding the Personal Access token, provide the scope/permission and the Expiration Day:

       

       Copy the Personal Access token as it generated:

     

 

3. Testing Personal Access token in Postman to check the logs access.

While using the trial version of GitLab Cloud, I utilized the event API endpoint to retrieve event logs by following these steps:

The GitLab free trial provides API access to different logs and events. Yet, access to specific logs like audit ones may be restricted based on your GitLab subscription. Below is a test case I executed to pull available events via the GitLab API: User Events.

You can retrieve events related to a specific user, such as activities performed by the user.

API Endpoint:

https://gitlab.com/api/v4/users/:id/events

How to get the ID:

Accessing Logs in Postman

To access these logs using Postman, follow these general steps:

Open Postman:

  • Launch Postman and create a new request.

Set Request Method and URL:

  • Set the HTTP method to GET.
  • Enter the API endpoint URL corresponding to the logs you want to retrieve.

Add Authorization Header:

  • Go to the Authorization tab.
  • Select Bearer Token from the Type dropdown.
  • Enter your PAT in the Token field.

Send the Request:

  • Click the Send button.

Example: Retrieve user Events

Set Request Method and URL:

 

 

4. Data Collection Rule and Data Collection Endpoint to ingest the User events to Microsoft Sentinel in a Custom Table


Create a DCR based custom table in Log Analytics Workspace where sentinel is onboarded:

 

 Create a Data collection Endpoint in advance prior creating the Data Collection Rule:

 


For creating a DCE navigate to monitor in global search:

 

Search Data collection Endpoint

 

 

 

 

 

 

 

 

 

Create Data collection rule after creating the Data Collection Endpoint:

 

 

You can fetch the schema either from gitlab official website or the json output which you got from the postman api request:

 

Copy the Json output from postman, and save the same in json format as guided below:

 

Upload the json file on the schema page of DCR:

 

If Timegenerated field error comes up, try changing the time field in json as:

 

 

 Re-upload the json file :
 

 

Review & Create the Data Collection Rule:

 

 

Rectify if there is any error like here the error is usage of a reserved keyword id:

 

Hence replace the same in json and reupload the file and save the DCR

 



 

5. Creating Azure Logic app to fetch the logs from Gitlab to Microsoft Sentinel
Ensure you have the PAT and the required API endpoint URL in place prior creating the Logic app as a pre-requisite:

 

 

Start with a Blank logic app in Microsoft Sentinel as:

 

Create the Logic app with Consumption plan as with Resource group and other key requirements:

 

Deploy the logic app:

 

Open the logic app designer and add the steps for Recurrence, HTTP, Send to log analytics as:

Recurrence can be adjusted respectively:

 

HTTP Action:

 

Enter the URL, Method, Headers, as defined while accessing the content in postman:

 

Send log to log analytics Workspace and select or add the custom table which is created previously

 

 

6. How to grant Logic permission to Azure Key Vault to get Secret:

Why we need Azure key vault in Place:
Azure key vault will help us in storing the secret values like API Endpoint and the PAT token which is Security best practice.

Generate the Managed identity for Logic app:

 

 

 

 

Copy the object principal ID, Use this Object principal ID to assign Azure key vault Secret reader role to this id respectively as:

Navigate to Azure Key Vault and check access control:

 

Choose the Role:

 

 

 

Choose the logic app:

 

The logic app should reflect as member after the Selection as:

 

Review & Assign:

 

Note: Custom table “gitlabdcr_CL” will take some time to populate the logs from GitLab API endpoint source for querying at Sentinel.

Updated Aug 02, 2024
Version 1.0
  • arwadhahri ,

    While Generating PAT, you can provide the scope/permission and the Expiration Day,

    This selection totally depends on what you want to ingest or invoke from Gitlab Cloud to sentinel,

    Precisely check the options and choose, you can decide what Gitlab actually holds and what you want to export for the use case in Sentinel.

     

    Thanks,

  • arwadhahri's avatar
    arwadhahri
    Copper Contributor

    hi, 

    In GitLab configuration, which role and scopes should be selected.