External Systems Configuration Guide

GitLab API

Integration Points

Protocol   Information collected                                                   Used For
syslog     15 log files including production.log and application.log;             Security and Compliance
           over 130 event types prefixed with 'GitLab-'
API        Code commit; changes to Projects, Branches, Tag, DiscussionNote,        Security and Compliance
           Issues, Snippets, Repositories; User created, deleted, modified

Event Types

In RESOURCES > Event Types, enter "GitLab" in the main content panel Search... field to see the events associated with this device.

Rules

No defined rules.

Reports

In RESOURCES > Reports, enter "GitLab" in the main content panel Search... field to see the reports associated with this device.

Syslog Integration

Configure GitLab to send syslog to FortiSIEM via UDP on port 514. See here for details.

FortiSIEM will automatically detect GitLab log patterns and parse the logs. Currently, the following log files are parsed: api_json.log, application.log, gitaly, gitlab-monitor, gitlab-shell.log, gitlab-workhorse.log, gitlab_access.log, production.log, production_json.log, Prometheus, Redis, remote-syslog, sidekiq, sidekiq_exporter.log, unicorn_stderr.log.
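Before pointing GitLab's own syslog at the collector, it is worth confirming that UDP/514 is reachable at all. The script below is an added example, not FortiSIEM's or GitLab's code: it builds an RFC 3164 syslog message and sends it to the collector address given on the command line. The facility, the host name and the JSON body are assumptions constructed for the example (the body only approximates the shape of an api_json.log line).

```python
# Added example, not FortiSIEM's or GitLab's own code: build an RFC 3164
# syslog message and send it to the collector over UDP/514 as a path check
# before GitLab itself is configured to forward its logs.
import socket
import sys
from datetime import datetime

LOCAL0 = 16          # facility; an assumption, match it to your forwarding rule
SEV_INFO = 6
SEV_WARNING = 4

# Constructed sample body; the field names approximate api_json.log and are
# not taken from the page.
SAMPLE_BODY = '{"method":"GET","path":"/api/v4/user","status":401,"remote_ip":"192.0.2.10"}'


def priority(facility, severity):
    """RFC 3164 PRI value: facility * 8 + severity, with range checks."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def build_syslog_message(hostname, tag, body, facility=LOCAL0, severity=SEV_INFO, ts=None):
    """Return '<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: body'.

    RFC 3164 space-pads the day of month to two characters, which is why the
    timestamp is assembled by hand instead of with one strftime pattern.
    """
    ts = ts or datetime.now()
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    return f"<{priority(facility, severity)}>{stamp} {hostname} {tag}: {body}"


def send_udp(message, collector, port=514):
    """Send one datagram; returns the number of bytes handed to the socket."""
    data = message.encode("utf-8")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(data, (collector, port))
    return len(data)


if __name__ == "__main__":
    msg = build_syslog_message("gitlab-01", "gitlab-api", SAMPLE_BODY)
    print(msg)
    # Pass the FortiSIEM collector address as the first argument to send it.
    if len(sys.argv) > 1:
        print(f"sent {send_udp(msg, sys.argv[1])} bytes to {sys.argv[1]}:514")
```

After sending, run the ANALYTICS search described later on this page with the time range set to the last hour. Because the body is synthetic, the message may be stored as a generic syslog event rather than a GitLab- event type; what the check proves is that datagrams from the GitLab host reach the collector on port 514.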

Currently, over 134 GitLab event types are parsed. To see the event types:

  1. Login to FortiSIEM.
  2. Go to RESOURCES > Event Types.
  3. Search for "GitLab".

Use cases covered via syslog:

  • Failed and Successful Login
  • Git command execution
  • Git API requests

To test for GitLab events received via syslog:

  1. Login to FortiSIEM.
  2. Go to ANALYTICS.
  3. Click the Edit Filters and Time Range... field:
    1. Choose the Event Attribute option.
    2. Create the Search condition
      Attribute: Event Type
      Operator: CONTAIN
      Value: GitLab
    3. Change Time Range to be Last 1 Hour
    4. Click Apply & Run.
  4. See the GitLab events on the GUI.

API Integration

FortiSIEM can also pull logs from GitLab using GitLab API.

Currently, over 134 GitLab event types are parsed. To see the event types:

  1. Login to FortiSIEM.
  2. Go to RESOURCES > Event Types.
  3. Search for "GitLab".

Use cases covered via API:

  • Code commit – note that the current API does not capture committed files.
  • Changes to Projects, Branches, Tag, DiscussionNote, Issues, Snippets, Repositories, etc.
  • User created, deleted, modified

For more details, see here.

Configuring GitLab Server

Create a personal access token to be used for FortiSIEM communication.

  1. Login to your GitLab account.
  2. Go to your Profile settings.
  3. Go to Access tokens.
  4. Choose a name and optionally an expiry date for the token.
  5. Choose the desired scopes: api is required.
  6. Click Create Personal Access Token. Save the personal access token in your local system. Note that once you leave or refresh the page, you won't be able to access it again.

For more details, see here.

Configuring FortiSIEM for GitLab API

Use the Personal Access Token obtained in Configuring GitLab Server to enable FortiSIEM access.

  1. Login to FortiSIEM.
  2. Go to ADMIN > Setup > Credentials.
  3. In Step 1: Enter Credentials, click New to create a GitLab credential.
  4. Enter these settings in the Access Method Definition dialog box:

     Setting                 Description
     Name                    Enter a name for the credential.
     Device Type             GitLab (Vendor = GitLab, Model = Gitlab)
     Access Protocol         GitLab API
     Pull Interval           The interval at which FortiSIEM pulls events from GitLab. Default is 5 minutes.
     Password Config         Manual
     Account Name            Enter an account name.
     Personal Access Token   Enter the token you obtained in Configuring GitLab Server.
     Description             Description of the device.
  5. In Step 2: Enter IP Range to Credential Associations, click New.
    1. In IP/Host Name, enter the IP of GitLab Server.
    2. Select the Credential created in step 4 above.
    3. Click Save.
  6. Select the entry in step 3 above, click the Test drop-down list and select Test Connectivity. Once successful, an entry will be created in ADMIN > Setup > Pull Events. FortiSIEM will start to pull events from GitLab using the API.

To test for received GitLab events:

  1. Go to ADMIN > Setup > Pull Events.
  2. Select the GitLab entry and click Report.

The system will take you to the ANALYTICS tab and run a query to display the events received from GitLab in the last 15 minutes. You can modify the time interval to get more events.

Sample Event

[GITLAB_EVENT_DATA] = {"action_name":"pushed to","author":{"avatar_url":"https://abc.cda.com/avatar/62e30f8b2d3cbc60ed22c217c5fa4e57?s=80&d=identicon","id":185,"name":"user1","state":"active","username":" user1","web_url":"https://dac.com/gitmirror"},"author_id":185,"author_username":" user1","created_at":"2018-11-13T22:30:30.340Z","project_id":553,"push_data":{"action":"pushed","commit_count":2,"commit_from":"da5a4fd97fd1f6b7c5a8611c12592eb5e9ff9e2b","commit_title":"Merge \"Fix bizservice popup display issue and switching org in bizs...","commit_to":"30d863ece3957aacc95ec45c7663c426c73f38f2","ref":"releases/FCS5_2_1","ref_type":"branch"},"serverIp":"172.30.35.11","serverName":"abc.com","target_id":null,"target_iid":null,"target_title":null,"target_type":null}
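The sample above is one record from GitLab's events API wrapped in the [GITLAB_EVENT_DATA] = {...} form FortiSIEM stores. The script below is an added example, not FortiSIEM's or GitLab's own code: it shows how a poller would request events from GET /api/v4/events with the personal access token in the PRIVATE-TOKEN header, follow GitLab's X-Next-Page pagination header, and flatten each record into the fields a parser indexes. The base URL and token in the usage are placeholders; the only network call is isolated in fetch_events(), so the parsing and normalisation run offline against the page's sample event.

```python
# Added example, not FortiSIEM's or GitLab's own code: poll GitLab's
# GET /api/v4/events endpoint and normalise each record into flat fields.
import json
import urllib.parse
import urllib.request

# The sample event from this page, verbatim.
SAMPLE_LINE = r'[GITLAB_EVENT_DATA] = {"action_name":"pushed to","author":{"avatar_url":"https://abc.cda.com/avatar/62e30f8b2d3cbc60ed22c217c5fa4e57?s=80&d=identicon","id":185,"name":"user1","state":"active","username":" user1","web_url":"https://dac.com/gitmirror"},"author_id":185,"author_username":" user1","created_at":"2018-11-13T22:30:30.340Z","project_id":553,"push_data":{"action":"pushed","commit_count":2,"commit_from":"da5a4fd97fd1f6b7c5a8611c12592eb5e9ff9e2b","commit_title":"Merge \"Fix bizservice popup display issue and switching org in bizs...","commit_to":"30d863ece3957aacc95ec45c7663c426c73f38f2","ref":"releases/FCS5_2_1","ref_type":"branch"},"serverIp":"172.30.35.11","serverName":"abc.com","target_id":null,"target_iid":null,"target_title":null,"target_type":null}'

PREFIX = "[GITLAB_EVENT_DATA] = "


def build_events_request(base_url, token, after, page=1, per_page=100):
    """Build the GET /api/v4/events request for events created after 'after'
    (a YYYY-MM-DD string or a date). The token travels in the PRIVATE-TOKEN
    header, not the query string, so it is not written to proxy or web-server
    access logs."""
    after = after if isinstance(after, str) else after.isoformat()
    query = urllib.parse.urlencode({"after": after, "page": page, "per_page": per_page})
    url = f"{base_url.rstrip('/')}/api/v4/events?{query}"
    return urllib.request.Request(
        url, headers={"PRIVATE-TOKEN": token, "Accept": "application/json"})


def fetch_events(base_url, token, after):
    """Yield every event, following the X-Next-Page header until it is empty."""
    page = 1
    while page:
        req = build_events_request(base_url, token, after, page)
        with urllib.request.urlopen(req, timeout=30) as resp:
            next_page = resp.headers.get("X-Next-Page") or ""
            events = json.loads(resp.read().decode("utf-8"))
        yield from events
        page = int(next_page) if next_page.isdigit() else 0


def parse_event_line(line):
    """Split the '[GITLAB_EVENT_DATA] = {...}' form shown in the sample event."""
    if not line.startswith(PREFIX):
        raise ValueError("not a GITLAB_EVENT_DATA line")
    return json.loads(line[len(PREFIX):])


def normalise(event):
    """Flatten one /events record into the fields a parser would index."""
    push = event.get("push_data") or {}
    author = event.get("author") or {}
    return {
        "action": event.get("action_name"),
        # The sample carries a leading space in the username; strip it so the
        # value joins cleanly with user fields from other log sources.
        "user": (author.get("username") or event.get("author_username") or "").strip(),
        "userId": event.get("author_id"),
        "projectId": event.get("project_id"),
        # Push events have no target_type; fall back to the ref type (branch/tag).
        "targetType": event.get("target_type") or push.get("ref_type"),
        "ref": push.get("ref"),
        "commitCount": push.get("commit_count"),
        "commitFrom": push.get("commit_from"),
        "commitTo": push.get("commit_to"),
        "createdAt": event.get("created_at"),
        "server": event.get("serverName"),
    }


if __name__ == "__main__":
    # Offline demonstration on the page's sample; a live poll would be
    # fetch_events("https://gitlab.example.test", "glpat-PLACEHOLDER", "2018-11-13").
    print(json.dumps(normalise(parse_event_line(SAMPLE_LINE)), indent=2))
```

Note what the flattened record does and does not carry: the commit range (commit_from, commit_to) and the ref are present, but no file paths, which matches the page's caveat that the current API does not capture committed files.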