GitLab Event Collector
This Integration is part of the GitLab Pack.
Supported versions
Supported Cortex XSOAR versions: 6.8.0 and later.
An event collector for GitLab audit events using GitLab's API.
Audit events API documentation
Prerequisites
To retrieve audit events using the API, you must authenticate yourself as an Administrator.
You must use Personal access tokens:
Create a Personal Access Token
- In the upper-right corner, select your avatar.
- Select Edit profile.
- On the left sidebar, select Personal access tokens.
- Select Add new token.
- In Token name, enter a name for the token.
- Optional. In Token description, enter a description for the token.
- In Expiration date, enter an expiration date for the token.
  - The token expires on that date at midnight UTC. A token with the expiration date of 2024-01-01 expires at 00:00:00 UTC on 2024-01-01.
  - If you do not enter an expiration date, the expiration date is automatically set to 365 days later than the current date.
  - By default, this date can be a maximum of 365 days later than the current date. In GitLab 17.6 or later, you can extend this limit to 400 days.
- Select the desired scopes (see PAT scopes).
- Select Create personal access token.
Configure GitLab Event Collector in Cortex
| Parameter | Description | Required |
|---|---|---|
| Server URL | | True |
| API Key | The personal access token created above with Administrator authorization. | True |
| Fetch Instance Audit Events | When checked, the fetch mechanism will fetch events from the audit_events endpoint. That endpoint requires Administrator authorization. See Audit Events API documentation for more details. | |
| Groups IDs | | False |
| Projects IDS | | False |
| First fetch timestamp (<number> <time unit>, for example, 12 hours, 7 days, 3 months, 1 year) | | True |
| The maximum number of events per fetch for each event type | Each fetch will bring the `limit` number of events for each type (audits, groups and projects) and each group/project ID. For example, if `limit` is set to 500 and groups/projects IDs are given as well, then the fetch will bring 500 audit events and 500 group/project events for each group/project ID. | False |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |
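To make the interaction of these parameters concrete, the following added example (not the integration's own code) maps a configuration onto GitLab's instance, group and project audit event endpoints and computes the upper bound on events per fetch. The function names, the host `gitlab.example.com` and the IDs are hypothetical; it assumes `now` is in UTC, 30-day months and 365-day years, and paging with `per_page` capped at 100, which may differ from how the collector itself pages.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Unit lengths in seconds. Assumption: a month is 30 days and a year is 365 days.
UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400, "week": 604800,
                "month": 30 * 86400, "year": 365 * 86400}
PER_PAGE_MAX = 100  # GitLab REST offset pagination caps per_page at 100


def parse_first_fetch(value, now):
    """Turn '<number> <time unit>' (for example '7 days') into an absolute datetime."""
    m = re.fullmatch(r"\s*(\d+)\s+([a-z]+?)s?\s*", value.lower())
    if not m or m.group(2) not in UNIT_SECONDS:
        raise ValueError(f"unsupported first fetch value: {value!r}")
    return now - timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2)])


def build_fetch_plan(server_url, fetch_instance, group_ids, project_ids,
                     limit, first_fetch, now):
    """Return (event_type, entity_id, page_urls) for each endpoint one fetch queries."""
    after = parse_first_fetch(first_fetch, now).strftime("%Y-%m-%dT%H:%M:%SZ")
    base = server_url.rstrip("/") + "/api/v4"
    targets = [("audits", None, "/audit_events")] if fetch_instance else []
    targets += [("groups", g, f"/groups/{g}/audit_events") for g in group_ids]
    targets += [("projects", p, f"/projects/{p}/audit_events") for p in project_ids]
    pages = -(-limit // PER_PAGE_MAX)  # ceiling division: pages needed to reach `limit`
    query = {"created_after": after, "per_page": min(limit, PER_PAGE_MAX)}
    plan = []
    for event_type, entity_id, path in targets:
        urls = [base + path + "?" + urlencode({**query, "page": n})
                for n in range(1, pages + 1)]
        plan.append((event_type, entity_id, urls))
    return plan


def max_events_per_fetch(plan, limit):
    """Upper bound on events one fetch returns: `limit` per type and per ID."""
    return limit * len(plan)


if __name__ == "__main__":
    # Constructed sample configuration, not a real instance.
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    plan = build_fetch_plan("https://gitlab.example.com/", True, [11, 12], [42],
                            500, "7 days", now)
    for event_type, entity_id, urls in plan:
        print(event_type, entity_id, len(urls), "requests, first:", urls[0])
    print("max events per fetch:", max_events_per_fetch(plan, 500))
```

With two group IDs, one project ID and instance events enabled, a `limit` of 500 bounds a single fetch at 2000 events spread over four endpoints.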
Commands
You can execute the following command from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
gitlab-get-events
Manual command to fetch events and display them.
Base Command
gitlab-get-events
Input
| Argument Name | Description | Required |
|---|---|---|
| should_push_events | Set this argument to True in order to create events, otherwise the command will only display them. Default is False. | True |
Context Output
There is no context output for this command.