
Step-by-Step Guide to Generate a PAT in GitLab

(Vipul Dabhi)

1. Log In to GitLab:
Open your web browser and log in to your GitLab account.

2. Navigate to User Settings:


Click on your profile picture or avatar in the top right corner of the GitLab interface.
Select Edit profile from the dropdown menu.

3. Access Personal Access Tokens:


In the left sidebar, click on Access Tokens.
4. Add Access Token:

5. While adding the personal access token, provide the scope/permission and the expiration date:

6. Copy the personal access token as soon as it is generated:

Leveraging Personal Access token in Postman to check the logs


As I have a trial license for the GitLab cloud edition, I fetched the event logs using the events API endpoint; the steps below guide you through the same:

With the free trial of GitLab, you have access to various logs and events through the API. However,
the availability of certain logs, especially audit logs, might be limited depending on your GitLab plan.
Here is an example I tested to fetch the events you can access with the GitLab API:

User Events
You can retrieve events related to a specific user, such as activities performed by the user.
Endpoint:
https://gitlab.com/api/v4/users/:id/events

How to get the ID:

Accessing Logs in Postman


To access these logs using Postman, follow these general steps:
Open Postman:
 Launch Postman and create a new request.
Set Request Method and URL:
 Set the HTTP method to GET.
 Enter the API endpoint URL corresponding to the logs you want to retrieve.
Add Authorization Header:
 Go to the Authorization tab.
 Select Bearer Token from the Type dropdown.
 Enter your PAT in the Token field.
Send the Request:
 Click the Send button.
Example: Retrieve user Events
Set Request Method and URL:
 HTTP method: GET
 URL: https://gitlab.com/api/v4/users/vdabhi123/events (replace :id with your user ID or username)

Data Collection Rule and Data Collection Endpoint to ingest the User events to Microsoft Sentinel in a Custom Table

Create a DCR-based custom table in the Log Analytics workspace where Sentinel is onboarded:

Create a data collection endpoint (DCE) before creating the data collection rule.
To create a DCE, navigate to Monitor using the global search:

Search for Data collection Endpoint


Create the data collection rule after creating the data collection endpoint:

You can fetch the schema either from the official GitLab website or from the JSON output returned by the Postman API request:

Copy the JSON output from Postman and save it in JSON format as guided below:
Upload the JSON file on the schema page of the DCR:

If a TimeGenerated field error comes up, try changing the time field in the JSON as:
Re-upload the JSON file:

Review & Create the Data Collection Rule:

Rectify any errors that are reported; here, for example, the error is the use of the reserved keyword id:
Replace it in the JSON, re-upload the file, and save the DCR.
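
The two schema fixes above (a TimeGenerated field and the reserved keyword id) can be applied to the Postman output with a short script before uploading it. This is an added example, not part of the original guide; the replacement name event_id, the GITLAB_PAT environment variable, the use of created_at as the time source, and the sample events are assumptions.

```python
import json
import os
import urllib.request

API = "https://gitlab.com/api/v4/users/{user}/events"  # endpoint from the guide
RESERVED = {"id": "event_id"}  # hypothetical new name for the reserved column


def build_request(user, token=None):
    """Build (without sending) the GET request that was configured in Postman."""
    # Assumed variable name; reading it from the environment keeps the PAT out of source.
    token = token or os.environ["GITLAB_PAT"]
    return urllib.request.Request(
        API.format(user=user),
        headers={"Authorization": f"Bearer {token}"},
        method="GET",
    )


def to_dcr_record(event):
    """Rename reserved top-level keys and add TimeGenerated from created_at."""
    record = {}
    for key, value in event.items():
        new_key = RESERVED.get(key, key)
        if new_key != key and new_key in event:
            raise ValueError(f"cannot rename {key!r}: {new_key!r} already exists")
        record[new_key] = value  # nested objects such as author keep their own id
    if "TimeGenerated" not in record:
        if "created_at" not in event:
            raise ValueError("event has no created_at to use as TimeGenerated")
        record["TimeGenerated"] = event["created_at"]
    return record


def to_dcr_sample(events):
    """Return the JSON text to save and upload on the DCR schema page."""
    return json.dumps([to_dcr_record(e) for e in events], indent=2)


# Constructed sample shaped like a GitLab events response (not real data).
SAMPLE_EVENTS = [
    {"id": 1001, "project_id": 15, "action_name": "pushed to", "author_id": 7,
     "author_username": "example-user", "created_at": "2024-05-01T10:15:30.000Z",
     "author": {"id": 7, "username": "example-user"}},
    {"id": 1002, "project_id": 15, "action_name": "opened", "author_id": 7,
     "target_type": "MergeRequest", "author_username": "example-user",
     "created_at": "2024-05-01T11:02:07.000Z"},
]

if __name__ == "__main__":
    print(to_dcr_sample(SAMPLE_EVENTS))
```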

Creating Azure Logic app to fetch the logs from Gitlab to Microsoft Sentinel

As prerequisites, ensure you have the PAT and the required API endpoint URL in place before creating the Logic App.
Start with a blank Logic App in Microsoft Sentinel:

Create the Logic App with the Consumption plan, along with the resource group and other key
requirements:
Deploy the logic app:

Open the Logic App designer and add the steps for Recurrence, HTTP, and Send to Log Analytics:

Recurrence can be adjusted as required:

HTTP Action:
Enter the URL, method, and headers as defined while accessing the content in Postman:

Send the logs to the Log Analytics workspace and select or add the custom table that was created
previously.
