Intrusion Detection System statistics
Problem to solve
Intrusion detection will be added to clusters with #31901 and will help identify threats as they occur. However, these records are difficult to view, because doing so requires connecting to the cluster and reading Pod logs directly. Additionally, any collection and aggregation of the data must be done entirely outside of GitLab. This means it is possible that attacks could be missed.
Display to users information and reports about what the intrusion detection system in the cluster is reporting.
- Create a screen under Security and Compliance to house information from the intrusion detection system.
- This should be the same screen where the WAF and Cluster Network Security stats are shown.
- Display to users the raw number of events the intrusion detection system has detected.
- Display to users a list of every individual security event that has been reported from the intrusion detection system.
- Create a Finding object from each individual security event.
Permissions and Security
Viewing logs should require a GitLab Ultimate license. Permissions should be the same as those for seeing the Security Dashboard.
Update documentation to describe what information is displayed and what it means.
What does success look like, and how can we measure that?
Number of users who view the page where these logs are recorded within 90 days of release. Target => 5000
- This will show that users are viewing the content and that it provides value. If no one is viewing it, that is an indicator that it is either difficult to find or not valuable enough.