BlogSecuritySelf-service security alert handling with GitLab's UAM

Published on: March 18, 2025

4 min read

Self-service security alert handling with GitLab's UAM

The User Attestation Module automates security alerts by routing them directly to team members for verification, reducing manual SecOps work and enhancing audit trails.

Bala AllamBala Allam
Matt CoonsMatt Coons

security

tutorial

DevSecOps platform

product

open source

The GitLab Security Operations team prioritizes automation that enables security engineers to focus on high-impact work rather than routine tasks that can be automated. A key innovation in this automation strategy is creation of the User Attestation Module (UAM), which allows GitLab team members to directly respond to and verify security alerts flagged as potentially malicious. When the GUARD framework detects suspicious activity, it routes the alert to the relevant team member for review. The team member can then attest whether they recognize and authorize the activity. Their response is recorded for audit purposes, and, based on their input, the system either closes the alert or escalates it to the Security Incident Response Team (SIRT).

In this article, you'll learn about the UAM and how it can benefit your DevSecOps environment.

How the User Attestation Module works

The UAM streamlines security alert handling through a comprehensive workflow that includes:

  • Alert verification by team members
  • Collection and documentation of supporting evidence
  • Option to request additional support from GitLab SecOps
  • Secure storage of team member responses
  • Automated alert resolution or incident escalation
  • Team member feedback collection for continuous improvement

We created UAM to help us:

  1. Route low priority alerts (such as administrative activities) to the relevant team members who performed them.
  2. Reduce alert fatigue by first checking with the team member who completed the activity before routing to SIRT if necessary.
  3. Collect and store team member responses to maintain an audit trail and rich metrics.
  4. Create a response tier between SIRT needs to triage this alert and This is an informational signal that does not need to be reviewed directly.

UAM's design principles

The UAM is a Slack-first automation that reaches out to team members to validate activity directly in Slack, reducing effort and increasing participation. Today, 40% of all security alerts are delivered to team members through the UAM, saving SIRT valuable time to focus on higher importance alerts and incidents.

A robust escalation workflow in the UAM ensures that all alerts are validated by team members or escalated to SIRT. When a UAM alert reaches a team member, they have a period of time to respond attesting to the activity or stating they do not recognize the activity. If no response is recorded, the UAM alert is auto-escalated to SIRT for handling.

Comprehensive metrics collection is a core GUARD design principle, which extends to how we designed UAM. All user interactivity with triggered UAM alerts is logged in a metrics database, which enables comprehensive measurement to identify problematic alerts, opportunities for process improvement, and overall UAM health.

UAM enables a third alert tier, bridging the gap between alerts that always needed to be investigated, and lower importance informational signals that are grouped by entity for escalation and correlation.

  • Stable alerts (must be triaged and investigated by SIRT)
  • UAM alerts (routed to team members to attest to the activity)
  • Informational signal (low-importance events that are interesting and correlated by entity grouping)

UAM components

The UAM framework consists of multiple components:

  • GitLab: Fetches a user email address based on user_id via user’s API and stores user's responses - Slack: Searches each user by email using Slack API and posts a UAM notification to the end user as well as collects responses from users using Slack modals
  • Tines: Processes and orchestrates user responses and alerts
  • Devo: Receives alert payload and alert notifications
  • Metrics DB: Records metrics for triggered UAM alerts

The workflow integrates with following modules:

  • GitLab API for user identification
  • Slack API for user communication
  • Webhook configuration for alert reception
  • Audit trail storage in GitLab

UAM workflow

The diagram below illustrates the workflow of the UAM module:

UAM - flow chart

Following along with GUARD

We are still unveiling parts of GUARD and how it works, so follow along to learn how we automate our security detections from end to end.

Read more about the GUARD framework

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.

50%+ of the Fortune 100 trust GitLab

Start shipping better software faster

See what your team can do with the intelligent

DevSecOps platform.

Get free trial Talk to sales