GitLab user's multi-factor authentication disabled

This rule is part of a beta feature. To learn more, contact Support.
gitlab

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1556-modify-authentication-process

Set up the gitlab integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Goal

Detects when a user disables Multi-Factor Authentication (MFA) on their GitLab account.

Strategy

This rule monitors GitLab audit events user_disable_two_factor. When MFA is disabled, it reduces the account’s security posture and may indicate potential account compromise.

Triage & Response

  • Review recent authentication logs for the affected user account to identify any suspicious login patterns or locations.
  • Examine any recent password changes or account modifications that may indicate unauthorized access.
  • Verify if the user {{@details.target_details}} has a legitimate business reason to disable MFA on their GitLab account.