GitLab user's multi-factor authentication disabled

This rule is part of a beta feature. To learn more, contact Support.

Set up the GitLab integration.

Goal

Detects when a user disables Multi-Factor Authentication (MFA) on their GitLab account.

Strategy

This rule monitors GitLab audit events for the user_disable_two_factor event. Disabling MFA reduces the account's security posture and may indicate account compromise.

Triage & Response

  • Review recent authentication logs for the affected user account to identify any suspicious login patterns or locations.
  • Examine any recent password changes or account modifications that may indicate unauthorized access.
  • Verify if the user {{@details.target_details}} has a legitimate business reason to disable MFA on their GitLab account.
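
The first two triage steps can be scripted against exported events. The following is an added example, not part of the rule or of the GitLab integration: it takes each user_disable_two_factor event and flags sign-ins from previously unseen IP addresses and password changes in the preceding 24 hours. The field names (ts, user, event, ip), the "sign_in" and "password_change" event names, and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

MFA_DISABLED = "user_disable_two_factor"  # event name monitored by this rule

# Constructed sample events. The field names and the "sign_in" and
# "password_change" event names are assumptions, not GitLab's schema.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "event": "sign_in", "ip": "198.51.100.10"},
    {"ts": "2024-05-20T08:55:00", "user": "alice", "event": "sign_in", "ip": "203.0.113.77"},
    {"ts": "2024-05-20T08:58:00", "user": "alice", "event": "password_change", "ip": "203.0.113.77"},
    {"ts": "2024-05-20T09:01:00", "user": "alice", "event": MFA_DISABLED, "ip": "203.0.113.77"},
    {"ts": "2024-05-02T10:00:00", "user": "bob", "event": "sign_in", "ip": "198.51.100.20"},
    {"ts": "2024-05-20T11:00:00", "user": "bob", "event": "sign_in", "ip": "198.51.100.20"},
    {"ts": "2024-05-20T11:05:00", "user": "bob", "event": MFA_DISABLED, "ip": "198.51.100.20"},
]

def triage_mfa_disable(events, lookback=timedelta(hours=24)):
    """Return one finding per MFA-disable event with the context to review."""
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["ts"],
    )
    findings = []
    for hit in (e for e in parsed if e["event"] == MFA_DISABLED):
        prior = [e for e in parsed if e["user"] == hit["user"] and e["ts"] < hit["ts"]]
        window_start = hit["ts"] - lookback
        # IPs the account signed in from before the lookback window.
        baseline_ips = {e["ip"] for e in prior
                        if e["event"] == "sign_in" and e["ts"] < window_start}
        recent = [e for e in prior if e["ts"] >= window_start]
        reasons = []
        new_ips = sorted({e["ip"] for e in recent + [hit]} - baseline_ips)
        if new_ips:
            reasons.append("activity from unseen IP: " + ", ".join(new_ips))
        if any(e["event"] == "password_change" for e in recent):
            reasons.append("password changed shortly before MFA was disabled")
        findings.append({
            "user": hit["user"],
            "disabled_at": hit["ts"].isoformat(),
            "reasons": reasons,
            "priority": "high" if reasons else "verify with user",
        })
    return findings

if __name__ == "__main__":
    for finding in triage_mfa_disable(SAMPLE_EVENTS):
        print(finding)
```

An account with no sign-in history before the lookback window has an empty baseline, so all of its recent IP addresses are reported as unseen.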