GitLab user's multi-factor authentication disabled

This rule is part of a beta feature. To learn more, contact Support.

Set up the GitLab integration.

Goal

Detects when a user disables Multi-Factor Authentication (MFA) on their GitLab account.

Strategy

This rule monitors GitLab audit events for the user_disable_two_factor event. Disabling MFA reduces the account’s security posture and may indicate account compromise.

Triage & Response

  • Review recent authentication logs for the affected user account to identify any suspicious login patterns or locations.
  • Examine any recent password changes or account modifications that may indicate unauthorized access.
  • Verify whether the user {{@details.target_details}} has a legitimate business reason to disable MFA on their GitLab account.
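
The detection and the first triage steps above can be sketched offline as follows. This is an added example, not the rule's own query or code from the integration: it matches user_disable_two_factor events and attaches the context an analyst would check first. The field names (event_name, ip_address, details.author_name), the "login" event name, and the 24-hour window are assumptions; only user_disable_two_factor and details.target_details come from this page, and the sample events are constructed.

```python
import json
from datetime import datetime, timedelta

MFA_DISABLED = "user_disable_two_factor"  # audit event named on this page
LOOKBACK = timedelta(hours=24)            # assumed triage window

# Constructed sample events; field names other than details.target_details are assumptions.
SAMPLE_LOG = """
{"time": "2024-05-01T08:00:00Z", "event_name": "login", "ip_address": "198.51.100.7", "details": {"author_name": "alice", "target_details": "alice"}}
{"time": "2024-05-01T09:12:00Z", "event_name": "user_disable_two_factor", "ip_address": "203.0.113.50", "details": {"author_name": "alice", "target_details": "alice"}}
{"time": "2024-05-01T10:00:00Z", "event_name": "login", "ip_address": "192.0.2.10", "details": {"author_name": "bob", "target_details": "bob"}}
{"time": "2024-05-01T10:05:00Z", "event_name": "user_disable_two_factor", "ip_address": "192.0.2.10", "details": {"author_name": "bob", "target_details": "bob"}}
{"time": "not-a-timestamp", "event_name": "user_disable_two_factor"}
"""

def parse(lines):
    events = []
    for line in lines.splitlines():
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError):
            continue  # skip blank or malformed lines instead of aborting triage
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def triage_mfa_disabled(events):
    findings = []
    for i, ev in enumerate(events):
        if ev.get("event_name") != MFA_DISABLED:
            continue
        details = ev.get("details", {})
        user = details.get("target_details")
        # Earlier events for the same user inside the lookback window
        prior = [p for p in events[:i]
                 if p.get("details", {}).get("target_details") == user
                 and ev["ts"] - p["ts"] <= LOOKBACK]
        known_ips = {p.get("ip_address") for p in prior}
        findings.append({
            "user": user,
            "time": ev["time"],
            "ip_address": ev.get("ip_address"),
            "new_ip": ev.get("ip_address") not in known_ips,  # source IP not seen recently
            "disabled_by_other": details.get("author_name") != user,
            "prior_events": [p.get("event_name") for p in prior],
        })
    return findings

if __name__ == "__main__":
    for finding in triage_mfa_disabled(parse(SAMPLE_LOG)):
        print(finding)
```

A finding with new_ip or disabled_by_other set to true is the one to prioritize when confirming a legitimate business reason with the user.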