
OneLogin Authentication Factor Removed

Panther Rules

Summary
The OneLogin Authentication Factor Removed rule detects events in which a user removes an authentication factor, such as a one-time password (OTP) device, from their OneLogin account. Removing a factor weakens the account's multifactor protection, so the event can indicate misuse of account privileges or an attacker lowering the bar for later access, particularly when it happens without a matching change request or policy approval. The rule inspects OneLogin event logs and matches on the specific event type that records the removal of an authentication factor. It surfaces the account ID, user name and a description of the removed factor so that the event can be correlated with the user's other activity and the context and likely intent established. The rule is classified as low severity: the event is noteworthy, but it is often legitimate (a user replacing a lost or retired device, for example), so it calls for investigation rather than immediate response. It falls under identity and access management and maps to MITRE ATT&CK T1556 (Modify Authentication Process), a technique that adversaries use for defense evasion among other tactics. The alert guidance directs investigators to confirm with the user that the removal was intentional and to verify that another multifactor authentication device remains enrolled on the account.
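The detection logic described above, written as an added example in the Panther Python rule style (this is not the rule file from Panther's repository). The field names (event_type_id, user_name, account_id, authentication_factor_description, ipaddr, event_timestamp) are assumed to follow OneLogin's event schema as Panther ingests it, and AUTH_FACTOR_REMOVED_EVENT_TYPE_ID is a placeholder value that must be confirmed against OneLogin's event type reference before deployment. The run_rule harness and SAMPLE_EVENTS are constructed here so the rule can be exercised offline; in production Panther itself calls rule(), title(), severity() and alert_context() per event.

```python
"""Panther-style detection for OneLogin authentication factor removal.

Added example, not Panther's own rule file. Field names are assumed from
OneLogin's event schema; the event type ID below is a placeholder.
"""
from typing import Any, Dict, List, Optional

# ASSUMPTION: numeric OneLogin event type meaning "authentication factor
# removed". Verify against OneLogin's event type reference before use.
AUTH_FACTOR_REMOVED_EVENT_TYPE_ID = 24


def _event_type_id(event: Dict[str, Any]) -> Optional[int]:
    """Normalise event_type_id to an int.

    Some log pipelines deliver numeric fields as strings; a strict equality
    check against an int would then silently miss real removals.
    """
    try:
        return int(event.get("event_type_id"))
    except (TypeError, ValueError):
        return None


def rule(event: Dict[str, Any]) -> bool:
    """Fire only on the event type that records removal of an MFA factor."""
    return _event_type_id(event) == AUTH_FACTOR_REMOVED_EVENT_TYPE_ID


def title(event: Dict[str, Any]) -> str:
    """Alert title naming the user and the factor that was removed."""
    user = event.get("user_name", "<UNKNOWN_USER>")
    factor = event.get("authentication_factor_description", "<UNKNOWN_AUTH_FACTOR>")
    return f"A user [{user}] removed an authentication factor [{factor}]"


def severity(event: Dict[str, Any]) -> str:
    """Low: frequently legitimate, but always worth a confirmation step."""
    return "LOW"


def alert_context(event: Dict[str, Any]) -> Dict[str, Any]:
    """Attributes an analyst needs to correlate the removal with other activity."""
    return {
        "account_id": event.get("account_id"),
        "user_name": event.get("user_name"),
        "authentication_factor_description": event.get("authentication_factor_description"),
        "ipaddr": event.get("ipaddr"),
        "event_timestamp": event.get("event_timestamp"),
        "triage": "Confirm removal was intentional; verify another MFA device remains enrolled.",
    }


def run_rule(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Offline harness: apply the rule to each event and collect alerts."""
    return [
        {"title": title(ev), "severity": severity(ev), "context": alert_context(ev)}
        for ev in events
        if rule(ev)
    ]


# Constructed sample events for the harness; not real OneLogin data.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # OTP device removed: should alert
        "event_type_id": 24, "account_id": 123456, "user_name": "alice.example",
        "authentication_factor_description": "OneLogin Protect (OTP)",
        "ipaddr": "203.0.113.10", "event_timestamp": "2022-09-02T14:03:11Z",
    },
    {   # ordinary login: must not alert
        "event_type_id": 5, "account_id": 123456, "user_name": "alice.example",
        "ipaddr": "203.0.113.10", "event_timestamp": "2022-09-02T14:01:02Z",
    },
    {   # same event type delivered as a string: still alerts
        "event_type_id": "24", "account_id": 123456, "user_name": "bob.example",
        "authentication_factor_description": "Yubikey",
        "event_timestamp": "2022-09-02T15:20:45Z",
    },
    {   # malformed record with no event type: ignored, not an exception
        "account_id": 123456, "user_name": "carol.example",
    },
]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert["severity"], alert["title"])
```

Running the module prints one line per alert; the third sample event shows why the type normalisation matters, and the fourth shows that a record missing the field is skipped rather than crashing the rule.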
Categories
  • Identity Management
  • Cloud
  • Web
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1556
Created: 2022-09-02