
Dropbox User Disabled 2FA

Panther Rules

Summary
This detection rule monitors changes to the two-factor authentication (2FA) settings of Dropbox users. It triggers an alert when a team member disables their 2FA, which reduces login protection and may indicate a security risk or a compromised account. The detection logic is based on logs produced by Dropbox's event system: the rule matches logs whose event type indicates a 2FA status change, then checks the previous and new settings. If 2FA has been disabled, the rule generates a notification. It includes thresholds to determine when enough events have been recorded to be considered significant. The change is classified as low severity because, while disabling 2FA lowers account security, users may also do it for legitimate reasons. The rule incorporates deduplication logic to prevent repeated alerts for the same issue within a defined timeframe.
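The matching and deduplication steps described above, as an added sketch that is not the rule's own source. The field names (`event_type._tag`, `details.previous_value._tag`, `details.new_value._tag`, `actor.user.email`) are assumed from the shape of Dropbox team event records, and the 60-minute window and sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

DEDUP_WINDOW = timedelta(minutes=60)  # assumed window; the page gives no value

def deep_get(record, *keys):
    """Walk nested dicts, returning None when any level is missing."""
    for key in keys:
        if not isinstance(record, dict):
            return None
        record = record.get(key)
    return record

def rule(event):
    """True when a 2FA change event ends with 2FA disabled."""
    if deep_get(event, "event_type", "_tag") != "tfa_change":
        return False
    new = deep_get(event, "details", "new_value", "_tag")
    prev = deep_get(event, "details", "previous_value", "_tag")
    # A missing previous value still alerts; only disabled -> disabled is ignored.
    return new == "disabled" and prev != "disabled"

def alerts(events):
    """Return (timestamp, actor) pairs, at most one per actor per window."""
    last_alert, out = {}, []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if not rule(ev):
            continue
        ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        actor = deep_get(ev, "actor", "user", "email") or "<unknown actor>"
        if actor in last_alert and ts - last_alert[actor] < DEDUP_WINDOW:
            continue  # same actor inside the window: suppress the repeat
        last_alert[actor] = ts
        out.append((ev["timestamp"], actor))
    return out

def _ev(ts, email, tag, prev=None, new=None):
    """Build one constructed sample record."""
    return {"timestamp": ts, "actor": {"user": {"email": email}},
            "event_type": {"_tag": tag},
            "details": {"previous_value": {"_tag": prev},
                        "new_value": {"_tag": new}}}

# Constructed sample events, not real Dropbox logs.
SAMPLE_EVENTS = [
    _ev("2023-04-21T10:00:00Z", "alice@example.com", "tfa_change", "sms", "disabled"),
    _ev("2023-04-21T10:05:00Z", "bob@example.com", "tfa_change", "disabled", "authenticator"),
    _ev("2023-04-21T10:20:00Z", "alice@example.com", "tfa_change", "authenticator", "disabled"),
    _ev("2023-04-21T10:30:00Z", "carol@example.com", "login_success"),
    _ev("2023-04-21T12:00:00Z", "alice@example.com", "tfa_change", "sms", "disabled"),
]
```

On the sample data, `alerts(SAMPLE_EVENTS)` yields two alerts for alice: the 10:20 repeat is suppressed by the window, while the 12:00 event falls outside it and alerts again.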
Categories
  • Cloud
  • Identity Management
  • Web
Data Sources
  • User Account
  • Application Log
Created: 2023-04-21