Detection: MFA Recovery Codes Regenerated

Overview

Detect when MFA recovery codes are regenerated for a GitHub account. While this may be part of legitimate account maintenance, it can also indicate that an attacker is attempting to ensure persistent access by generating new recovery codes. Monitoring these events helps identify potential account compromises and ensure that backup authentication methods are not abused.

References:

Secure your account with 2FA

Usage

Run the detection in your terminal:

powerpipe detection run github_security_log_detections.detection.mfa_recovery_code_regenerated

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run github_security_log_detections.detection.mfa_recovery_code_regenerated --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
action as operation,
concat('https://github.com/', user) as resource,
actor,
tp_source_ip as source_ip,
tp_id as source_id,
*
exclude (actor, timestamp)

from
  github_security_log
where
  action in ('two_factor_authentication.recovery_codes_regenerated')
order by
  tp_timestamp desc;

Detection: MFA Recovery Codes Regenerated

Overview

Usage

SQL

Tags