Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. GitHub Two Factor Auth Disable

GitHub Two Factor Auth Disable

Back
Id3ff0fffb-d963-40c0-b235-3404f915add7
RulenameGitHub Two Factor Auth Disable
DescriptionTwo-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1562
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/(Preview) GitHub - Two Factor Authentication Disabled in GitHub.yaml
Version1.0.2
Arm template3ff0fffb-d963-40c0-b235-3404f915add7.json
Deploy To Azure
GitHubAuditData
| where Action == "org.disable_two_factor_requirement"
| project TimeGenerated, Action, Actor, Country, Repository
| extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)
| extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")

version: 1.0.2
id: 3ff0fffb-d963-40c0-b235-3404f915add7
tactics:
- DefenseEvasion
query: |
  GitHubAuditData
  | where Action == "org.disable_two_factor_requirement"
  | project TimeGenerated, Action, Actor, Country, Repository
  | extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)
  | extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")  
requiredDataConnectors: []
description: |
    'Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. '
queryPeriod: 1d
status: Available
queryFrequency: 1d
severity: Medium
kind: Scheduled
triggerOperator: gt
entityMappings:
- fieldMappings:
  - columnName: Actor
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/(Preview) GitHub - Two Factor Authentication Disabled in GitHub.yaml
name: GitHub Two Factor Auth Disable
relevantTechniques:
- T1562