Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

GitHub Two Factor Auth Disable

Back
Id3ff0fffb-d963-40c0-b235-3404f915add7
RulenameGitHub Two Factor Auth Disable
DescriptionTwo-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1562
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/(Preview) GitHub - Two Factor Authentication Disabled in GitHub.yaml
Version1.0.1
Arm template3ff0fffb-d963-40c0-b235-3404f915add7.json
Deploy To Azure
GitHubAuditData
| where Action == "org.disable_two_factor_requirement"
| project TimeGenerated, Action, Actor, Country, Repository
| extend AccountCustomEntity = Actor
triggerOperator: gt
requiredDataConnectors: []
queryPeriod: 1d
status: Available
kind: Scheduled
description: |
    'Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. '
query: |
  GitHubAuditData
  | where Action == "org.disable_two_factor_requirement"
  | project TimeGenerated, Action, Actor, Country, Repository
  | extend AccountCustomEntity = Actor  
relevantTechniques:
- T1562
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/(Preview) GitHub - Two Factor Authentication Disabled in GitHub.yaml
severity: Medium
triggerThreshold: 0
name: GitHub Two Factor Auth Disable
tactics:
- DefenseEvasion
version: 1.0.1
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
id: 3ff0fffb-d963-40c0-b235-3404f915add7
queryFrequency: 1d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3ff0fffb-d963-40c0-b235-3404f915add7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3ff0fffb-d963-40c0-b235-3404f915add7')]",
      "properties": {
        "alertRuleTemplateName": "3ff0fffb-d963-40c0-b235-3404f915add7",
        "customDetails": null,
        "description": "'Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. '\n",
        "displayName": "GitHub Two Factor Auth Disable",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/(Preview) GitHub - Two Factor Authentication Disabled in GitHub.yaml",
        "query": "GitHubAuditData\n| where Action == \"org.disable_two_factor_requirement\"\n| project TimeGenerated, Action, Actor, Country, Repository\n| extend AccountCustomEntity = Actor\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}