Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

GitHub Two Factor Auth Disable

Back
Id3ff0fffb-d963-40c0-b235-3404f915add7
RulenameGitHub Two Factor Auth Disable
DescriptionTwo-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1562
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/(Preview) GitHub - Two Factor Authentication Disabled in GitHub.yaml
Version1.0.2
Arm template3ff0fffb-d963-40c0-b235-3404f915add7.json
Deploy To Azure
GitHubAuditData
| where Action == "org.disable_two_factor_requirement"
| project TimeGenerated, Action, Actor, Country, Repository
| extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)
| extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")
queryFrequency: 1d
tactics:
- DefenseEvasion
queryPeriod: 1d
kind: Scheduled
relevantTechniques:
- T1562
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/(Preview) GitHub - Two Factor Authentication Disabled in GitHub.yaml
description: |
    'Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. '
requiredDataConnectors: []
version: 1.0.2
triggerThreshold: 0
severity: Medium
triggerOperator: gt
id: 3ff0fffb-d963-40c0-b235-3404f915add7
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Actor
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
status: Available
name: GitHub Two Factor Auth Disable
query: |
  GitHubAuditData
  | where Action == "org.disable_two_factor_requirement"
  | project TimeGenerated, Action, Actor, Country, Repository
  | extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)
  | extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3ff0fffb-d963-40c0-b235-3404f915add7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3ff0fffb-d963-40c0-b235-3404f915add7')]",
      "properties": {
        "alertRuleTemplateName": "3ff0fffb-d963-40c0-b235-3404f915add7",
        "customDetails": null,
        "description": "'Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. '\n",
        "displayName": "GitHub Two Factor Auth Disable",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Actor",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/(Preview) GitHub - Two Factor Authentication Disabled in GitHub.yaml",
        "query": "GitHubAuditData\n| where Action == \"org.disable_two_factor_requirement\"\n| project TimeGenerated, Action, Actor, Country, Repository\n| extend Name = iif(Actor contains \"@\", split(Actor, \"@\")[0], Actor)\n| extend UPNSuffix = iif(Actor contains \"@\", split(Actor, \"@\")[1], \"\")\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}