GitHubAudit
| where Action == "org.disable_two_factor_requirement"
| project TimeGenerated, Action, Actor, Country, IPaddress, Repository
| extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)
| extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")
description: |
'Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. '
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/NRT Two Factor Authentication Disabled.yaml
query: |
GitHubAudit
| where Action == "org.disable_two_factor_requirement"
| project TimeGenerated, Action, Actor, Country, IPaddress, Repository
| extend Name = iif(Actor contains "@", split(Actor, "@")[0], Actor)
| extend UPNSuffix = iif(Actor contains "@", split(Actor, "@")[1], "")
id: 594c653d-719a-4c23-b028-36e3413e632e
name: NRT GitHub Two Factor Auth Disable
severity: Medium
tactics:
- DefenseEvasion
kind: NRT
entityMappings:
- fieldMappings:
- columnName: Actor
identifier: FullName
- columnName: Name
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: IPaddress
identifier: Address
entityType: IP
relevantTechniques:
- T1562
requiredDataConnectors: []
