|
| 1 | +name: GitHub Enterprise Disable 2FA Requirement |
| 2 | +id: 5a773226-ebd7-480c-a819-fccacfeddcd9 |
| 3 | +version: 1 |
| 4 | +date: '2025-01-17' |
| 5 | +author: Patrick Bareiss, Splunk |
| 6 | +status: production |
| 7 | +type: Anomaly |
| 8 | +description: The following analytic detects when two-factor authentication (2FA) requirements are disabled in GitHub Enterprise. |
| 9 | + The detection monitors GitHub Enterprise audit logs for 2FA requirement changes by tracking actor details, organization information, |
| 10 | + and associated metadata. For a SOC, identifying disabled 2FA requirements is critical as it could indicate attempts to weaken |
| 11 | + account security controls. Two-factor authentication is a fundamental security control that helps prevent unauthorized access even if |
| 12 | + passwords are compromised. Disabling 2FA requirements could allow attackers to more easily compromise accounts through password-based attacks. |
| 13 | + The impact of disabled 2FA includes increased risk of account takeover, potential access to sensitive code and intellectual property, and |
| 14 | + compromise of the software supply chain. This activity could be part of a larger attack chain where an adversary first disables |
| 15 | + security controls before attempting broader account compromises. |
| 16 | +data_source: |
| 17 | +- GitHub Enterprise Audit Logs |
| 18 | +search: '`github_enterprise` action=org.disable_two_factor_requirement OR action=business.disable_two_factor_requirement |
| 19 | + | fillnull |
| 20 | + | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_is_bot, actor_location.country_code, business, business_id, user_agent, action |
| 21 | + | eval user=actor |
| 22 | + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |
| 23 | + | `github_enterprise_disable_2FA_requirement_filter`' |
| 24 | +how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector. |
| 25 | +known_false_positives: unknown |
| 26 | +references: |
| 27 | +- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610 |
| 28 | +- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk |
| 29 | +drilldown_searches: |
| 30 | +- name: View the detection results for - "$user$" |
| 31 | + search: '%original_detection_search% | search user = "$user$"' |
| 32 | + earliest_offset: $info_min_time$ |
| 33 | + latest_offset: $info_max_time$ |
| 34 | +- name: View risk events for the last 7 days for - "$user$" |
| 35 | + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' |
| 36 | + earliest_offset: $info_min_time$ |
| 37 | + latest_offset: $info_max_time$ |
| 38 | +tags: |
| 39 | + analytic_story: |
| 40 | + - GitHub Malicious Activity |
| 41 | + asset_type: GitHub |
| 42 | + confidence: 90 |
| 43 | + impact: 30 |
| 44 | + message: $user$ disabled 2FA requirement |
| 45 | + mitre_attack_id: |
| 46 | + - T1562.001 |
| 47 | + observable: |
| 48 | + - name: user |
| 49 | + type: User |
| 50 | + role: |
| 51 | + - Victim |
| 52 | + product: |
| 53 | + - Splunk Enterprise |
| 54 | + - Splunk Enterprise Security |
| 55 | + - Splunk Cloud |
| 56 | + required_fields: |
| 57 | + - actor |
| 58 | + - actor_id |
| 59 | + - actor_is_bot |
| 60 | + - actor_location.country_code |
| 61 | + - business |
| 62 | + - business_id |
| 63 | + - user_agent |
| 64 | + risk_score: 27 |
| 65 | + security_domain: network |
| 66 | +tests: |
| 67 | +- name: True Positive Test |
| 68 | + attack_data: |
| 69 | + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_disable_two_factor_requirement/github.json |
| 70 | + source: http:github |
| 71 | + sourcetype: httpevent |
| 72 | + |
| 73 | + |
0 commit comments