Detection rules › Splunk
GitHub Organizations Disable 2FA Requirement
The following analytic detects when two-factor authentication (2FA) requirements are disabled in GitHub Organizations. The detection monitors GitHub Organizations audit logs for 2FA requirement changes by tracking actor details, organization information, and associated metadata. For a SOC, identifying disabled 2FA requirements is critical as it could indicate attempts to weaken account security controls. Two-factor authentication is a fundamental security control that helps prevent unauthorized access even if passwords are compromised. Disabling 2FA requirements could allow attackers to more easily compromise accounts through password-based attacks. The impact of disabled 2FA includes increased risk of account takeover, potential access to sensitive code and intellectual property, and compromise of the software supply chain. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting broader account compromises.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1195 Supply Chain Compromise |
| Defense Impairment | T1685 Disable or Modify Tools |
Rule body splunk
name: GitHub Organizations Disable 2FA Requirement
id: 3ed0d6ba-4791-4fa8-a1ef-403e438c7033
version: 9
creation_date: '2025-01-15'
modification_date: '2026-05-13'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
description: The following analytic detects when two-factor authentication (2FA) requirements are disabled in GitHub Organizations. The detection monitors GitHub Organizations audit logs for 2FA requirement changes by tracking actor details, organization information, and associated metadata. For a SOC, identifying disabled 2FA requirements is critical as it could indicate attempts to weaken account security controls. Two-factor authentication is a fundamental security control that helps prevent unauthorized access even if passwords are compromised. Disabling 2FA requirements could allow attackers to more easily compromise accounts through password-based attacks. The impact of disabled 2FA includes increased risk of account takeover, potential access to sensitive code and intellectual property, and compromise of the software supply chain. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting broader account compromises.
data_source:
- GitHub Organizations Audit Logs
search: |-
`github_organizations` vendor_action=org.disable_two_factor_requirement
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY actor, actor_id, actor_ip,
actor_is_bot, actor_location.country_code, business,
business_id, org, org_id,
user_agent, vendor_action
| eval user=actor
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_organizations_disable_2fa_requirement_filter`
how_to_implement: You must ingest GitHub Organizations logs using Splunk Add-on for Github using a Personal Access Token https://splunk.github.io/splunk-add-on-for-github-audit-log-monitoring/Install/ .
known_false_positives: No false positives have been identified at this time.
references:
- https://splunk.github.io/splunk-add-on-for-github-audit-log-monitoring/Install/
- https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
drilldown_searches:
- name: View the detection results for - "$user$"
search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
intermediate_findings:
entities:
- field: user
type: user
score: 20
message: $user$ disabled 2FA requirement in GitHub Organizations
threat_objects:
- field: user_agent
type: http_user_agent
analytic_story:
- GitHub Malicious Activity
asset_type: GitHub
mitre_attack_id:
- T1685
- T1195
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: cloud
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_disable_two_factor_requirement/github.json
source: github
sourcetype: github:cloud:audit
test_type: unit
Stages and Predicates
Stage 1: search
`github_organizations` vendor_action=org.disable_two_factor_requirement
Stage 2: fillnull
| fillnull
Stage 3: stats
| stats count min(_time) as firstTime max(_time) as lastTime
BY actor, actor_id, actor_ip,
actor_is_bot, actor_location.country_code, business,
business_id, org, org_id,
user_agent, vendor_action
Stage 4: eval
| eval user=actor
Stage 5: search
| `security_content_ctime(firstTime)`
Stage 6: search
| `security_content_ctime(lastTime)`
Stage 7: search
| `github_organizations_disable_2fa_requirement_filter`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
sourcetype | eq |
|
vendor_action | eq |
|