GitHub Repo

Detection: GitHub Enterprise Disable 2FA Requirement

Updated Date: 2026-05-13 ID: 5a773226-ebd7-480c-a819-fccacfeddcd9 Author: Patrick Bareiss, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic detects when two-factor authentication (2FA) requirements are disabled in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for 2FA requirement changes by tracking actor details, organization information, and associated metadata. For a SOC, identifying disabled 2FA requirements is critical as it could indicate attempts to weaken account security controls. Two-factor authentication is a fundamental security control that helps prevent unauthorized access even if passwords are compromised. Disabling 2FA requirements could allow attackers to more easily compromise accounts through password-based attacks. The impact of disabled 2FA includes increased risk of account takeover, potential access to sensitive code and intellectual property, and compromise of the software supply chain. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting broader account compromises.

 1`github_enterprise` action=org.disable_two_factor_requirement OR action=business.disable_two_factor_requirement
 2  
 3| fillnull
 4  
 5| stats count min(_time) as firstTime max(_time) as lastTime
 6    BY actor, actor_id, actor_is_bot,
 7       actor_location.country_code, business, business_id,
 8       user_agent, action
 9  
10| eval user=actor
11  
12| `security_content_ctime(firstTime)`
13  
14| `security_content_ctime(lastTime)`
15  
16| `github_enterprise_disable_2fa_requirement_filter`

Data Source

Name Platform Sourcetype Source
GitHub Enterprise Audit Logs Other 'httpevent' 'http:github'

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
github_enterprise_disable_2fa_requirement_filter search *
github_enterprise_disable_2fa_requirement_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1195 Supply Chain Compromise Initial Access
T1685 Disable or Modify Tools Defense Impairment
Exploitation
Delivery
DE.AE
CIS 13

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Finding (Notable) No
Creates Intermediate Finding (Risk Event) Yes
Anomaly detections generate Intermediate Findings (Risk Events). They do not generate a Finding (Notable) directly.

Implementation

You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.

Known False Positives

No false positives have been identified at this time.

Associated Analytic Story

Intermediate Findings

Message Entity Field Entity Type Risk Score
$user$ disabled 2FA requirement user user 20

Threat Objects

Field Type
user_agent http_user_agent

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset http:github httpevent
Integration ✅ Passing Dataset http:github httpevent

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 8