EXPLORE
Sign In
← Back to Explore
splunk_escuAnomaly

GitHub Enterprise Disable 2FA Requirement

The following analytic detects when two-factor authentication (2FA) requirements are disabled in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for 2FA requirement changes by tracking actor details, organization information, and associated metadata. For a SOC, identifying disabled 2FA requirements is critical as it could indicate attempts to weaken account security controls. Two-factor authentication is a fundamental security control that helps prevent unauthorized access even if passwords are compromised. Disabling 2FA requirements could allow attackers to more easily compromise accounts through password-based attacks. The impact of disabled 2FA includes increased risk of account takeover, potential access to sensitive code and intellectual property, and compromise of the software supply chain. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting broader account compromises.

MITRE ATT&CK

T1562.001T1195

Detection Query

`github_enterprise` action=org.disable_two_factor_requirement OR action=business.disable_two_factor_requirement
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor, actor_id, actor_is_bot,
       actor_location.country_code, business, business_id,
       user_agent, action
  | eval user=actor
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `github_enterprise_disable_2fa_requirement_filter`

Author

Patrick Bareiss, Splunk

Created

2026-03-10

Data Sources

GitHub Enterprise Audit Logs

References

Tags

GitHub Malicious Activity
Raw Content
name: GitHub Enterprise Disable 2FA Requirement
id: 5a773226-ebd7-480c-a819-fccacfeddcd9
version: 5
date: '2026-03-10'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
description: The following analytic detects when two-factor authentication (2FA) requirements are disabled in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for 2FA requirement changes by tracking actor details, organization information, and associated metadata. For a SOC, identifying disabled 2FA requirements is critical as it could indicate attempts to weaken account security controls. Two-factor authentication is a fundamental security control that helps prevent unauthorized access even if passwords are compromised. Disabling 2FA requirements could allow attackers to more easily compromise accounts through password-based attacks. The impact of disabled 2FA includes increased risk of account takeover, potential access to sensitive code and intellectual property, and compromise of the software supply chain. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting broader account compromises.
data_source:
    - GitHub Enterprise Audit Logs
search: |-
    `github_enterprise` action=org.disable_two_factor_requirement OR action=business.disable_two_factor_requirement
      | fillnull
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY actor, actor_id, actor_is_bot,
           actor_location.country_code, business, business_id,
           user_agent, action
      | eval user=actor
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `github_enterprise_disable_2fa_requirement_filter`
how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
known_false_positives: No false positives have been identified at this time.
references:
    - https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: $user$ disabled 2FA requirement
    risk_objects:
        - field: user
          type: user
          score: 20
    threat_objects:
        - field: user_agent
          type: http_user_agent
tags:
    analytic_story:
        - GitHub Malicious Activity
    asset_type: GitHub
    mitre_attack_id:
        - T1562.001
        - T1195
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/github_disable_two_factor_requirement/github.json
          source: http:github
          sourcetype: httpevent