30 строки
1.1 KiB
YAML
30 строки
1.1 KiB
YAML
id: 3ff0fffb-d963-40c0-b235-3404f915add7
|
|
name: GitHub Two Factor Auth Disable
|
|
description: |
|
|
'Two-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan. Two factor authentication reduces the risk of account takeover. Attacker will want to disable such security tools in order to go undetected. '
|
|
severity: Medium
|
|
requiredDataConnectors: []
|
|
queryFrequency: 1d
|
|
queryPeriod: 1d
|
|
triggerOperator: gt
|
|
triggerThreshold: 0
|
|
tactics:
|
|
- DefenseEvasion
|
|
relevantTechniques:
|
|
- T1562
|
|
query: |
|
|
|
|
GitHubAudit
|
|
| where Action == "org.disable_two_factor_requirement"
|
|
| project TimeGenerated, Action, Actor, Country, IPaddress, Repository
|
|
| extend AccountCustomEntity = Actor, IPCustomEntity = IPaddress
|
|
entityMappings:
|
|
- entityType: Account
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: AccountCustomEntity
|
|
- entityType: IP
|
|
fieldMappings:
|
|
- identifier: Address
|
|
columnName: IPCustomEntity
|
|
version: 1.0.0 |