Github High Risk Configuration Disabled

 1title: Github High Risk Configuration Disabled
 2id: 8622c92d-c00e-463c-b09d-fd06166f6794
 3status: test
 4description: Detects when a user disables a critical security feature for an organization.
 5references:
 6    - https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization
 7    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions
 8    - https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository
 9    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise
10author: Muhammad Faisal (@faisalusuf)
11date: 2023/01/29
12modified: 2024/07/22
13tags:
14    - attack.credential_access
15    - attack.defense_evasion
16    - attack.persistence
17    - attack.t1556
18logsource:
19    product: github
20    service: audit
21    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
22detection:
23    selection:
24        action:
25            - 'business_advanced_security.disabled_for_new_repos'
26            - 'business_advanced_security.disabled_for_new_user_namespace_repos'
27            - 'business_advanced_security.disabled'
28            - 'business_advanced_security.user_namespace_repos_disabled'
29            - 'org.advanced_security_disabled_for_new_repos'
30            - 'org.advanced_security_disabled_on_all_repos'
31            - 'org.advanced_security_policy_selected_member_disabled'
32            - 'org.disable_oauth_app_restrictions'
33            - 'org.disable_two_factor_requirement'
34            - 'repo.advanced_security_disabled'
35    condition: selection
36falsepositives:
37    - Approved administrator/owner activities.
38level: high

References

• Disabling OAuth app access restrictions for your organization - GitHub Docs

  

  Organization owners can disable restrictions on the OAuth apps that have access to the organization's resources.

  
  Read More

• Reviewing the audit log for your organization - GitHub Docs

  

  The audit log allows organization admins to quickly review the actions performed by members of your organization. It includes details such as who performed the action, what the action was, and when it was performed.

  
  Read More

• Managing security and analysis settings for your repository - GitHub Docs

  

  You can control features that secure and analyze the code in your project on GitHub.

  
  Read More

• Audit log events for your enterprise - GitHub Enterprise Cloud Docs

  

  Review the events recorded in an enterprise's audit log.

  
  Read More

Related rules

• Change to Authentication Method
• CA Policy Removed by Non Approved Actor
• CA Policy Updated by Non Approved Actor
• User Added To Group With CA Policy Modification Access
• User Removed From Group With CA Policy Modification Access