What Changed
The GitHub Enterprise “Two Factor Authentication Disabled” NRT detection rule has been fixed after a complete monitoring failure caused by a table migration. The rule was still querying the deprecated GitHubAudit table instead of the current GitHubAuditData table, so it matched no events and provided no detection coverage at all.
Detection Logic
- Data Source: GitHubAuditData (corrected from deprecated GitHubAudit)
- Core Logic: Monitors org.disable_two_factor_requirement audit events to detect when organization-wide 2FA requirements are disabled
- Entity Mapping: Account entity (Name, UPNSuffix). The IP address mapping was removed because that field is not present in the new parser output, so alerts from this rule no longer carry an IP entity.
- Detection Type: Near Real Time (NRT) rule for immediate alerting
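The detection logic above, re-implemented as an added example (this is my illustration, not the Sentinel solution's own rule, which is written in KQL). It runs the match over constructed GitHub Enterprise audit-log events, builds the Account entity fields (Name, UPNSuffix) from the actor, and includes the regression check a reviewer would want after this incident: a scan of a rule query for the deprecated GitHubAudit source name. The event field names (action, actor, org, created_at) follow the shape of the GitHub audit log API, and the KQL column names Action and Actor in the before/after query strings are assumptions, not the rule's verbatim text.

```python
import json
import re

# Constructed sample input (not real telemetry): GitHub Enterprise audit-log
# entries as newline-delimited JSON. Field names follow the GitHub audit log
# API shape (action, actor, org, created_at) as an assumption. Actor formats
# vary in practice, so one event has an e-mail style actor and one a bare login.
SAMPLE_AUDIT_LOG = """\
{"action": "repo.create", "actor": "alice@example.com", "org": "contoso", "created_at": 1700000000000}
{"action": "org.disable_two_factor_requirement", "actor": "mallory@example.com", "org": "contoso", "created_at": 1700000060000}
{"action": "org.enable_two_factor_requirement", "actor": "alice@example.com", "org": "contoso", "created_at": 1700000120000}
{"action": "org.disable_two_factor_requirement", "actor": "svc-admin", "org": "fabrikam", "created_at": 1700000180000}
"""

# The single audit action the rule watches. Re-enabling 2FA is deliberately not matched.
WATCHED_ACTION = "org.disable_two_factor_requirement"


def split_account(actor):
    """Map an actor string onto the Account entity fields (Name, UPNSuffix).

    GitHub actors are often bare logins with no '@'. In that case UPNSuffix is
    left empty rather than dropping the event, so the alert still fires.
    """
    name, sep, suffix = actor.partition("@")
    return name, (suffix if sep else "")


def detect_2fa_disabled(ndjson_text):
    """Return one finding per org.disable_two_factor_requirement event."""
    findings = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("action") != WATCHED_ACTION:
            continue
        name, suffix = split_account(str(event.get("actor", "")))
        findings.append({
            "Organization": event.get("org"),
            "AccountName": name,
            "AccountUPNSuffix": suffix,
            "TimeGenerated": event.get("created_at"),
        })
    return findings


# Deprecated source name as a whole token; the trailing \b keeps the current
# GitHubAuditData name from matching.
DEPRECATED_SOURCE = re.compile(r"\bGitHubAudit\b")


def find_deprecated_sources(kql_query):
    """Return 1-based line numbers of a KQL query that still read GitHubAudit.

    A query against a table or function that no longer exists does not return
    an empty result set; it fails outright, which is how a rule goes silent.
    """
    return [
        lineno
        for lineno, text in enumerate(kql_query.splitlines(), start=1)
        if DEPRECATED_SOURCE.search(text)
    ]


# Constructed before/after queries illustrating the fix (illustrative KQL only;
# the column names Action and Actor are assumptions).
OLD_QUERY = """GitHubAudit
| where Action == "org.disable_two_factor_requirement"
| extend AccountName = tostring(split(Actor, "@")[0]), AccountUPNSuffix = tostring(split(Actor, "@")[1])"""
NEW_QUERY = OLD_QUERY.replace("GitHubAudit\n", "GitHubAuditData\n", 1)


if __name__ == "__main__":
    for finding in detect_2fa_disabled(SAMPLE_AUDIT_LOG):
        print("ALERT 2FA requirement disabled:", finding)
    print("deprecated source on lines (old):", find_deprecated_sources(OLD_QUERY))
    print("deprecated source on lines (new):", find_deprecated_sources(NEW_QUERY))
```

The regex check is the cheap guardrail: run it over every analytic rule query in the solution when a parser or table is renamed, so a stale source name is caught at review time instead of by a missing alert months later.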
Security Impact (Visibility & Fidelity)
Critical blind spot eliminated: Deployments running the previous version had a complete detection failure for GitHub Enterprise 2FA policy changes. The rule produced zero alerts because it was querying a table name that no longer exists; such a query fails rather than returning an empty result, so the gap shows up in the rule's run history rather than in the alert queue, and operators should review that history for the affected period to scope their exposure.
Organizations using GitHub Enterprise with this rule experienced an undetected gap in monitoring for:
- Malicious disabling of organization-wide 2FA requirements
- Insider threats weakening authentication policies
- Compliance violations related to multi-factor authentication enforcement
This represents a complete loss of this rule's T1562 (Impair Defenses) coverage for GitHub Enterprise environments until the fix is deployed.
MITRE Mapping
- T1562 - Impair Defenses: Detects when attackers disable 2FA requirements to weaken organizational security controls
Affected Files
Solutions/ContentHubSolutionsCatalog.md
Solutions/GitHub/Analytic Rules/NRT Two Factor Authentication Disabled.yaml
(packaging artefacts: 3.1.4.zip, ReleaseNotes.md, Solution_GitHub.json, mainTemplate.json)