LoFP / approved administrator/owner activities.

Techniques

Sample rules

Github High Risk Configuration Disabled

Description

Detects when a user disables a critical security feature for an organization.

Detection logic

condition: selection
selection:
  action:
  - org.advanced_security_policy_selected_member_disabled
  - org.disable_oauth_app_restrictions
  - org.disable_two_factor_requirement
  - repo.advanced_security_disabled