GitHub SSO configuration modified for organization or Enterprise account
Description
AlphaSOC detected modifications to the GitHub single sign-on (SSO) configuration settings. These changes affect how users authenticate to access organizational resources, including repositories, issues, and pull requests, via identity provider (IDP) authentication.
Impact
Modifying SSO settings could potentially bypass security controls and allow unauthorized access to organizational resources. Threat actors might leverage these changes to gain access to repositories, intellectual property, and development resources while potentially evading detection through normal authentication channels.
Severity
| Severity | Condition |
|---|---|
| Low | GitHub SSO configuration modified for an organization or Enterprise account |
Investigation and Remediation
Review GitHub audit logs for the specific SSO configuration changes, and determine which user executed the modifications. Verify that the changes align with the approved change management processes, and examine the IDP logs for any suspicious authentication patterns. If unauthorized changes are discovered, revert to the previous SSO configuration, rotate affected credentials and access tokens, and consider implementing additional monitoring of SSO configuration changes.
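The triage step above (pull the SSO-related events out of the audit log, attribute each to an actor, and compare against the approved change record) can be scripted over a GitHub audit log JSON export. The following is an added example, not AlphaSOC's or GitHub's code. It assumes the export is newline-delimited JSON with `action`, `actor`, `org`/`business` and `@timestamp` fields, and it assumes the SAML-related action names listed in `SSO_ACTIONS`; confirm both against GitHub's audit log event reference for your plan before relying on them. The sample records and the `APPROVED_CHANGE_ACTORS` set are constructed for illustration.

```python
import json
from collections import Counter

# Assumed GitHub audit log action names for SSO configuration changes
# (organization-level "org.*" and enterprise-level "business.*").
# Verify against GitHub's audit log event reference before relying on them.
SSO_ACTIONS = {
    "org.enable_saml",
    "org.disable_saml",
    "org.update_saml_provider_settings",
    "business.enable_saml",
    "business.disable_saml",
    "business.update_saml_provider_settings",
}

# Constructed sample export (newline-delimited JSON); not real audit data.
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"@timestamp": 1700000000000, "action": "repo.create",
     "actor": "dev-alice", "org": "example-org"},
    {"@timestamp": 1700000100000, "action": "org.update_saml_provider_settings",
     "actor": "it-admin", "org": "example-org"},
    {"@timestamp": 1700000200000, "action": "org.disable_saml",
     "actor": "contractor-bob", "org": "example-org"},
    {"@timestamp": 1700000300000, "action": "business.update_saml_provider_settings",
     "actor": "it-admin", "business": "example-enterprise"},
])

# Assumed: actors named in approved change tickets for the review window.
APPROVED_CHANGE_ACTORS = {"it-admin"}


def parse_export(text):
    """Parse a newline-delimited JSON audit log export into a list of dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue  # tolerate blank lines in the export
        records.append(json.loads(line))
    return records


def find_sso_changes(records):
    """Return only the events that change SSO configuration, normalised for review."""
    hits = []
    for r in records:
        if r.get("action") not in SSO_ACTIONS:
            continue
        hits.append({
            "timestamp": r.get("@timestamp"),
            "action": r["action"],
            "actor": r.get("actor", "<unknown>"),
            # Organization events carry "org"; enterprise events carry "business".
            "scope": r.get("org") or r.get("business") or "<unknown>",
        })
    return hits


def unapproved_changes(hits, approved):
    """SSO changes whose actor is not in the approved change record."""
    return [h for h in hits if h["actor"] not in approved]


def actor_summary(hits):
    """Count SSO configuration changes per actor."""
    return dict(Counter(h["actor"] for h in hits))


if __name__ == "__main__":
    hits = find_sso_changes(parse_export(SAMPLE_EXPORT))
    for h in hits:
        print(h)
    print("per actor:", actor_summary(hits))
    for h in unapproved_changes(hits, APPROVED_CHANGE_ACTORS):
        print("REVIEW: unapproved SSO change", h)
```

Changes that appear in `unapproved_changes` are the ones to cross-check against IDP logs and the change management record; a disable event from an actor with no matching ticket is the case the remediation guidance above (revert, rotate credentials and tokens) is written for.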
Known False Positives
- Planned SSO configuration changes as part of identity management updates
- Administrator testing of SSO settings
- Routine maintenance of identity provider integrations
- Automated updates from integrated identity management systems