
GitHub SSO configuration modified for organization or Enterprise account

ID: github_sso_configuration_modified
Data type: GitHub
Severity: Low
MITRE ATT&CK: TA0005 (Defense Evasion) / T1562.001 (Impair Defenses: Disable or Modify Tools)

Description

AlphaSOC detected a modification to the GitHub single sign-on (SSO) configuration of an organization or Enterprise account. These settings control how users authenticate through the identity provider (IdP) before they can reach organizational resources such as repositories, issues, and pull requests.

Impact

Modifying SSO settings can weaken or bypass authentication controls and open organizational resources to unauthorized access. A threat actor who disables SSO enforcement, or repoints the configuration at an identity provider under their control, can reach repositories, intellectual property, and development resources with sessions that look like ordinary authenticated access, which makes the intrusion harder to distinguish from legitimate activity.

Severity

Severity: Low
Condition: GitHub SSO configuration modified for an organization or Enterprise account

Investigation and Remediation

Review the GitHub audit log for the specific SSO configuration change events (for example, SAML being enabled or disabled, or SAML provider settings being updated) and identify the user or integration that made them. Verify that the change matches an approved change request, and examine IdP logs around the same time for suspicious authentication patterns, such as sign-ins from new locations or a new issuer or certificate being used. If the change is unauthorized, restore the previous SSO configuration, rotate any credentials and access tokens that could have been obtained while the weaker configuration was in place, and consider adding dedicated monitoring for SSO configuration changes.
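The triage below is an added example, not part of the original page or AlphaSOC's own detection logic. It reads audit-log events in the JSON shape returned by GitHub's organization and enterprise audit-log API, keeps only the SSO-related actions, and checks each one against a list of approved change records (actor, target, change window, ticket). The SSO action names are assumed to match GitHub's documented audit-log actions; the sample events, the approved-change records, and the `CHG-1042` ticket are constructed for the example.

```python
"""Triage GitHub audit-log events for SSO configuration changes (added example)."""
import json
from datetime import datetime, timezone

# Audit-log actions that change SAML/SSO settings. Assumption: these match
# GitHub's documented action names for organizations and enterprises.
SSO_ACTIONS = {
    "org.enable_saml",
    "org.disable_saml",
    "org.update_saml_provider_settings",
    "business.enable_saml",
    "business.disable_saml",
    "business.update_saml_provider_settings",
}

# Constructed sample events (newline-delimited JSON). Timestamps are epoch ms,
# as in the "@timestamp" field of the GitHub audit-log API.
RAW_LOG = """
{"@timestamp": 1709547300000, "action": "org.update_saml_provider_settings", "actor": "octo-admin", "org": "acme-corp"}
{"@timestamp": 1709550000000, "action": "repo.create", "actor": "dev-alice", "org": "acme-corp", "repo": "acme-corp/api"}
{"@timestamp": 1709595600000, "action": "org.update_saml_provider_settings", "actor": "octo-admin", "org": "acme-corp"}
{"@timestamp": 1709604300000, "action": "business.disable_saml", "actor": "contractor-bot", "business": "acme-enterprise"}
"""

# Constructed approved-change records from a change-management system.
APPROVED_CHANGES = [
    {
        "ticket": "CHG-1042",
        "actor": "octo-admin",
        "target": "acme-corp",
        "start": datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc),
        "end": datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc),
    },
]


def parse_events(raw_lines):
    """Parse newline-delimited JSON audit events, skipping blank or malformed lines."""
    events = []
    for line in raw_lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def event_time(ev):
    """Convert the epoch-millisecond timestamp to an aware UTC datetime."""
    return datetime.fromtimestamp(ev["@timestamp"] / 1000, tz=timezone.utc)


def target_of(ev):
    """SSO settings live on an organization or an enterprise ("business")."""
    return ev.get("org") or ev.get("business")


def approval_ticket(ev, approved_changes):
    """Return the ticket that authorizes this event, or None.

    A change is approved only when a record names the same actor and target
    and the event time falls inside the record's change window.
    """
    t = event_time(ev)
    for chg in approved_changes:
        if (chg["actor"] == ev.get("actor")
                and chg["target"] == target_of(ev)
                and chg["start"] <= t <= chg["end"]):
            return chg["ticket"]
    return None


def triage(events, approved_changes):
    """Keep SSO-related events and label each as approved or unauthorized."""
    findings = []
    for ev in events:
        if ev.get("action") not in SSO_ACTIONS:
            continue
        ticket = approval_ticket(ev, approved_changes)
        findings.append({
            "time": event_time(ev).isoformat(),
            "actor": ev.get("actor"),
            "target": target_of(ev),
            "action": ev["action"],
            "ticket": ticket,
            "verdict": "approved" if ticket else "UNAUTHORIZED",
        })
    return findings


def run_triage():
    """Run the triage over the constructed sample log."""
    return triage(parse_events(RAW_LOG.splitlines()), APPROVED_CHANGES)


if __name__ == "__main__":
    for f in run_triage():
        print(f"{f['time']} {f['verdict']:12} {f['action']:40} {f['actor']} -> {f['target']} ticket={f['ticket']}")
```

On the sample data the first `org.update_saml_provider_settings` event falls inside the CHG-1042 window and is marked approved, the second one by the same administrator happens late at night outside any window and is flagged, and the enterprise-level `business.disable_saml` by an unexpected actor is flagged as well. Real events can be pulled with the audit-log API (for example `gh api '/orgs/<org>/audit-log?phrase=action:org.update_saml_provider_settings'`); the flagged events are the ones whose actor and timing should then be cross-checked against IdP sign-in logs.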

Known False Positives

  • Planned SSO configuration changes as part of identity management updates
  • Administrator testing of SSO settings
  • Routine maintenance of identity provider integrations
  • Automated updates from integrated identity management systems