
Summary
This detection rule monitors GitHub Enterprise audit logs to identify instances where the requirement for two-factor authentication (2FA) has been disabled. It captures details about the actor making the change, along with organization information and relevant metadata. The rationale for this detection is the critical security impact of disabling 2FA: it significantly increases the risk of account compromise and unauthorized access to sensitive repositories and intellectual property. Disabling 2FA may also be one step in a broader attack, where adversaries weaken account security controls before launching more severe actions. By analyzing these logs, organizations can act promptly to mitigate the risks associated with such changes and safeguard their assets against potential threats.
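As an added illustration (not the rule's own query or the project's code), the following Python check scans GitHub Enterprise audit log export lines for the organization-level 2FA-requirement removal event and pulls out the actor and organization fields the summary refers to. It assumes the JSON-lines export format and the `org.disable_two_factor_requirement` action name from GitHub's documented audit log schema; the sample lines are constructed.

```python
import json
from typing import Iterator

# Documented GitHub audit log action emitted when an owner removes the
# org-wide 2FA requirement (assumed schema; see lead-in).
DISABLE_2FA_ACTION = "org.disable_two_factor_requirement"

# Constructed sample audit log export (JSON lines); not real data.
SAMPLE_AUDIT_LOG = """\
{"@timestamp": 1737100000000, "action": "org.enable_two_factor_requirement", "actor": "alice", "org": "example-org", "actor_ip": "192.0.2.10"}
{"@timestamp": 1737100600000, "action": "repo.create", "actor": "bob", "org": "example-org", "repo": "example-org/tools"}
{"@timestamp": 1737101200000, "action": "org.disable_two_factor_requirement", "actor": "mallory", "org": "example-org", "actor_ip": "198.51.100.7", "user_agent": "Mozilla/5.0"}
{"@timestamp": 1737101800000, "action": "org.disable_two_factor_requirement", "actor": "carol", "org": "second-org", "actor_ip": "203.0.113.5"}
not valid json
"""


def iter_events(raw: str) -> Iterator[dict]:
    """Yield parsed events, skipping blank or malformed lines so one
    bad record does not drop the whole batch."""
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def detect_2fa_disabled(raw: str) -> list[dict]:
    """Return one alert per 2FA-requirement removal, carrying the actor,
    organization and request metadata an analyst needs for triage."""
    alerts = []
    for event in iter_events(raw):
        if event.get("action") != DISABLE_2FA_ACTION:
            continue
        alerts.append({
            "timestamp": event.get("@timestamp"),
            "action": event["action"],
            "actor": event.get("actor"),
            "org": event.get("org"),
            "actor_ip": event.get("actor_ip"),
            "user_agent": event.get("user_agent"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_2fa_disabled(SAMPLE_AUDIT_LOG):
        print(alert)
```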
Categories
- Cloud
- Identity Management
Data Sources
- Web Credential
- Application Log
ATT&CK Techniques
- T1562.001
- T1195
Created: 2025-01-17