Microsoft Sentinel is a cloud-native security information and event management (SIEM) service that uses artificial intelligence (AI) to analyze security data from various sources and detect threats. GitHub is a platform for hosting, managing, and collaborating on software development projects using Git. By integrating Microsoft Sentinel with GitHub, you can monitor and protect your GitHub repositories, track user activities, and automate security workflows.
In this article, we will show you how to use Microsoft Sentinel with GitHub in two ways:
Using webhooks, and…
Using audit logs
Webhooks are HTTP POST callbacks that GitHub sends to a URL you specify when selected events occur in a repository or organization; each delivery names its event type in the X-GitHub-Event header and, if you configure a secret, carries an HMAC-SHA256 signature in the X-Hub-Signature-256 header. Audit logs are GitHub's record of administrative actions in your organization or enterprise: who did what, to which resource, and when.
Requirements:
Both methods require a Microsoft Sentinel workspace. Webhooks work with any GitHub repository, while the audit log connector needs a GitHub Enterprise Cloud organization, because the audit log REST API is only available there, and a token belonging to an organization owner.
Using Webhooks
To use webhooks with Microsoft Sentinel, you need an Azure Function app that receives webhook deliveries from GitHub and writes them to your Microsoft Sentinel workspace, and a webhook in GitHub that points at that function. The steps are as follows:
Deploy the Azure Function app. The connector page in Microsoft Sentinel (Data connectors > GitHub (using Webhooks) (using Azure Functions)) provides a Deploy to Azure template; it asks for the Log Analytics workspace ID and primary key that the function uses to write rows into GitHub_CL.
Copy the function URL from the Function app (Get Function Url). With the default function-level authorization, that URL includes the function key, which is what stops anyone on the internet from posting to the endpoint, so handle it as a secret.
Go to the GitHub repository you want to monitor (or the organization, if you want one webhook covering all of its repositories).
Go to Settings > Webhooks and click on Add webhook.
Paste the function URL in the Payload URL field, select application/json as the Content type, and set a Secret. GitHub uses the secret to sign every delivery with HMAC-SHA256 in the X-Hub-Signature-256 header; a receiver that does not verify that signature will accept any JSON posted to its URL.
Choose the events that trigger the webhook, either individual events or all of them. Whatever you choose, the event type travels in the X-GitHub-Event header rather than in the JSON body, so the receiver must record it for the rows in Sentinel to be interpretable.
Click on Add webhook to save the configuration. GitHub sends a ping event immediately; its status under Recent Deliveries tells you whether the function accepted it.
Now, whenever the selected events occur in your GitHub repository, GitHub will send a webhook event to the Azure Function app, which will forward it to your Microsoft Sentinel workspace. You can view the webhook data in Microsoft Sentinel by going to:
Data connectors > GitHub (using Webhooks) (using Azure Function) > Logs > GitHub_CL
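The receiving side of the procedure above, as an added example for this article rather than the Sentinel connector's own function code: it verifies the X-Hub-Signature-256 signature against the webhook secret before trusting anything in the body, then flattens the delivery into one record that carries the event type from the X-GitHub-Event header. The receiver is assumed to hand over the raw request body and headers (as an Azure Function HTTP trigger does); the function names, the secret and the sample delivery are all constructed here.

```python
"""Verify and normalize a GitHub webhook delivery before forwarding it.

Added example for this article; it is not the Sentinel connector's own
function code. It assumes the receiver (for instance an Azure Function HTTP
trigger) hands over the raw request body and headers; every function and
sample below is ours.
"""
import hashlib
import hmac
import json
from typing import Mapping, Optional


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive; look the value up that way."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def sign_body(secret: str, body: bytes) -> str:
    """GitHub's signature format: 'sha256=' + hex(HMAC-SHA256(secret, raw body))."""
    digest = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_signature(secret: str, body: bytes, signature: Optional[str]) -> bool:
    """Reject unsigned or mis-signed deliveries. compare_digest avoids a timing
    side channel; the raw body must be used, not a re-serialized copy."""
    if not signature or not signature.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), signature)


def normalize_event(headers: Mapping[str, str], body: bytes) -> dict:
    """Flatten one delivery into a log record. The event type is carried only
    in the X-GitHub-Event header, so it has to be copied into the record or the
    row cannot be told apart from other event types later."""
    payload = json.loads(body)
    repo = payload.get("repository") or {}
    sender = payload.get("sender") or {}
    return {
        "event": _header(headers, "X-GitHub-Event") or "unknown",
        "delivery_id": _header(headers, "X-GitHub-Delivery"),
        "action": payload.get("action"),
        "repository": repo.get("full_name"),
        "sender": sender.get("login"),
    }


def handle_delivery(secret: str, headers: Mapping[str, str], body: bytes) -> Optional[dict]:
    """Return a record to forward, or None when the delivery must be dropped."""
    if not verify_signature(secret, body, _header(headers, "X-Hub-Signature-256")):
        return None
    return normalize_event(headers, body)


# Constructed sample delivery (not captured from a real repository).
SAMPLE_SECRET = "example-webhook-secret"
SAMPLE_BODY = json.dumps({
    "action": "publicized",
    "repository": {"full_name": "example-org/payments-api", "private": False},
    "sender": {"login": "jdoe"},
}).encode("utf-8")


def sample_headers(secret: str, body: bytes) -> dict:
    """Headers GitHub would attach to the sample body, signed with `secret`."""
    return {
        "X-GitHub-Event": "repository",
        "X-GitHub-Delivery": "00000000-0000-4000-8000-000000000001",
        "X-Hub-Signature-256": sign_body(secret, body),
        "Content-Type": "application/json",
    }


if __name__ == "__main__":
    hdrs = sample_headers(SAMPLE_SECRET, SAMPLE_BODY)
    print(handle_delivery(SAMPLE_SECRET, hdrs, SAMPLE_BODY))
    print(handle_delivery(SAMPLE_SECRET, hdrs, SAMPLE_BODY + b" "))  # dropped: body tampered
```

Two details matter in practice: the HMAC must be computed over the exact bytes GitHub sent, so read the body before any JSON parsing or re-encoding, and a missing signature header is treated as a failure rather than as "no secret configured", otherwise anyone holding the function URL can inject rows into GitHub_CL.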
Using Audit Logs
To use audit logs with Microsoft Sentinel, you need to enable audit logging in your GitHub enterprise account and create a data connector in your Microsoft Sentinel workspace. The steps are as follows:
Go to your GitHub enterprise account and select the organization that you want to monitor.
Go to Settings > Audit log and confirm that you can see the organization's audit log. There is no separate switch to turn it on: GitHub records it for every organization, but only organization owners can read it, and the REST API that Microsoft Sentinel polls is available on GitHub Enterprise Cloud.
Go to your Microsoft Sentinel workspace and select Data connectors from the navigation menu.
Find the GitHub Enterprise Audit Log connector and click on Open connector page.
Follow the instructions on the connector page. You will need the organization (or enterprise) name, a personal access token that can read the audit log, and the API URL (https://api.github.com for GitHub.com). Issue the token from a dedicated account with the smallest scope that still reads the audit log, and schedule its rotation: the connector stores it and polls with it on your behalf.
Click on Apply changes to save the configuration.
Now, Microsoft Sentinel will periodically fetch the audit logs from your GitHub enterprise account and ingest them into your workspace. You can view the audit log data in Microsoft Sentinel by going to:
Data connectors > GitHub Enterprise Audit Log > Logs > GitHubAudit_CL
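Once GitHubAudit_CL is filling, the first question is which actions deserve an analytics rule. The block below is an added example for this article, not the connector's code and not a Sentinel rule: it triages constructed entries shaped like the GitHub audit log REST API output (action, actor, repo, created_at plus action-specific fields such as visibility) and, because the connector pulls pages from that API, also shows how the Link header's rel="next" cursor is followed so no page is skipped. The action names are GitHub's audit log vocabulary; the severities, the sample entries and the sample Link header are ours.

```python
"""Triage GitHub organization audit log entries the way a first Sentinel
analytics rule over GitHubAudit_CL might.

Added example for this article; it is not the connector's code and not a
Sentinel rule. The entries are constructed to match the shape of the GitHub
audit log REST API (action, actor, repo, created_at plus action-specific
fields); the action names are GitHub's, the severities are our choice.
"""
import re
from typing import Dict, Iterable, List, Optional

# Administrative actions worth alerting on from day one.
HIGH_RISK_ACTIONS: Dict[str, str] = {
    "repo.access": "high",               # visibility changed (public case handled in triage)
    "repo.destroy": "high",
    "protected_branch.destroy": "high",  # branch protection removed
    "org.remove_member": "medium",
    "org.update_member": "medium",       # role change, e.g. member to owner
}


def triage(entries: Iterable[dict]) -> List[dict]:
    """Return one finding per risky entry, keeping the fields an analyst needs."""
    findings = []
    for entry in entries:
        action = entry.get("action", "")
        severity = HIGH_RISK_ACTIONS.get(action)
        if severity is None:
            continue
        # repo.access fires for any visibility change; only a move to public
        # exposes code, so a repository being made private is not reported.
        if action == "repo.access" and entry.get("visibility") != "public":
            continue
        findings.append({
            "severity": severity,
            "action": action,
            "actor": entry.get("actor"),
            "target": entry.get("repo") or entry.get("user") or entry.get("org"),
            "created_at": entry.get("created_at"),
        })
    return findings


_LINK_RE = re.compile(r'<([^>]+)>;\s*rel="([^"]+)"')


def next_page_url(link_header: Optional[str]) -> Optional[str]:
    """The audit log API paginates with a Link header carrying an opaque
    'after' cursor. Stop when there is no rel="next"; never guess page numbers."""
    if not link_header:
        return None
    for url, rel in _LINK_RE.findall(link_header):
        if rel == "next":
            return url
    return None


# Constructed sample page (not real audit data); created_at is epoch milliseconds.
SAMPLE_ENTRIES = [
    {"action": "repo.create", "actor": "alice", "repo": "example-org/tooling",
     "created_at": 1700000000000},
    {"action": "repo.access", "actor": "bob", "repo": "example-org/payments-api",
     "visibility": "public", "created_at": 1700000060000},
    {"action": "repo.access", "actor": "alice", "repo": "example-org/tooling",
     "visibility": "private", "created_at": 1700000120000},
    {"action": "protected_branch.destroy", "actor": "bob", "repo": "example-org/payments-api",
     "created_at": 1700000180000},
    {"action": "org.remove_member", "actor": "carol", "user": "dave", "org": "example-org",
     "created_at": 1700000240000},
]

SAMPLE_LINK = ('<https://api.github.com/orgs/example-org/audit-log?after=abc123&per_page=100>; rel="next", '
               '<https://api.github.com/orgs/example-org/audit-log?before=xyz789&per_page=100>; rel="prev"')

if __name__ == "__main__":
    for finding in triage(SAMPLE_ENTRIES):
        print(finding["severity"], finding["action"], finding["actor"], finding["target"])
    print(next_page_url(SAMPLE_LINK))
```

The same logic translates directly into a KQL rule over GitHubAudit_CL once you have confirmed the column names the connector produces in your workspace; the point of keeping the allow-list small is that each of these actions is rare enough in a healthy organization that every hit is worth a look.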
…
Microsoft Sentinel and GitHub are powerful tools for security and software development. By integrating them, you can enhance your security posture, gain visibility into your GitHub activities, and automate your security responses. Webhooks and audit logs are complementary rather than alternatives: webhooks deliver repository events as they happen, while the audit log records administrative actions across the organization, so many teams connect both.
Thanks for the article Rod, this is the first I've seen mention of using the webhooks connector for more than just GitHub threat events.
For those who may have looked or deployed using webhooks in the past, the integration did not pull in the "event type" field from GitHub. So if you added multiple event types it did not work that well, with that key field needed to give context to the logs.
I updated the integration to add the "event type" field in https://github.com/Azure/Azure-Sentinel/pull/9510 in November 2023, so any new or restarted function app after that date will now include the (event_s) field which tells you the GitHub event type. Now if you choose to push all event types via webhooks you get a fairly good log of activity.
Prior to this it seems the webhook connector was primarily used for Threat events, and those are the only type of Sentinel analytics which currently use this connector OOB.
Be aware though there are some key log types which are not included in the webhook events, primarily those for authentication and external access. For those you need to use the audit log connector.
Thanks for sharing. This solution is good if you have only one organisation. It is not suitable for GitHub enterprise with multiple organisations.