4 Comments
Feb 15

Thanks for the article Rod, this is the first I've seen that mentions using the webhooks connector for more than just GitHub threat events.

For those who may have looked at or deployed using webhooks in the past, the integration did not pull in the "event type" field from GitHub. So if you added multiple event types it did not work that well, since that key field is needed to give context to the logs.

I updated the integration to add the "event type" field in https://github.com/Azure/Azure-Sentinel/pull/9510 in November 2023, so any new or restarted function app after that date will now include the event_s field, which tells you the GitHub event type. Now if you choose to push all event types via webhooks you get a fairly good log of activity.

Prior to this it seems the webhook connector was primarily used for Threat events, and those are the only type of Sentinel analytics which currently use this connector OOB.

Be aware, though, that there are some key log types which are not included in the webhook events, primarily those for authentication and external access. For those you need to use the audit log connector.

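An added illustration of the point made in the comment above (not the connector's code or the PR's diff): a GitHub webhook delivery carries its event type in the X-GitHub-Event header, and a receiver that verifies the X-Hub-Signature-256 header before accepting the body can copy that header into an event_s-style field and then group activity by type, which is impossible when the field is missing. The record field names, the secret and the payloads are constructed assumptions.

```python
import hmac
import json
from collections import Counter

WEBHOOK_SECRET = b"constructed-example-secret"  # constructed; never embed a real one

def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """The X-Hub-Signature-256 value GitHub attaches to a delivery with this body."""
    return "sha256=" + hmac.new(secret, body, "sha256").hexdigest()

def to_sentinel_record(headers: dict, body: bytes, secret: bytes = WEBHOOK_SECRET) -> dict:
    """Map one delivery to a flat record; the field names are assumed, not the connector's."""
    # Constant-time check so a forged delivery never becomes a log record.
    if not hmac.compare_digest(sign(body, secret), headers.get("X-Hub-Signature-256", "")):
        raise ValueError("signature mismatch")
    payload = json.loads(body)
    return {
        "event_s": headers["X-GitHub-Event"],  # the event type field the comment refers to
        "action_s": payload.get("action", ""),
        "repository_s": payload.get("repository", {}).get("full_name", ""),
        "sender_s": payload.get("sender", {}).get("login", ""),
    }

def ingest(deliveries: list) -> tuple:
    """Convert every delivery, counting those rejected for a bad signature."""
    records, rejected = [], 0
    for headers, body in deliveries:
        try:
            records.append(to_sentinel_record(headers, body))
        except ValueError:
            rejected += 1
    return records, rejected

def events_by_type(records: list) -> Counter:
    """Per-event-type counts, which event_s makes possible for a multi-event webhook."""
    return Counter(r["event_s"] for r in records)

def _delivery(event: str, payload: dict, good_sig: bool = True) -> tuple:
    body = json.dumps(payload).encode()
    sig = sign(body) if good_sig else "sha256=" + "00" * 32  # tampered delivery
    return {"X-GitHub-Event": event, "X-Hub-Signature-256": sig}, body

REPO, SENDER = {"full_name": "contoso/app"}, {"login": "alice"}
SAMPLE_DELIVERIES = [  # constructed, not captured traffic
    _delivery("push", {"ref": "refs/heads/main", "repository": REPO, "sender": SENDER}),
    _delivery("dependabot_alert", {"action": "created", "repository": REPO, "sender": SENDER}),
    _delivery("push", {"ref": "refs/heads/main", "repository": REPO, "sender": SENDER}, False),
]
```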

Thanks for sharing. This solution is good if you have only one organisation. It is not suitable for GitHub Enterprise with multiple organisations.

Jan 18 · edited Jan 18 · Author

Great feedback. I'll revisit that with another article.

TBH: This article came from some comments during the Microsoft AI Tour last week. Some were just not aware of even this.


Thanks Rod. Enterprise audit logs can be onboarded via log streaming enabled on GitHub -> Event Hub -> Logic App -> Sentinel LAW. This method of onboarding has been very straightforward, but the logs offer little security value. We are developing a custom solution to obtain security logs from multiple organizations. When it's ready, I'll share the details. It will be very interesting to see your suggestions. Many thanks.
