c4f71f231d
The deploy to Azure button was not working. It had 1 extra quote.

Files in this directory:
- ORGS.json
- azuredeploy.json
- lastrun-Audit.json
- readme.md
Ingest GitHub AuditLog and API Data
Author: Nicholas DiCola
Get-GitHubAuditEntry playbook ingests GitHub AuditLog via [GraphQL](https://developer.github.com/v4/interface/auditentry/) events and writes them to a custom log table called GitHub_CL. Get-GitHubRepoLogs playbook ingests GitHub [Traffic Logs](https://developer.github.com/v3/repos/traffic/) data and writes them to a custom log table called GitHubRepoLogs_CL. Get-GitHubVulnerabilityAlerts playbook ingests GitHub [Security Vulnerability](https://developer.github.com/v4/object/securityvulnerability/) data and writes them to a custom log table called GitHubRepoLogs_CL.
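The readme only says the playbooks "write to a custom log table" using the workspace ID and key. The example below, added here and not part of the Azure-Sentinel repository, shows what that write looks like on the wire: it assumes the playbooks go through the Log Analytics HTTP Data Collector API (the same API the Logic App connector uses), builds the SharedKey signature from the workspace key, and sets `Log-Type` so that records land in `GitHub_CL`. The workspace ID, key and audit record are constructed sample values.

```python
import base64
import datetime
import hashlib
import hmac
import json
import urllib.request

# Constructed sample values: a fake workspace ID and a fake base64-encoded shared key.
# In the deployed playbooks these come from the "workspaceId" and "workSpaceKey" parameters.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
WORKSPACE_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret").decode()

API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"


def build_signature(workspace_id, shared_key, date_rfc1123, content_length,
                    method="POST", content_type="application/json", resource=RESOURCE):
    """Return the value of the Authorization header for the Data Collector API.

    The string to sign is METHOD, content length, content type, the x-ms-date
    header and the resource path, newline-separated. It is HMAC-SHA256'd with
    the base64-decoded workspace key and the digest is base64-encoded again.
    """
    string_to_sign = "{}\n{}\n{}\nx-ms-date:{}\n{}".format(
        method, content_length, content_type, date_rfc1123, resource)
    decoded_key = base64.b64decode(shared_key)
    digest = hmac.new(decoded_key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return "SharedKey {}:{}".format(workspace_id, base64.b64encode(digest).decode())


def build_request(workspace_id, shared_key, log_type, records, date_rfc1123=None):
    """Build (url, headers, body) for one POST of `records` into the table <log_type>_CL.

    date_rfc1123 can be fixed for testing; by default the current UTC time is used.
    """
    body = json.dumps(records).encode("utf-8")
    if date_rfc1123 is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        date_rfc1123 = now.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, date_rfc1123, len(body)),
        "Log-Type": log_type,  # Log Analytics appends "_CL": Log-Type "GitHub" -> GitHub_CL
        "x-ms-date": date_rfc1123,
        "time-generated-field": "createdAt",  # use the event's own timestamp as TimeGenerated
    }
    url = "https://{}.ods.opinsights.azure.com{}?api-version={}".format(
        workspace_id, RESOURCE, API_VERSION)
    return url, headers, body


def send(url, headers, body):
    """POST the signed request; returns the HTTP status (200 means the batch was accepted)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


# Constructed sample record shaped like one GitHub audit log entry (not real data).
SAMPLE_RECORDS = [{
    "action": "org.add_member",
    "actor": "alice",
    "org": "sampleorg",
    "createdAt": "2020-06-01T12:34:56Z",
}]

if __name__ == "__main__":
    url, headers, body = build_request(WORKSPACE_ID, WORKSPACE_KEY, "GitHub", SAMPLE_RECORDS)
    print(url)
    print({k: v for k, v in headers.items() if k != "Authorization"})
    # send(url, headers, body)  # only against a real workspace with its real key
```

The signature covers the content length and the `x-ms-date` header, so a captured request cannot be replayed with a different body; the workspace key itself never leaves the sender. The key is as sensitive as the PAT, which is why the ARM template puts both behind Key Vault rather than in the Logic App definition.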
There are a number of configuration steps required to deploy the Logic App playbooks.
Configuration Steps
- Generate a GitHub [Personal Access Token](https://github.com/settings/tokens). GitHub user settings -> Developer settings -> Personal access tokens.
- Get the objectId for a user that the Logic App can use. Azure Portal -> Azure Active Directory -> Users -> User. This user will be used to grant access to the Key Vault secret.
- Deploy the ARM template and fill in the parameters:
  - "PersonalAccessToken": This is the GitHub PAT
  - "UserName": A user that will be granted access to the key vault
  - "principalId": The user object ID for the user
  - "workspaceId": The Sentinel Workspace ID
  - "workSpaceKey": The Sentinel Workspace Key
- There are two json files (ORGS.json and lastrun-Audit.json).
- Edit the ORGS.json file and update "org": "sampleorg", replacing sampleorg with your org name. If you have additional orgs, add another line {"org": "sampleorg"} for each org.
- Upload the ORGS.json, and lastrun-Audit.json to the storage account githublogicapp container.
- Go to the keyvault-GitHubPlaybooks connection resource.
- Click Edit API Connection.
- Click Authorize. Sign in as the user. Click Save.
- The playbooks are deployed as disabled, since the JSON files must be uploaded and the connection must be authorized first. Go to each playbook and click Enable.
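A mistake in ORGS.json (the placeholder left in, a duplicated org, a typo in a login) is not caught until the playbook runs and silently collects nothing for that org. The check below is an added example, not part of the repository; it assumes ORGS.json is a JSON array of `{"org": "..."}` objects, as the edit step above describes, and validates the file before it is uploaded to the githublogicapp container. The sample file contents are constructed to exercise each failure mode.

```python
import json
import re

# GitHub organization logins: alphanumerics and single hyphens, no leading or
# trailing hyphen, at most 39 characters.
ORG_LOGIN = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9]|-(?=[A-Za-z0-9])){0,38}$")
PLACEHOLDER = "sampleorg"

# Constructed sample: what a freshly edited ORGS.json might look like, with the
# mistakes this check is meant to catch (placeholder left in, duplicate, bad login).
SAMPLE_ORGS_JSON = """[
  {"org": "contoso-security"},
  {"org": "sampleorg"},
  {"org": "contoso-security"},
  {"org": "bad org!"}
]"""


def validate_orgs(text):
    """Return (orgs, problems): the usable org names and a list of human-readable issues.

    Assumed layout (from the readme's edit step): a JSON array of objects with a single
    "org" key. Entries with problems are reported and dropped; the rest are deduplicated
    case-insensitively, since GitHub logins are case-insensitive.
    """
    problems = []
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [], ["ORGS.json is not valid JSON: {}".format(exc)]
    if not isinstance(data, list):
        return [], ['expected a JSON array of {"org": ...} objects']

    seen = []
    for i, entry in enumerate(data):
        if (not isinstance(entry, dict) or set(entry) != {"org"}
                or not isinstance(entry.get("org"), str)):
            problems.append('entry {}: expected an object with a single string key "org"'.format(i))
            continue
        org = entry["org"].strip()
        if org == PLACEHOLDER:
            problems.append('entry {}: placeholder "{}" was not replaced'.format(i, PLACEHOLDER))
            continue
        if not ORG_LOGIN.match(org):
            problems.append('entry {}: "{}" is not a valid GitHub organization login'.format(i, org))
            continue
        if org.lower() in (s.lower() for s in seen):
            problems.append('entry {}: duplicate org "{}"'.format(i, org))
            continue
        seen.append(org)

    if not seen:
        problems.append("no usable org entries")
    return seen, problems


def load_and_validate(path):
    """Validate an ORGS.json file on disk; returns the same (orgs, problems) tuple."""
    with open(path, encoding="utf-8") as fh:
        return validate_orgs(fh.read())


if __name__ == "__main__":
    orgs, problems = validate_orgs(SAMPLE_ORGS_JSON)
    print("orgs:", orgs)
    for p in problems:
        print("problem:", p)
```

Run it against the edited file (`load_and_validate("ORGS.json")`) before the upload step; an empty `problems` list means the file is safe to place in the container.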
Note: there are two parsers [here](https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/GitHub) to make the logs useful.