Integrating Microsoft Sentinel with GitHub (2024)

Table of Contents

  1. Using Webhooks

  2. Using Audit Logs

Microsoft Sentinel is a cloud-native security information and event management (SIEM) service that uses artificial intelligence (AI) to analyze security data from various sources and detect threats. GitHub is a platform for hosting, managing, and collaborating on software development projects using Git. By integrating Microsoft Sentinel with GitHub, you can monitor and protect your GitHub repositories, track user activities, and automate security workflows.

In this article, we will show you how to use Microsoft Sentinel with GitHub in two ways:

  1. Using webhooks, and…

  2. Using audit logs

Webhooks are events that GitHub sends to a specified URL when certain actions occur in your repositories. Audit logs are records of user actions and changes in your GitHub enterprise account.

Requirements:

Both methods require you to have a Microsoft Sentinel workspace and a GitHub enterprise account.

Using Webhooks

To use webhooks with Microsoft Sentinel, you need to create an Azure Function app that receives the webhook events from GitHub and sends them to your Microsoft Sentinel workspace. You also need to configure GitHub to send the webhook events to the Azure Function app URL. The steps are as follows:

  1. Create an Azure Function app in your Azure portal.

  2. Copy the URL of the Azure Function app from the Overview page.

  3. Go to your GitHub enterprise account and select the repository that you want to monitor.

  4. Go to Settings > Webhooks and click on Add webhook.

  5. Paste the Azure Function app URL in the Payload URL field and select application/json as the Content type.

  6. Choose the events that you want to trigger the webhook. You can select individual events or all events.

  7. Click on Add webhook to save the configuration.

Now, whenever the selected events occur in your GitHub repository, GitHub will send a webhook event to the Azure Function app, which will forward it to your Microsoft Sentinel workspace. You can view the webhook data in Microsoft Sentinel by going to:

Data connectors > GitHub (using Webhooks) (using Azure Function) > Logs > GitHub_CL
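
As an added example (not code from this article or from Microsoft's connector), here is the core of such a function in Python: it rejects deliveries whose `X-Hub-Signature-256` header does not match the raw body, then builds the signed request for the workspace without sending it. It assumes a Secret was entered in the Add webhook form and that forwarding uses the Log Analytics HTTP Data Collector API with Log-Type `GitHub`; the function names and all sample values are constructed.

```python
import base64
import hashlib
import hmac
import json
from email.utils import formatdate

def github_signature(secret: bytes, body: bytes) -> str:
    """Value GitHub puts in X-Hub-Signature-256 for this body and webhook secret."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_github_signature(secret: bytes, body: bytes, header: str) -> bool:
    """Constant-time check of the header against the raw (unparsed) request body."""
    return bool(header) and hmac.compare_digest(
        github_signature(secret, body).encode(), header.encode("utf-8", "replace"))

def sentinel_headers(workspace_id, shared_key_b64, body, log_type, date=None):
    """SharedKey-signed headers for the Log Analytics HTTP Data Collector API."""
    date = date or formatdate(usegmt=True)  # RFC 1123 date, part of the signed string
    to_sign = f"POST\n{len(body)}\napplication/json\nx-ms-date:{date}\n/api/logs"
    mac = hmac.new(base64.b64decode(shared_key_b64), to_sign.encode(), hashlib.sha256)
    return {"Content-Type": "application/json", "Log-Type": log_type, "x-ms-date": date,
            "Authorization": f"SharedKey {workspace_id}:{base64.b64encode(mac.digest()).decode()}"}

def handle_webhook(secret, headers, body, workspace_id, shared_key_b64):
    """Return (HTTP status, outbound request dict or None). Nothing is sent here."""
    if not verify_github_signature(secret, body, headers.get("X-Hub-Signature-256", "")):
        return 401, None  # unsigned or tampered delivery never reaches the workspace
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, None  # signed but not valid JSON
    record = [{"event": headers.get("X-GitHub-Event", "unknown"),
               "delivery": headers.get("X-GitHub-Delivery", ""), "payload": payload}]
    out = json.dumps(record).encode()
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return 200, {"url": url, "body": out,
                 "headers": sentinel_headers(workspace_id, shared_key_b64, out, "GitHub")}

# Constructed sample values (not real credentials or a real delivery).
SECRET = b"constructed-webhook-secret"
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"constructed-workspace-key").decode()
BODY = json.dumps({"action": "added", "member": {"login": "example-user"}}).encode()
HEADERS = {"X-GitHub-Event": "member", "X-Hub-Signature-256": github_signature(SECRET, BODY)}

if __name__ == "__main__":
    print(handle_webhook(SECRET, HEADERS, BODY, WORKSPACE_ID, SHARED_KEY)[0])
    print(handle_webhook(SECRET, HEADERS, BODY + b" ", WORKSPACE_ID, SHARED_KEY)[0])
```

In a deployed function, the webhook secret and workspace key would come from application settings or a key vault rather than constants, and the returned request would be sent with an HTTP client.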

Using Audit Logs

To use audit logs with Microsoft Sentinel, you need to enable audit logging in your GitHub enterprise account and create a data connector in your Microsoft Sentinel workspace. The steps are as follows:

  1. Go to your GitHub enterprise account and select the organization that you want to monitor.

  2. Go to Settings > Audit log and click on Enable audit logging.

  3. Go to your Microsoft Sentinel workspace and select Data connectors from the navigation menu.

  4. Find the GitHub Enterprise Audit Log connector and click on Open connector page.

  5. Follow the instructions to configure the connector. You will need to provide your GitHub enterprise account name, access token, and API URL.

  6. Click on Apply changes to save the configuration.

Now, Microsoft Sentinel will periodically fetch the audit logs from your GitHub enterprise account and ingest them into your workspace. You can view the audit log data in Microsoft Sentinel by going to:

Data connectors > GitHub Enterprise Audit Log > Logs > GitHubAudit_CL

Microsoft Sentinel and GitHub are powerful tools for security and software development. By integrating them, you can enhance your security posture, gain visibility into your GitHub activities, and automate your security responses. You can use webhooks or audit logs to connect Microsoft Sentinel with GitHub, depending on your needs and preferences.


Rod’s Blog is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.
