Connect this data source on your own, using the Hunters platform.
TL;DR
| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| Github Audit Logs (Cloud) | ✅ | ✅ | | | github_audit_logs | NDJSON | S3 |
| Github Audit Logs (Server) | ✅ | ✅ | | | github_server_logs | Syslog | S3 |
| Github Organization Audit Logs | ✅ | ✅ | | | github_org_audit_logs | NDJSON | S3/API |
Overview
GitHub is a provider of Internet hosting for software development and version control using Git.
Organizations that manage their code on GitHub may view and export various logs regarding the platform.
Supported data types
Github Audit Logs (Cloud)
Table name: github_audit_logs
Github Enterprise audit logs provide a comprehensive, centralized view of security events, configuration changes, and Git actions across all organizations within an enterprise account, allowing for holistic monitoring.
Learn more here.
Github Audit Logs (Server)
Table name: github_server_logs
This log is similar to the Cloud audit log, but it originates from an on-premises GitHub Enterprise Server instead of from GitHub's SaaS offering.
Learn more here.
📘 Note
These logs are only available for GitHub Enterprise owners, through both GitHub Enterprise Cloud and GitHub Enterprise Server.
Github Organization Audit Logs
Table name: github_org_audit_logs
GitHub organization-level audit logs are restricted to a single organization, providing detailed, localized visibility for that specific entity. This audit log allows organization admins to quickly review the actions performed by members of the organization. It includes details such as who performed the action, what the action was, and when it was performed.
Learn more here.
Send data to Hunters
Hunters supports the collection of logs from GitHub through an intermediary S3 bucket.
To connect GitHub logs:
Route your GitHub logs into an S3 bucket:
GitHub Enterprise Cloud - Click here to learn how to stream Enterprise Cloud logs from GitHub to S3.
GitHub Enterprise Server - Set up a periodic or continuous log stream from the on-premises server to an S3 bucket.
Retrieve the following information, following this GitHub guide:
Token.
Org.
Complete the process on the Hunters platform, following this guide.
Expected format
Github Audit Logs (Cloud)
Logs are expected in JSON format.
```json
{
  "action": "git.fetch",
  "_document_id": "ALU1IEsheliktHvAm-RvYA==",
  "actor_location": {"country_code": "US"},
  "transport_protocol": 2,
  "transport_protocol_name": "ssh",
  "repository": "<repo>/<path>",
  "repo": "<repo>/<path>",
  "repository_public": false,
  "actor": "jenkins-deployer",
  "org": "<name>",
  "business": "<name>",
  "business_id": 3423,
  "user": "",
  "@timestamp": 1642538183423
}
```
Github Audit Logs (Server)
Logs are expected in Syslog format.
```text
Mar 1 12:40:42 github-<customer_name>-<country_code> babeld[17431]: ts=2022-03-01T12:40:42.395820Z pid=1 tid=70 version=52e3281 proto=http id=314174f56617653de832ca869597af56 http_url="/<something>/<something>.git/info/refs?service=git-upload-pack" http_ua="git/2.26.2" ip=10.10.10.10 xff_ip=10.10.10.10 repo=<something>/<something> cmd=git-upload-pack ac_ms=8.561 duration_ms=8.663 sr=1646138442387.153 ss=1646138442395.816 fs_sent=0 fs_recv=0 client_recv=429 client_sent=0 fsc_ms=0.000 gpv=2 log_level=INFO msg="http op done: (401)" http_status=401 handler_code=0 imode=0
```
Github Organization Audit Logs
Logs are expected in JSON format.
```json
{
  "@timestamp": 1710000000000,
  "_document_id": "AAAA-BBBB-CCCC",
  "action": "workflows.prepared_workflow_job",
  "business": "business-xxx",
  "business_id": 123456,
  "created_at": 1710000000000,
  "environment_name": "env-xxx",
  "is_hosted_runner": false,
  "job_name": "Job Name",
  "job_workflow_ref": "org/repo/.github/workflows/workflow.example@ref/heads/main",
  "operation_type": "modify",
  "org": "org-xxx",
  "org_id": 111111,
  "repo": "org/repo",
  "repo_id": 222222,
  "runner_group_id": 1,
  "runner_group_name": "Default",
  "runner_id": 10,
  "runner_labels": ["label-a"],
  "runner_name": "runner-xxx",
  "runner_owner_type": "Repository",
  "secrets_passed": null,
  "workflow_run_id": 333333
}
```