Github Logs
Panther supports pulling logs directly from GitHub

Overview

Panther can fetch Github audit logs by querying the Github API. Panther queries the Github API for new events every minute.
To set up Github as a log source in Panther, you need to authorize Panther in Github and then create the Github log source in Panther. There are two ways to authorize Panther to receive Github audit logs:
  • Create a new OAuth App in Github and provide the app credentials to Panther
  • Generate a Personal Access Token in Github and provide credentials to Panther

How to onboard Github logs to Panther

Option 1: Create a new OAuth App

The steps below can only be performed if you have organization owner permissions in your Github organization and a Github Enterprise subscription. If you need to configure multiple integrations for different Github Organizations using the same credentials, you can either use a Personal Access Token or an OAuth2 App that is created on the user account instead of the Organization account. If any Organizations have enabled OAuth2 App Access Restrictions, the app must first be approved by an Organization admin.
  1. Log in to your Github Enterprise account.
  2. On the homepage of your organization's account, click on the Settings tab.
  3. Scroll to the bottom of the page and click on Developer Settings and then OAuth Apps.
  4. Click on Register an application. Fill in the form:
    • Enter a memorable application name into the Name field, e.g. Panther Integration.
    • Enter your Panther instance's primary URL into the Homepage URL field, e.g. https://test.runpanther.xyz
    • Copy the Redirect URL from Panther and paste it into the Authorization Callback URL field.
      • To do this, you will need to log into Panther and set up Github as a log source by following the directions below. Once you've made it to the step where you see a Redirect URL, you can copy it and continue setting up your Github app.
  5. Once all necessary fields are filled in, click Register Application.
  6. Once the application is registered, you can view the Client ID and generate a new Client Secret. Store them in a secure location – you will need them in the next steps.

Option 2: Generate a personal access token

The steps below can only be performed if you have organization owner permissions in your Github organization and a Github Enterprise subscription. You can read more on generating a Personal Access Token in Github here.
  1. Log into your Github Enterprise account.
  2. Click on your profile, then click on the Settings option.
  3. Scroll to the bottom of the page and click on Developer Settings and then Personal Access Token.
  4. Click Generate new token and enter a memorable token name, e.g. Panther Integration.
  5. Select the scopes, or permissions, you'd like to grant this token.
    • Check the boxes next to admin:org > read:org.
    • You do not need to enable the write:org permission.
  6. Click Generate token.
  7. Copy the token and store it in a secure location – you will need it in the next steps.

Create a new Github source in Panther

  1. Log in to your Panther Console.
  2. In the left sidebar menu, click Integrations > Log Sources.
  3. Click Create New.
  4. Select Github from the list of available log sources. Click Start Source Setup.
  5. On the next screen, enter a memorable name for the source, e.g. My Github Audit logs, and the name of the Github organization you want to monitor.
  6. Click Continue Setup.
  7. Authorize Panther to receive logs from Github. Depending on the option you chose above, follow the matching steps below:
    • Use OAuth2 Authorization Flow: Enter the App Client ID and the Client Secret that you acquired from Github. You can find this information on the details page of the OAuth app in your Github account once you register the application.
    • Use a Personal Access Token: Copy the personal access token and paste it into the Personal Access Token field.
  8. Click Continue Setup.
  9. You will be presented with the option to Grant Access.
  10. Click Authorize [name of organization].
  11. You will be directed to a confirmation screen where you can set up a log drop-off alarm.
    • This feature sends an error message if logs aren't received within a specified time interval.
  12. Click Finish Setup.

Panther-Built Detections

The following detections are available for use immediately:
  • Branch Policy Override
  • Branch Protection Disabled
  • Org Auth Modified
  • Org IP Allowlist
  • Org Modified
  • Repo Collaborator Change
  • Repo Created
  • Repo Hook Modified
  • Repo Initial Access
  • Repo Visibility Change
  • Team Modified
  • User Access Key Created
  • User Role Updated
Review the files in the github_rules repository to see how these are built.

Supported log types

Required fields in the schema are listed as "required: true" just below the "name" field.

Github.Audit

The audit log allows organization admins to quickly review the actions performed by members of your organization.
```yaml
schema: GitHub.Audit
parser:
  native:
    name: GitHub.Audit
description: The audit log allows organization admins to quickly review the actions performed by members of your organization.
referenceURL: https://docs.github.com/en/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization#using-the-rest-api
version: 0
fields:
  - name: _document_id
    description: Document id for the audit log events
    type: string
  - name: workflow_id
    description: Workflow id if the event is CI workflow
    type: bigint
  - name: workflow_run_id
    description: Workflow run id if the event is CI workflow
    type: bigint
  - name: '@timestamp'
    required: true
    description: Timestamp for the event
    type: timestamp
    timeFormat: unix_ms
    isEventTime: true
  - name: action
    required: true
    description: The action performed
    type: string
  - name: actor
    description: Actor that performed the action
    type: string
    indicators:
      - username
  - name: created_at
    description: Creation timestamp for audit event
    type: timestamp
    timeFormat: unix_ms
  - name: completed_at
    description: Completion timestamp for audit event
    type: string
  - name: actor_location
    description: Actor location
    type: object
    fields:
      - name: country_code
        required: true
        description: Country code for the actor's location
        type: string
  - name: org
    description: The Organization where the action was performed
    type: string
  - name: config
    description: Webhook configuration
    type: object
    fields:
      - name: content_type
        description: content type for the webhook
        type: string
      - name: insecure_ssl
        description: Boolean value if ssl connection is secure
        type: string
      - name: url
        description: payload URL for webhook
        type: string
  - name: config_was
    description: Previous webhook configuration
    type: object
    fields:
      - name: content_type
        description: content type for the webhook
        type: string
      - name: insecure_ssl
        description: Boolean value if ssl connection is secure
        type: string
      - name: url
        description: payload URL for webhook
        type: string
  - name: hook_id
    description: Webhook ID
    type: bigint
  - name: name
    description: name of the event action category
    type: string
  - name: active
    description: Webhook is active
    type: boolean
  - name: repo
    description: Name of the repository
    type: string
  - name: visibility
    description: Visibility of the repository
    type: string
  - name: events
    description: List of events which will send webhook payload
    type: array
    element:
      type: string
  - name: user
    description: User added/removed for certain permission
    type: string
    indicators:
      - username
  - name: team
    description: Team name for team category action
    type: string
  - name: event
    description: Workflow event
    type: string
  - name: transport_protocol_name
    description: Transport protocol name for git audit events
    type: string
  - name: transport_protocol
    description: Transport protocol for git audit events
    type: int
  - name: repository
    description: Repository name for git event
    type: string
  - name: repository_public
    description: If the repository for git audit event is public
    type: boolean
```
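As an added example (not code from Panther, the github_rules repository, or this page), the Python below applies the GitHub.Audit schema's required fields and unix_ms timestamp typing to constructed events and then runs a Repo Visibility Change detection in the rule()/title() shape Panther-built detections use. The action name repo.access and the sample events are assumptions, not values taken from this page.

```python
import datetime as dt

# Required fields per the GitHub.Audit schema above; every other field is optional.
REQUIRED = ("@timestamp", "action")

def normalise(raw: dict) -> dict:
    """Type one raw event per the schema: unix_ms timestamps become UTC datetimes;
    a missing required field raises ValueError."""
    missing = [f for f in REQUIRED if f not in raw]
    if missing:
        raise ValueError(f"event is missing required field(s): {missing}")
    event = dict(raw)
    for key in ("@timestamp", "created_at"):
        if key in event:
            event[key] = dt.datetime.fromtimestamp(event[key] / 1000, tz=dt.timezone.utc)
    loc = event.get("actor_location")
    if loc is not None and "country_code" not in loc:
        raise ValueError("actor_location is present but its required country_code is missing")
    return event

# A rule in the shape Panther detections use: rule() decides whether the event
# alerts and title() labels the alert. The action name "repo.access" is an
# assumption about GitHub's audit-log vocabulary, not a value from this page.
REPO_VISIBILITY_ACTION = "repo.access"

def rule(event: dict) -> bool:
    return event.get("action") == REPO_VISIBILITY_ACTION

def title(event: dict) -> str:
    return (f"Repository [{event.get('repo', '<unknown>')}] visibility changed to "
            f"[{event.get('visibility', '<unknown>')}] by {event.get('actor', '<unknown>')}")

# Constructed sample events using the schema's field names; not real GitHub output.
SAMPLE_EVENTS = [
    {"@timestamp": 1700000000000, "action": "repo.access", "actor": "alice",
     "org": "example-org", "repo": "example-org/payments", "visibility": "public",
     "actor_location": {"country_code": "US"}},
    {"@timestamp": 1700000060000, "action": "repo.create", "actor": "bob",
     "org": "example-org", "repo": "example-org/sandbox", "visibility": "private"},
]

def run(events=SAMPLE_EVENTS) -> list:
    """Normalise each event and return the alert titles of those that match."""
    return [title(e) for e in map(normalise, events) if rule(e)]

if __name__ == "__main__":
    for alert in run():
        print(alert)
```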