GitHub Logs

Panther supports pulling GitHub logs directly and audit log streaming

Overview

Panther supports the following methods of ingesting audit logs from GitHub:

How to onboard GitHub Organization logs to Panther

Your Github Organization needs to be part of a Github Enterprise Cloud deployment. The Github Enterprise Server self-hosted option is not yet supported.
In order to set up Github as a log source in Panther, you'll need to authorize Panther in Github and then set up Github as a log source in Panther.
There are two ways to authorize Panther to receive Github audit logs:

Option 1: Create a new OAuth App

The steps below can only be performed if you have organization owner permission in your Github organization and a Github Enterprise subscription. If you need to configure multiple integrations for different Github Organizations using the same credentials, you can either use a Personal Access Token or an OAuth2 App that is created on the user account instead of the Organization account. If any Organizations have enabled OAuth2 App Access Restrictions, the app must first be approved by an Organization admin.
  1. Log in to your Github Enterprise account.
  2. On the homepage of your organization's account, click on the Settings tab.
  3. Scroll to the bottom of the page and click on Developer Settings and then OAuth Apps.
  4. Click on Register an application. Fill in the form:
     • Enter a memorable application name into the Name field, e.g. Panther Integration.
     • Enter your Panther instance's primary URL into the Homepage URL field, e.g. https://test.runpanther.xyz
     • Copy the Redirect URL from Panther and paste it into the Authorization Callback URL field.
       • To do this, you will need to log into Panther and set up Github as a log source by following the directions below. Once you've made it to the step where you see a Redirect URL, you can copy it and continue setting up your Github app.
  5. Once all necessary fields are filled in, click Register Application.
  6. Once the application is registered, you can view the Client ID and generate a new Client Secret. Store them in a secure location – you will need them in the next steps.

Option 2: Generate a personal access token

The steps below can only be performed if you have organization owner permission in your Github organization and a Github Enterprise subscription. You can read more on generating a Personal Access Token in Github here.
  1. Log in to your Github Enterprise account.
  2. Click on your profile, then click on the Settings option.
  3. Scroll to the bottom of the page and click on Developer Settings and then Personal Access Token.
  4. Click Generate new token and enter a memorable token name, e.g. Panther Integration.
  5. Select the scopes, or permissions, you'd like to grant this token.
     • Check the boxes next to admin:org > read:org.
     • You do not need to enable the write:org permission.
  6. Click Generate token.
  7. Copy the token and store it in a secure location – you will need it in the next steps.

Create a new Github source in Panther

  1. Log in to your Panther Console.
  2. In the left sidebar menu, click Configure > Log Sources.
  3. Click Create New.
  4. Select Github from the list of available log sources. Click Start Source Setup.
  5. On the next screen, enter a descriptive name for the source, e.g. My Github Audit logs, and the name of the Github organization you want to monitor.
  6. Click Continue Setup.
  7. Authorize Panther to receive logs from Github. Depending on the option you chose above, follow the corresponding step:
     • Use OAuth2 Authorization Flow: Enter the App Client ID and the Client Secret that you acquired from Github. You can find this information on the details page of the OAuth app in your Github account once you register the application.
     • Use a Personal Access Token: Copy the personal access token and paste it into the Personal Access Token field.
  8. Click Continue Setup.
  9. You will be presented with the option to Grant Access.
  10. Click Authorize [name of organization].
      • You will be directed to a success screen:
        (Screenshot: the Panther Console displays the message "Everything looks good!")
  11. To finish the source setup:
      1. Optionally configure a log drop-off alarm.
         • Before you finish the setup, we recommend that you create a log drop-off alarm to alert you if data stops flowing from the log source. Be sure to set an appropriate time interval for when you would like Panther to alert you that the log source is not sending data.
      2. Optionally enable a Detection Pack.
      3. Click Finish Setup.

How to onboard GitHub logs via audit log streaming to Panther

Panther's support for GitHub audit log streaming is in closed beta as of v1.52. Please reach out to your Panther Support team if you are interested in participating in the beta.
There are two steps to configure GitHub audit log streaming with Panther:
  1. Set up audit log streaming from GitHub to a storage destination.
  2. Create a new GitHub Audit Log Streaming source in Panther.
Audit log streaming must be configured in GitHub by your GitHub enterprise owner.

Step 1: Set up audit log streaming from GitHub to a storage destination

Panther supports ingesting GitHub audit log streaming data from two storage destinations:
  • AWS S3
  • Google Cloud GCS
Choose a storage destination above, then follow GitHub's documentation on how to configure audit log streaming to that location. For S3, follow the instructions here. For GCS, the instructions are found here.

Step 2: Create a new GitHub audit log streaming source in Panther

  1. Log in to your Panther Console.
  2. In the left sidebar menu, click Configure > Log Sources.
  3. Click Create.
  4. Search for GitHub. Select the GitHub Audit Log Streaming tile.
     (Screenshot: in the Panther Console, the Configure > Log Sources > Add New Sources screen shows a search for "github". Two tiles are shown, GitHub API and GitHub Audit Log Streaming, with a red selector box around the latter.)
  5. Select either S3 or GCS, depending on the transport method you chose.
  6. Follow the onboarding process for your chosen destination method:

Panther-Built Detections

Querying logs in Data Explorer

To see examples of querying Github logs in Panther's Data Explorer, see Github Audit logs queries.

Supported log types

Required fields in the schema are listed as "required: true" just below the "name" field.

Github.Audit

The audit log allows organization administrators to quickly review actions performed by members of your organization. For more information, see GitHub's documentation on accessing audit logs.
schema: GitHub.Audit
parser:
  native:
    name: GitHub.Audit
description: The audit log allows organization admins to quickly review the actions performed by members of your organization.
referenceURL: https://docs.github.com/en/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization#using-the-rest-api
fields:
  - name: _document_id
    description: Document id for the audit log events
    type: string
  - name: workflow_id
    description: Workflow id if the event is CI workflow
    type: bigint
  - name: workflow_run_id
    description: Workflow run id if the event is CI workflow
    type: bigint
  - name: action
    required: true
    description: The action performed
    type: string
  - name: actor
    description: Actor that performed the action
    type: string
    indicators:
      - username
  - name: created_at
    description: Creation timestamp for audit event
    type: timestamp
    timeFormats:
      - unix_ms
    isEventTime: true
  - name: '@timestamp'
    description: Timestamp for the event
    type: timestamp
    timeFormats:
      - unix_ms
    isEventTime: true
  - name: completed_at
    description: Completion timestamp for audit event
    type: string
  - name: actor_location
    description: Actor location
    type: object
    fields:
      - name: country_code
        required: true
        description: Country code for the actor's location
        type: string
      - name: country_name
        description: Country name for the actor's location
        type: string
      - name: region
        description: Region code of where this action originated from
        type: string
      - name: region_name
        description: Region name of where this action originated from
        type: string
      - name: city
        description: Name of the city where this action originated from
        type: string
      - name: postal_code
        description: Postal code where this action originated from
        type: string
      - name: location
        description: Actor's location in longitude/latitude
        type: object
        fields:
          - name: lat
            description: Latitude field
            type: float
          - name: lon
            description: Longitude field
            type: float
  - name: org
    description: The Organization where the action was performed
    type: string
  - name: config
    description: Webhook configuration
    type: object
    fields:
      - name: content_type
        description: content type for the webhook
        type: string
      - name: insecure_ssl
        description: Boolean value if ssl connection is secure
        type: string
      - name: url
        description: payload URL for webhook
        type: string
  - name: config_was
    description: Previous webhook configuration
    type: object
    fields:
      - name: content_type
        description: content type for the webhook
        type: string
      - name: insecure_ssl
        description: Boolean value if ssl connection is secure
        type: string
      - name: url
        description: payload URL for webhook
        type: string
  - name: hook_id
    description: Webhook ID
    type: bigint
  - name: name
    description: name of the event action category
    type: string
  - name: active
    description: Webhook is active
    type: boolean
  - name: repo
    description: Name, or names of the repositories involved in the action
    type: json
  - name: visibility
    description: Visibility of the repository
    type: string
  - name: events
    description: List of events which will send webhook payload
    type: array
    element:
      type: string
  - name: user
    description: User added/removed for certain permission
    type: string
    indicators:
      - username
  - name: team
    description: Team name for team category action
    type: string
  - name: event
    description: Workflow event
    type: string
  - name: transport_protocol_name
    description: Transport protocol name for git audit events
    type: string
  - name: transport_protocol
    description: Transport protocol for git audit events
    type: int
  - name: repository
    description: Repository name for git event
    type: string
  - name: repository_public
    description: If the repository for git audit event is public
    type: boolean
  - name: business_id
    description: ID of the enterprise affected by the action (if applicable)
    type: bigint
  - name: number
    description: Number field
    type: bigint
  - name: active_was
    description: Webhook was active
    type: boolean
  - name: actor_id
    description: The id of the actor who performed the action
    type: bigint
  - name: blocked_user
    description: The username of the account being blocked
    type: string
    indicators:
      - username
  - name: business
    description: The name of the business that relates to this action
    type: string
  - name: content_type
    description: Type of content
    type: string
  - name: data
    description: Additional data related to this action
    type: json
  - name: deploy_key_fingerprint
    description: Fingerprint of deploy key
    type: string
  - name: emoji
    description: Emoji that relates to this action
    type: string
  - name: events_were
    description: List of events which were sent
    type: array
    element:
      type: json
  - name: explanation
    description: An explanation of the action
    type: string
  - name: fingerprint
    description: Fingerprint related to this action
    type: string
  - name: limited_availability
    description: Limited availability
    type: boolean
  - name: message
    description: Message related to this action
    type: string
  - name: old_user
    description: The old user related to this action
    type: string
  - name: openssh_public_key
    description: Public Open SSH key related to this action
    type: string
  - name: operation_type
    description: Type of operation
    type: string
  - name: org_id
    description: The Organization ID where the action was performed
    type: string
  - name: previous_visibility
    description: Visibility of repository prior to this action
    type: string
  - name: read_only
    description: Whether the item related to this action is read only
    type: boolean
  - name: target_login
    description: Target login
    type: string
  - name: user_id
    description: User ID
    type: bigint
  - name: actor_ip
    description: Actor IP (only included if explicitly enabled in your GitHub settings https://docs.github.com/en/enterprise-[email protected]/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/displaying-ip-addresses-in-the-audit-log-for-your-enterprise)
    type: string
    indicators:
      - ip
  - name: hashed_token
    description: Hash of the token used to perform this action (see https://docs.github.com/en/enterprise-[email protected]/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/identifying-audit-log-events-performed-by-an-access-token#searching-on-github)
    type: string
  - name: actor_session
    description: Actor's session ID
    type: bigint
  - name: branch
    description: Branch that relates to this action
    type: string
  - name: category_type
    description: Type of category this action is from
    type: string
  - name: client_id
    description: ID of the client being used in this action
    type: string
  - name: conclusion
    description: Workflow run conclusion
    type: string
  - name: controller_action
    description: Action of the controller
    type: string
  - name: device_cookie
    description: Cookie of the actor's session from this action
    type: string
  - name: environment_name
    description: Environment name of workflow
    type: string
  - name: fork_source
    description: Source repository of this fork
    type: string
  - name: fork_source_id
    description: Source repository ID of this fork
    type: bigint
  - name: from
    description: Namespace that this action is from
    type: string
  - name: head_branch
    description: Name of branch of the head at the time of this workflow run
    type: string
  - name: head_sha
    description: SHA hash of the head at the time of this workflow run
    type: string
    indicators:
      - sha1
  - name: is_hosted_runner
    description: Whether the workflow runner is hosted
    type: boolean
  - name: job_name
    description: Name of workflow job
    type: string
  - name: job_workflow_ref
    description: Reference of workflow job
    type: string
  - name: key
    description: Name of key related to this action
    type: string
  - name: method
    description: HTTP Method of this action
    type: string
  - name: programmatic_access_type
    description: The type of access for programmatic actions
    type: string
  - name: public_repo
    description: Whether the repository for git audit event is public
    type: boolean
  - name: referrer
    description: Referrer URL of where this action took place
    type: string
    indicators:
      - url
  - name: repo_id
    description: Repository ID related to this action
    type: bigint
  - name: repositories_removed
    description: IDs of Repositories that were removed in this action
    type: array
    element:
      type: bigint
  - name: repositories_removed_names
    description: Names of Repositories that were removed in this action
    type: array
    element:
      type: string
  - name: repository_selection
    description: Type of selection for this action related to the repository
    type: string
  - name: request_category
    description: Category of this request
    type: string
  - name: request_id
    description: ID of this action's request
    type: string
  - name: run_attempt
    description: Workflow run attempt
    type: bigint
  - name: run_number
    description: Workflow run number
    type: bigint
  - name: runner_id
    description: ID of this workflow runner
    type: bigint
  - name: runner_group_id
    description: ID of workflow runner group
    type: bigint
  - name: runner_group_name
    description: Name of workflow runner group
    type: string
  - name: runner_labels
    description: List of labels of this workflow
    type: array
    element:
      type: string
  - name: runner_name
    description: Name of the Workflow runner of this action
    type: string
  - name: secrets_passed
    description: List of names of secrets passed to this workflow action
    type: json
  - name: server_id
    description: ID of the Enterprise Server
    type: string
  - name: started_at
    description: Time that the workflow started
    type: timestamp
    timeFormats:
      - rfc3339
  - name: token_id
    description: ID of the token used in this action
    type: bigint
  - name: topic
    description: Topic related to workflow run
    type: string
  - name: trigger_id
    description: ID of Trigger that triggered this workflow
    type: bigint
  - name: url
    description: URL where this action took place
    type: string
    indicators:
      - url
  - name: user_agent
    description: User agent of the actor who performed this action
    type: string
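As an added example (not one of Panther's built-in detections), the following Panther-style Python rule shows how the schema fields above are used in practice: it flags a GitHub.Audit event when a repository is made public (`action`, `visibility`, `previous_visibility`) or a webhook is configured with TLS certificate verification disabled (`config.insecure_ssl`). The event is treated as a plain dict, the action names are GitHub's own audit log actions, and the sample events are constructed.

```python
# Audit actions that change who can see a repository or how a webhook delivers.
VISIBILITY_ACTIONS = {"repo.access", "repo.create"}
HOOK_ACTIONS = {"hook.create", "hook.config_changed"}


def _webhook_config(event, key):
    """Read a key from the nested `config` object without raising on absence."""
    config = event.get("config")
    return config.get(key) if isinstance(config, dict) else None


def rule(event):
    """True when the event exposes a repo or disables webhook TLS verification."""
    action = event.get("action", "")
    if action in VISIBILITY_ACTIONS and event.get("visibility") == "public":
        # Fire on a private-to-public transition (repo.access) or a new public
        # repo (repo.create); previous_visibility is absent on creation.
        return event.get("previous_visibility", "private") != "public"
    if action in HOOK_ACTIONS:
        # GitHub's webhook config carries insecure_ssl as the string "1" when
        # certificate verification is turned off (the schema types it as string).
        return _webhook_config(event, "insecure_ssl") == "1"
    return False


def title(event):
    """Alert title; `repo` may be absent for git-protocol events, which use `repository`."""
    actor = event.get("actor", "<unknown actor>")
    repo = event.get("repo") or event.get("repository") or "<unknown repo>"
    if event.get("action") in HOOK_ACTIONS:
        return f"GitHub webhook on {repo} set to skip TLS verification by {actor}"
    return f"GitHub repository {repo} made public by {actor}"


def evaluate(events):
    """Titles of the events that would alert; used by the constructed samples."""
    return [title(e) for e in events if rule(e)]


SAMPLE_EVENTS = [  # constructed records, not real GitHub audit log data
    {"action": "repo.access", "actor": "alice", "org": "acme", "repo": "acme/payments",
     "visibility": "public", "previous_visibility": "private"},
    {"action": "hook.config_changed", "actor": "bob", "org": "acme", "repo": "acme/payments",
     "config": {"url": "https://hooks.example.invalid/ci", "insecure_ssl": "1"}},
    {"action": "repo.access", "actor": "carol", "org": "acme", "repo": "acme/internal",
     "visibility": "private", "previous_visibility": "public"},
]
```

Running `evaluate(SAMPLE_EVENTS)` yields two titles (the public-visibility change and the insecure webhook); the third event, a repository being made private, does not fire.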