elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[GitHub] Support Ingest of GitHub Audit Logs via Azure Event Hub Audit Log Streaming #5507

Open SpencerLN opened 1 year ago

SpencerLN commented 1 year ago

The current GitHub integration requires enterprise/organization owner privileges to ingest the audit log data. To avoid a service account with these privileges, we utilize the audit log streaming feature in GitHub to send the logs to an Azure Event Hub and then ingest the logs with the Azure Event Hub Filebeat input. Ideally, we would like to be able to utilize the GitHub integration package with data streaming instead of httpjson.
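The pipeline described in the request above (GitHub audit log streaming into an Azure Event Hub, read by Filebeat's `azure-eventhub` input) wired up as a Filebeat configuration. This is an added illustration, not configuration from the issue or from the Elastic integrations package; the hub name, connection string, storage account and key are placeholders, and the `decode_json_fields` step assumes each Event Hub message body is one JSON audit-log record, which is how GitHub's streaming feature emits events.

```yaml
filebeat.inputs:
  - type: azure-eventhub
    # Name of the Event Hub that GitHub audit log streaming writes to (placeholder).
    eventhub: "github-audit-log"
    consumer_group: "$Default"
    # Use a Listen-only shared access policy: the collector needs no send or manage rights.
    connection_string: "Endpoint=sb://EXAMPLE-NAMESPACE.servicebus.windows.net/;SharedAccessKeyName=listen-only;SharedAccessKey=PLACEHOLDER"
    # Blob storage used by the input to checkpoint its read position per partition (placeholders).
    storage_account: "exampleephcheckpoints"
    storage_account_key: "PLACEHOLDER"
    storage_account_container: "filebeat-checkpoints"
    tags: ["github-audit"]

processors:
  # Each message body is a JSON audit-log record; unpack it under a dedicated
  # namespace so fields like action, actor, org and repo become queryable.
  - decode_json_fields:
      fields: ["message"]
      target: "github.audit"
      add_error_key: true

output.elasticsearch:
  hosts: ["https://localhost:9200"]
  # Credentials for the Elasticsearch output (placeholders).
  username: "filebeat_writer"
  password: "PLACEHOLDER"
```

The point of this layout, matching the request's motivation, is that no GitHub credential is held by the collector at all: GitHub pushes events to the hub, and Filebeat only needs a listen-only Event Hub policy plus a checkpoint storage account. Note that the events arrive under `github.audit.*` in this constructed example rather than in the ECS layout the integration's `httpjson` ingest pipeline produces, which is exactly the gap the issue asks the package to close.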

elasticmachine commented 1 year ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

jamiehynds commented 1 year ago

@kcreddy do you know if this is just a matter of adding the Event Hub input to the package or is there some complexity involved?

kcreddy commented 1 year ago

Hey @jamiehynds,

do you know if this is just a matter of adding the Event Hub input to the package or is there some complexity involved?

Yes, that should do it. I also see some more inputs that could be added: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming