Open SpencerLN opened 1 year ago
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
@kcreddy do you know if this is just a matter of adding the Event Hub input to the package or is there some complexity involved?
Hey @jamiehynds ,
do you know if this is just a matter of adding the Event Hub input to the package or is there some complexity involved?
Yes, that should do it. I also see some more inputs that could be added: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming
The current GitHub integration requires enterprise/organization owner privileges to ingest the audit log data. To avoid a service account with these privileges, we utilize the audit log streaming feature in GitHub to send the logs to an Azure Event Hub and then ingest the logs with the Azure Event Hub Filebeat input. Ideally, we would like to be able to utilize the GitHub integration package with data streaming instead of httpjson.
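For reference, this is the shape of the Filebeat configuration the workaround described above relies on: a standalone `azure-eventhub` input reading the GitHub audit log stream. It is an added illustration, not a configuration from the issue author or from the GitHub integration package, and every value in angle brackets, the hub name `github-audit-log`, the container name and the `github` target field are placeholders that are assumed here.

```yaml
# Added example: standalone Filebeat ingest of a GitHub audit log stream
# delivered to Azure Event Hubs. Placeholder values are assumptions.
filebeat.inputs:
  - type: azure-eventhub
    eventhub: "github-audit-log"          # assumed hub name used as the GitHub streaming target
    consumer_group: "$Default"
    # Use a shared access policy on the hub that grants only the Listen right;
    # the GitHub side needs Send, Filebeat never needs Send or Manage.
    connection_string: "Endpoint=sb://<namespace>.servicebus.windows.net/;SharedAccessKeyName=<listen-only-policy>;SharedAccessKey=<key>"
    # Blob storage used by the input to persist consumer checkpoints (offsets)
    storage_account: "<checkpoint-storage-account>"
    storage_account_key: "<storage-account-key>"
    storage_account_container: "filebeat-github-audit-checkpoints"
    tags: ["github-audit-stream"]

processors:
  # Each event arrives as a JSON document in `message`; unpack it under an
  # assumed `github` field so the audit fields are queryable.
  - decode_json_fields:
      fields: ["message"]
      target: "github"
      add_error_key: true

output.elasticsearch:
  hosts: ["<elasticsearch-host>:9200"]
```

Two points worth checking when running this: the Event Hub shared access policy in `connection_string` should be Listen-only so a leaked key cannot be used to inject forged audit events, and the checkpoint storage account should be dedicated to this input, since whoever can write those blobs can make Filebeat skip or replay events.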