Forum Discussion

Porter76's avatar
Porter76
Brass Contributor
Sep 14, 2023

How to monitor multiple Github orgs with Github Enterprise Audit logs Data connector

As stated in the subject, I am trying to figure out how I can monitor multiple organizations using the Github enterprise Audit log Data connector. 

 

Sending logs from an org to sentinel using the connector is very easy, you just generate a personal access token (PAT) and add it in the connector page along with the name of the org. My company currently has multiple orgs, and when I add another key for another Org, it starts sending logs for just the newly added org and ceases logs from the previous org.

 

Is it possible to monitor multiple Orgs with this Data Connector? Also worth mentioning for whatever reason I can't seem to find this connector in the content hub anymore

 

 

data collection
Log Data
siem

7 Replies

  • BillClarksonAntill's avatar
    BillClarksonAntill
    Iron Contributor
    Sep 15, 2023
    Theres 2 ways to go about this,

    You can create individual Microsoft Sentinel workspaces for each Org

    or

    go to the following link and deploy the codeless connector template again and replicate the Github audit connector in your sentinel

    https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GitHub

    Keep in mind that you will need to change the name(within the template) otherwise it will error out

    Hope this helps 🙂
    • Sergei2435's avatar
      Sergei2435
      Brass Contributor
      Nov 09, 2023
      Creating multiple workspaces might work if you have two or three organizations. I have a customer with over 20 organizations. It is clearly not the best solution for us.
    • Porter76's avatar
      Porter76
      Brass Contributor
      Sep 15, 2023
      I was able to succesfully deploy the codeless connector, but the logs coming over are useless. They are missing vital information like what organization an action was taken in. It seems like im only seeing logs related to adding and removing members. This makes me think I may need to edit something that I missed. I was hoping for logs as robust as the connector in content hub.
      • Sergei2435's avatar
        Sergei2435
        Brass Contributor
        Nov 09, 2023
        Also, I managed to deploy the solution, but it is not ingesting security logs, and we are receiving duplicate logs on top of that.
        The discussion regarding duplicate logs can be found here in more detail.
        https://github.com/Azure/Azure-Sentinel/issues/1384
        I raised an issue as a bug. The details can be found at https://github.com/Azure/Azure-Sentinel/issues/9356
        I look forward to hearing back from them.
        Porter76I would appreciate it if you could let me know if you found an alternative solution.
        Many Thanks

Resources