How to monitor multiple Github orgs with Github Enterprise Audit logs Data connector

Question

As stated in the subject, I am trying to figure out how I can monitor multiple organizations using the Github enterprise Audit log Data connector.

Sending logs from an org to sentinel using the connector is very easy, you just generate a personal access token (PAT) and add it in the connector page along with the name of the org. My company currently has multiple orgs, and when I add another key for another Org, it starts sending logs for just the newly added org and ceases logs from the previous org.

Is it possible to monitor multiple Orgs with this Data Connector? Also worth mentioning for whatever reason I can't seem to find this connector in the content hub anymore

porter76 · Answer

We ended up using the log streaming directly from github. We stream to an S3 (there are more options) and then use an azure function to pull the logs into LA and into sentinel. It did require some dev work but it is working for us.

billclarksonantill · Answer

Theres 2 ways to go about this,You can create individual Microsoft Sentinel workspaces for each Orgorgo to the following link and deploy the codeless connector template again and replicate the Github audit connector in your sentinelhttps://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GitHubKeep in mind that you will need to change the name(within the template) otherwise it will error outHope this helps 🙂

porter76 · Answer

I was able to succesfully deploy the codeless connector, but the logs coming over are useless. They are missing vital information like what organization an action was taken in. It seems like im only seeing logs related to adding and removing members. This makes me think I may need to edit something that I missed. I was hoping for logs as robust as the connector in content hub.

billclarksonantill · Answer

Porter76&nbsp;&nbsp;so with the codeless connector there will be a schema that has been deployed, look for any _CL log that is coming through into your workspaceto get a list of all your tables that you are ingesting into your workspace, run the following query to check&nbsp;search *
| summarize by $table

sergei2435 · Answer

Also, I managed to deploy the solution, but it is not ingesting security logs, and we are receiving duplicate logs on top of that.
The discussion regarding duplicate logs can be found here in more detail.
https://github.com/Azure/Azure-Sentinel/issues/1384
I raised an issue as a bug. The details can be found at https://github.com/Azure/Azure-Sentinel/issues/9356
I look forward to hearing back from them.
Porter76I would appreciate it if you could let me know if you found an alternative solution.
Many Thanks

Forum Discussion

How to monitor multiple Github orgs with Github Enterprise Audit logs Data connector

Share

Resources