Microsoft Sentinel Blog

Microsoft Sentinel – continuous threat monitoring for GitHub

KobyMymon, Microsoft
Feb 02, 2022

Earlier this month (December 2021), Microsoft Sentinel announced its new solution for continuous monitoring of GitHub using Microsoft Sentinel. GitHub lets you host, manage, and version-control software using Git. It is highly important to track the different activities in the company's GitHub repositories, to identify suspicious events, and to be able to investigate anomalies in the environment.

Today, together with Microsoft Sentinel, you can connect your enterprise-licensed GitHub repository environment to the Microsoft Sentinel workspace and ingest the GitHub audit log – tracking events such as new repository creation or deletion, counting the number of repository clones, and more. 

The continuous threat monitoring for GitHub solution contains out-of-the-box content, installed automatically to your Microsoft Sentinel workspace when you deploy the solution. The out-of-the-box content includes analytics rules and one workbook. We’re continuing to add more content to enrich the solution. 


For example, this screenshot is from our demo environment. You can see four different analytics rules: 

  1. Repository was created – this alert is triggered each time a repository is created in the GitHub environment that is connected to the Microsoft Sentinel workspace. In addition to the repository name, we get the actor who created the repository, so you can track the repositories and who is creating them.
  2. Repository was destroyed – this alert is triggered each time a repository is destroyed in the GitHub environment. It is critical to track the repositories being destroyed in order to verify that the users destroying them have the correct permissions and that these actions are not part of malicious activity.
  3. A payment method was removed – this alert is critical to know about and is triggered each time there is an action on the payment method configured for the GitHub account. It is important to know when the payment method is removed in order to validate who performed the action and to make sure you are aware of the issue.
  4. OAuth application – this alert is triggered each time a client secret is removed, which is another high-priority alert that you should be aware of. In case a secret is accidentally exposed, you will want to ensure that the old secret can be removed.


In addition to the out-of-the-box analytics rules, the solution contains a workbook that visualizes the data. The following screenshot is from our demo environment, and contains four different charts: 

  • Members that were added or removed from the GitHub repository 
  • Repositories created – contains repository name and actor who created them. 
  • Fork count by repository over time  
  • Clone count by repository over time 


Use the time range parameter to select the time window to investigate, from the last 90 days to the last 24 hours, or even less than that. 

Behind each chart is a KQL query, which you can customize and add to other charts, depending on your organization’s needs. 
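As an added illustration (not code from the solution or from this post), the following Python script applies the four analytics rules described above to GitHub audit-log entries and aggregates clone counts per repository, the same aggregation the workbook chart performs. The action names (`repo.create`, `repo.destroy`, `payment_method.remove`, `oauth_application.remove_client_secret`, `git.clone`) are assumed from the GitHub audit-log schema, and the events are constructed samples.

```python
from collections import Counter

# Maps GitHub audit-log action names to the solution's four analytics rules.
# Action names are assumed from the GitHub audit-log schema, not taken from the post.
RULES = {
    "repo.create": ("Repository was created", "Medium"),
    "repo.destroy": ("Repository was destroyed", "High"),
    "payment_method.remove": ("A payment method was removed", "High"),
    "oauth_application.remove_client_secret": ("OAuth application client secret removed", "High"),
}

# Constructed sample entries (not real data), shaped like GitHub audit-log export records.
SAMPLE_EVENTS = [
    {"action": "repo.create", "actor": "alice", "repo": "contoso/payments", "@timestamp": 1643760000000},
    {"action": "git.clone", "actor": "bob", "repo": "contoso/payments", "@timestamp": 1643760600000},
    {"action": "git.clone", "actor": "carol", "repo": "contoso/payments", "@timestamp": 1643761200000},
    {"action": "repo.destroy", "actor": "mallory", "repo": "contoso/legacy-api", "@timestamp": 1643761800000},
    {"action": "payment_method.remove", "actor": "mallory", "org": "contoso", "@timestamp": 1643762400000},
    {"action": "oauth_application.remove_client_secret", "actor": "dave", "@timestamp": 1643763000000},
    {"action": "org.add_member", "actor": "alice", "user": "erin", "@timestamp": 1643763600000},
]


def evaluate(events):
    """Return one alert per audit-log entry whose action matches an analytics rule.
    Each alert keeps the actor and target so an analyst can verify who acted and why."""
    alerts = []
    for ev in events:
        rule = RULES.get(ev.get("action"))
        if rule is None:
            continue  # not one of the four monitored actions
        name, severity = rule
        alerts.append({"rule": name, "severity": severity, "actor": ev.get("actor", "<unknown>"),
                       "target": ev.get("repo") or ev.get("org") or "<n/a>", "timestamp": ev.get("@timestamp")})
    return alerts


def count_by_repo(events, action="git.clone"):
    """Count an action per repository: the aggregation behind the workbook's clone/fork charts."""
    return Counter(ev["repo"] for ev in events if ev.get("action") == action and "repo" in ev)


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']}: actor={a['actor']} target={a['target']}")
    print("clones per repo:", dict(count_by_repo(SAMPLE_EVENTS)))
```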


To connect the GitHub connector to the Microsoft Sentinel environment, start in Microsoft Sentinel, selecting the workspace where you want to ingest the GitHub logs. Select Content hub and search for Continuous Threat Monitoring for GitHub. Select this solution and deploy it: 


To connect your enterprise-licensed repository, provide a GitHub access token. If you need to generate a new one, use this link. Then, find the deployed GitHub connector under Data connectors in Microsoft Sentinel: 


Enter your GitHub access token and select Connect.


For more information, see: 


Updated Feb 02, 2022
Version 1.0
  • timmynguyen
    Copper Contributor

    The tables aren't showing when I added to my workspace. Query searches aren't popping up in the logs or visualization. Is there any other additional configurations?

  • MuthuramanD
    Copper Contributor

    Is there a Microsoft Sentinel offering for onprem workloads especially on S3 compatible object storages via integration?

  • ChrisBristow
    Copper Contributor

    I have 2 questions:

    1. Is there any way to monitor more than 1 GitHub organisation? Can the Connector be duplicated somehow?

    2. I hear there is some rate limiting applied to a GitHub PAT which could limit the number of logs that can be ingested per hour, is this true? 

  • Reza_Ameri
    Silver Contributor

    Thank you for sharing and this is very valuable.

    While GitHub is being used globally, I would like to suggest integrating Microsoft Sentinel with Azure DevOps in the cloud and on-premises too.

    It is important to monitor its code repository too.