Earlier this month (December 2021), Microsoft Sentinel announced its new solution for continuous threat monitoring of GitHub. GitHub hosts Git repositories and lets you manage and version your software development. Because it holds source code and the access grants around it, it is important to track activity in the company's GitHub environment, to identify suspicious events, and to be able to investigate anomalies.
Today you can connect your GitHub Enterprise environment to a Microsoft Sentinel workspace and ingest the GitHub audit log, which records events such as repository creation and deletion, repository clones (so you can count them per repository), and more.
The continuous threat monitoring for GitHub solution contains out-of-the-box content, installed automatically to your Microsoft Sentinel workspace when you deploy the solution. The out-of-the-box content includes analytics rules and one workbook. We’re continuing to add more content to enrich the solution.
For example, the following screenshot from our demo environment shows four of the analytics rules:
In addition to the out-of-the-box analytics rules, the solution contains a workbook that visualizes the data. The following screenshot is from our demo environment, and contains four different charts:
Use the time range parameter to select the window to investigate, from the last 90 days down to the last 24 hours or shorter.
Behind each chart is a KQL query, which you can customize or reuse in additional charts, depending on your organization's needs.
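As an added illustration of the kind of query that sits behind a rule or a chart, the two queries below are not part of the original post or of the solution's shipped content. They assume the GitHub audit log lands in the custom table GitHubAuditLogPolling_CL with the raw audit-log fields suffixed by type (action_s, actor_s, repo_s, org_s); check the schema of your own workspace and adjust the names if they differ. The first query is the pattern for a scheduled analytics rule on repository deletion (audit-log action repo.destroy); the second is a workbook chart counting clones per repository, driven by the workbook's time range parameter described above.

```kql
// Added example; assumed table and column names, verify against your workspace schema.

// 1) Analytics rule: repository deleted.
//    Run as a scheduled rule, for example every hour over the last hour,
//    and map Actor to the Account entity in the rule wizard so the incident
//    carries the user who performed the deletion.
GitHubAuditLogPolling_CL
| where TimeGenerated > ago(1h)
| where action_s == "repo.destroy"
| project TimeGenerated,
          Organization = org_s,
          Repository = repo_s,
          Actor = actor_s
| order by TimeGenerated desc

// 2) Workbook chart: clones per repository over the selected time range.
//    {TimeRange} is the workbook time range parameter; when you paste the query
//    into Logs outside a workbook, replace "{TimeRange}" with "> ago(7d)".
//    Clone events (git.clone) appear only if your enterprise audit log includes Git events.
GitHubAuditLogPolling_CL
| where TimeGenerated {TimeRange}
| where action_s == "git.clone"
| summarize Clones = count() by Repository = repo_s, bin(TimeGenerated, 1d)
| render timechart
```

Run the two queries separately; in the Logs blade, place the cursor inside the one you want and select Run. The bin size in the chart query should match the time range you pick: 1d works for a 90-day window, while a 24-hour window reads better with bin(TimeGenerated, 1h).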
To connect the GitHub connector to the Microsoft Sentinel environment, start in Microsoft Sentinel, selecting the workspace where you want to ingest the GitHub logs. Select Content hub and search for Continuous Threat Monitoring for GitHub. Select this solution and deploy it:
To connect your GitHub Enterprise environment, provide a GitHub access token. If you need to generate a new one, use this link. Treat the token as a secret: grant it only the permission needed to read the audit log, and keep it in the connector configuration rather than in scripts or tickets, since anyone holding it can read the same audit data. Then, find the deployed GitHub connector under Data connectors in Microsoft Sentinel:
Enter your GitHub access token and select Connect.
For more information, see: