How to monitor multiple Github orgs with Github Enterprise Audit logs Data connector

Brass Contributor

As stated in the subject, I am trying to figure out how I can monitor multiple organizations using the Github enterprise Audit log Data connector. 

 

Sending logs from an org to sentinel using the connector is very easy, you just generate a personal access token (PAT) and add it in the connector page along with the name of the org. My company currently has multiple orgs, and when I add another key for another Org, it starts sending logs for just the newly added org and ceases logs from the previous org.

 

Is it possible to monitor multiple Orgs with this Data Connector? Also worth mentioning for whatever reason I can't seem to find this connector in the content hub anymore

 

Porter76_0-1694720679979.png

 

7 Replies
Theres 2 ways to go about this,

You can create individual Microsoft Sentinel workspaces for each Org

or

go to the following link and deploy the codeless connector template again and replicate the Github audit connector in your sentinel

https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/GitHub

Keep in mind that you will need to change the name(within the template) otherwise it will error out

Hope this helps :)
I was able to succesfully deploy the codeless connector, but the logs coming over are useless. They are missing vital information like what organization an action was taken in. It seems like im only seeing logs related to adding and removing members. This makes me think I may need to edit something that I missed. I was hoping for logs as robust as the connector in content hub.

@Porter76 

 

so with the codeless connector there will be a schema that has been deployed, look for any _CL log that is coming through into your workspace

to get a list of all your tables that you are ingesting into your workspace, run the following query to check

 

search *
| summarize by $table
Also, I managed to deploy the solution, but it is not ingesting security logs, and we are receiving duplicate logs on top of that.
The discussion regarding duplicate logs can be found here in more detail.
https://github.com/Azure/Azure-Sentinel/issues/1384
I raised an issue as a bug. The details can be found at https://github.com/Azure/Azure-Sentinel/issues/9356
I look forward to hearing back from them.
@Porter76I would appreciate it if you could let me know if you found an alternative solution.
Many Thanks
Creating multiple workspaces might work if you have two or three organizations. I have a customer with over 20 organizations. It is clearly not the best solution for us.
We ended up using the log streaming directly from github. We stream to an S3 (there are more options) and then use an azure function to pull the logs into LA and into sentinel. It did require some dev work but it is working for us.
Many Thanks for letting me know. I might try that approach.