GitHub
Scanner supports GitHub audit logs, which contain detailed records of actions performed within an organization's GitHub account. In order for Scanner to see these logs, you can configure GitHub to publish them to S3.
Step 1: Configure GitHub to stream audit logs to S3
GitHub Enterprise users can configure GitHub to export audit logs directly to S3. You can follow the GitHub documentation to accomplish this. See: Setting up streaming to Amazon S3.
Step 2: Link your S3 bucket to Scanner
If you haven't done so already, link the S3 bucket containing your GitHub audit logs to Scanner using the Linking AWS Accounts guide.
Step 3: Set up an S3 Import Rule in Scanner
Within Scanner, navigate to Settings > S3 Import Rules.
Click Create Rule.
For Rule name, type a name like
my_team_name_github_audit_logs
.For Destination Index, choose the index where you want these logs to be searchable in Scanner.
For Status, set to Active if you want to start indexing the data immediately.
For Source Type, we recommend
github:audit
, but you are free to choose any name. However, out-of-the-box detection rules will expectgithub:audit
.For AWS Account, choose the account that contains the S3 bucket containing GitHub audit logs.
For S3 Bucket, choose the S3 bucket containing GitHub audit logs.
For S3 Key Prefix, type the prefix (i.e. directory path) where the GitHub is writing logs.
For File type, choose JsonLines with Gzip compression.
For Timestamp extractors, under Column name, type
created
. This is the field in each log event that contains the timestamp information.Click Preview rule to try it out. Check that the S3 keys you expect are appearing, and check that the log events inside are being parsed properly with the timestamp detected properly.
When you're ready, click Create.
Last updated