Configure GitHub Cloud to send data to the Splunk Add-on for GitHub¶
You can collect the data from your GitHub Cloud using the following approaches:
- Utilize GitHub Cloud Log Streaming to collect the data
- To collect the data using this approach, refer to “Configure your GitHub Cloud Audit Log Streaming to send data to Splunk Add-on for GitHub” page for configuring the Splunk Cloud and GitHub Cloud Audit Log Streaming
- Utilize Add-on inputs to collect the data
- To collect the data using this approach, see the following to configure Account and Inputs
Collect data using the add-on inputs¶
Before you follow the instructions on this page to set up the Splunk Add-on for Github, obtain your Personal Access Token from Github Cloud. See your GitHub Documentation for more information.
Behavior of Audit logs API¶
- Audit logs list events triggered by the activities that affect your enterprise.
- By Default, APIs will collect audit data from the past three months. The APIs retain Git events such as cloning, fetching, and pushing data for seven days.
Steps to configure an Account in Github¶
- In Splunk Web, go to the Splunk Add-on for Github, by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Github.
- Click the Configuration tab.
- Click the Github Account tab.
In the Add dialogue box, fill in the required fields:
| Field | Description |
|---|---|
| Account Name | A unique name for your Github account. |
| Personal Access Token | The token you generated on Github Cloud. Next, configure your inputs. |
(Optional) Change logging level¶
You can change the default log level () to see more granular logs such as debug or more generic logs such as only error logs. The logging level can be configured using the steps below.
- On Splunk Web, go to the Splunk Add-on for Github, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Github.
- Click the Configuration tab.
- Click the Logging tab.
- Select a new logging level from the drop-down menu.
- Click Save to save your configurations.
(Optional) Proxy setup¶
If you have proxy set up for data collection, the proxy settings can be configured by providing the details so that the data will be collected via the configured proxy.
- On Splunk Web, go to the Splunk Add-on for Github, either by clicking the name of this add-on on the left navigation banner or by going to Manage Apps, then clicking Launch App in the row for the Splunk Add-on for Github.
- Click the Configuration tab.
- Click the Proxy tab.
- Check Enable and fill in the required fields.
Github Audit Input¶
Data will be collected in github:cloud:audit source type. The fields present in the Input are as below:
| Field | Type | Description |
|---|---|---|
| Name | Textbox | Unique Input Name |
| Event Type | Dropdown | Specifies the type of events to be collected: web - web (non-Git) events, git - Git events, all - both web and Git events |
| Account Type | Dropdown | The type of account for which you want to collect the data, i.e., Organization or Enterprise. This field becomes uneditable once you save the input successfully, to change this you can create a new input with the correct account type. |
| Organization /Enterprise Name | Textbox | Enter a valid name of Organization or Enterprise |
| Github Account | Dropdown | Select the account from the created Accounts in Configuration |
| Interval | Textbox | Enter the interval for consecutive invocations in seconds |
| Index | Textbox | Enter the index name in which you want to collect the data |
| Start Date | Textbox | Date to start the data collection from. Accepted in specified format - YYYY-MM-DDTHH:MM:SS |
To collect the audit-logs, the user should have the admin access of the organization/enterprise and read:audit_log scope for the Personal Access Token.
Github User Input¶
Data will be collected in github:cloud:user source type. The fields present in the Input are as below:
| Field | Type | Description |
|---|---|---|
| Name | Textbox | Unique Input Name |
| Github Account | Dropdown | Select the account from the created Accounts in Configuration |
| Organization /Enterprise Name | Textbox | Enter a valid name of Organization or Enterprise |
| Interval | Textbox | Enter the interval for consecutive invocations in seconds |
| Index | Textbox | Enter the index name in which you want to collect the data |
To collect the user data, the user should be a member of the organization and read:org scope for the Personal Access Token
Github Alerts Input¶
Data is collected specifcally using these sourcetypes:
- Code Scanning Alert: github:cloud:code:scanning:alerts
- Dependabot Scanning Alert: github:cloud:dependabot:scanning:alerts
- Secret Scanning Alert github:cloud:secret:scanning:alerts
The fields in the Input are as follows:
| Field | Type | Description |
|---|---|---|
| Name | Textbox | Unique Input Name |
| Account Type | Dropdown | The type of account for which you want to collect the data, i.e., Organization or Enterprise. This field becomes uneditable once you save the input successfully, and to change this you can create a new input with the correct account type. |
| Organization /Enterprise Name | Textbox | Enter a valid name of the Organization or Enterprise. |
| Github Account | Dropdown | Select the account from the created Accounts in Configuration |
| Alert Type | Dropdown | Select the appropriate alert type for the events you want to ingest, such as: Code Scanning Alerts, Dependabot Scanning Alerts, Secret Scanning Alerts Splunk selects the “Code Scanning Alerts” by default. This field becomes uneditable once you successfully save the input. You must create a new input with the correct Alert type to change this field. |
| State | Dropdown | The state in which you want to collect Code Scanning Alerts. Select Open, Closed, Dismissed, Fixed, or All from the list. By default, the “All” option will be considered |
| Severity | Dropdown | Visible only when the user selects “Organization” Account Type. The severity in which you want to collect Code Scanning Alerts. Select Critical, High, Medium, Low, Note, Error, or All from the list. By default, the All option will be considered. |
| Interval | Textbox | Enter the interval for consecutive invocations in seconds |
| Index | Textbox | Enter the index name in which you want to collect the data |
| Dependabot Alert Severity | Multi Select Dropdown | The severity in which you want to collect Dependabot Scanning Alerts. Visible only when the user selects “Dependabot Scanning Alert” from Alert Type dropdown. Select Critical, High, Medium, Low, and All from the list. By default, the All option will be considered. |
| Dependabot Alert State | Multi Select Dropdown | The state in which you want to collect Dependabot Scanning Alerts. Visible only when the user selects “Dependabot Scanning Alert” from Alert Type dropdown. Select auto_dismissed, open, dismissed, fixed, or All from the list. By default, the All option will be considered. |
| Dependaboth Alert Ecosystem | Multi Select Dropdown | The Ecosystem for which you want to collect Dependabot Scanning Alerts. Visible only when the user selects “Dependabot Scanning Alert” from Alert Type dropdown. Select rust, rubygems, pip, pub, nuget, maven, composer, go, npm, or All from the list. By default, the “All” option will be considered. |
| Dependabot Alert Scope | Dropdown | Select scope of the alerts to be ingested. Visible only when the user selects “Dependabot Scanning Alert” from Alert Type dropdown. Select development or runtime or All from the list. By default, the “All” option will be considered. |
| Secret Scanning Alerts Resolution | Multi Select Dropdown | The resolution in which you want to collect Secret Scanning Alerts. Visible only when the user selects “Secret Scanning Alert” from Alert Type dropdown. Select false_positive, wont_fix, revoked, pattern_edited, pattern_deleted, used_in_tests and All from the list. By default, the “All” option will be considered. |
| Secret Scanning Alerts Validity | Multi Select Dropdown | The Secret Scanning Alerts Validity in which you want to collect Secret Scanning Alerts. Visible only when the user selects “Secret Scanning Alert” from Alert Type dropdown. Select active, inactive ,unknown or All from the list. By default, the All option will be considered. |
| Secret Scanning State | Dropdown | The Secret Scanning Alerts state in which you want to collect Secret Scanning Alerts. Visible only when the user selects “Secret Scanning Alert” from Alert Type dropdown. Select Open or Resolved from the list. By default, the Open option will be considered. |
The fields that will be uneditable in the modinput are:
- Input Name
- Account Name
- Account Type
- Organization/Enterprise name
- State
- Severity
- Alert Type
- Dependabot Alert Severity
- Dependabot Alert State
- Ecosystem
- Dependabot Alert Scope
- Secret Scanning Alerts Resolution
- Secret Scanning Alerts and Validity
- Secret Scanning State
To collect code scanning alerts, the user should have admin access to the organization/enterprise and security_events or repo (for private or public repositories) or public_repo (for public repositories) scope for the Personal Access Token.
To collect Dependabot and secret scanning alerts, the user must be a member of Enterprise and an authenticated user of an organization owner. OAuth app tokens and personal access tokens (classic) need the security_events or repo to use this endpoint.
Validate data collection¶
Once you have configured the input, run this search to check that you are ingesting the correct expected data.
sourcetype=github:cloud:audit OR sourcetype=github:cloud:user OR souretype=github:cloud:code:scanning:alertsORgithub:cloud:dependabot:scanning:alerts OR github:cloud:secret:scanning:alerts