If you work in an enterprise environment, audit and compliance considerations often factor heavily into system design. Starting today, if you’re a GitHub Enterprise Cloud customer, you can set up a stream of audit log and Git events to Splunk or an Azure Event Hub. The stream forwards every one of these events in near real time, and retains data for playback for up to seven days in case you need to pause data collection.
We want enterprise administrators to be able to use the right tools for the job they need to do, whether that is a short-term investigation or longer-term threat analysis and prevention. Earlier this year we released the audit log and Git events API to help with immediate short-term needs. With audit log streaming, no audit log event will be lost. You will be able to satisfy longer-term data retention goals by storing streamed events within your own data collection systems. Analysis tools become more powerful as the dataset grows, making the Security Information and Event Management (SIEM) tool of your choosing the best place to parse GitHub audit log and Git events for months and years to come.
The majority of the events generated by any enterprise will be Git events. The best ways to look at these events are with our API and with the streaming capability, but the API only returns Git events data for the previous seven days. With audit log streaming, GitHub Enterprise Cloud customers will have the opportunity to look for patterns in Git activity for as long as they choose to retain that data. As you can see from the following examples, the metadata within these events is the same for both the API and the streaming payload. The only differences are the data retention period and the tool choice.
A common pattern we expect to see will be users filtering on events related to a specific GitHub organization. In the audit log streaming feature, this will work just like you’ve come to expect from the UI and API, where you can filter on org="organization-name" to get results specifically pertaining to organization-name. If you’re a Splunk user, this is how you would do that in the Splunk web client:
You can also use Splunk’s add-on for GitHub to see other use cases and dashboards.
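As an added example (not code from GitHub or from this post), the following shows what retaining streamed events lets you do beyond the seven-day API window: parse a batch of streamed events as newline-delimited JSON, apply the same org filter described above, and run a simple detection over the Git events. The sample events are constructed; the action names (git.clone, git.push), the @timestamp format and the ten-minute window and threshold are assumptions for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of streamed audit log / Git events (newline-delimited JSON).
# Only the "org" field comes from the post; action names and timestamps are assumed.
SAMPLE_STREAM = """\
{"@timestamp": "2021-10-01T12:00:00Z", "action": "git.clone", "actor": "alice", "org": "organization-name", "repo": "organization-name/api"}
{"@timestamp": "2021-10-01T12:00:05Z", "action": "git.clone", "actor": "alice", "org": "organization-name", "repo": "organization-name/web"}
{"@timestamp": "2021-10-01T12:00:09Z", "action": "git.clone", "actor": "alice", "org": "organization-name", "repo": "organization-name/infra"}
{"@timestamp": "2021-10-01T12:01:00Z", "action": "git.push", "actor": "bob", "org": "organization-name", "repo": "organization-name/api"}
{"@timestamp": "2021-10-01T12:02:00Z", "action": "git.clone", "actor": "carol", "org": "other-org", "repo": "other-org/tools"}
{"@timestamp": "2021-10-01T15:00:00Z", "action": "git.clone", "actor": "alice", "org": "organization-name", "repo": "organization-name/docs"}
"""

def parse_stream(text):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a SIEM would route such lines to a dead-letter index instead
        ev["ts"] = datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def filter_org(events, org):
    """Equivalent of the org="organization-name" filter used in the UI, API and Splunk."""
    return [ev for ev in events if ev.get("org") == org]

def bulk_clone_actors(events, window=timedelta(minutes=10), threshold=3):
    """Return {actor: distinct repos} for actors who cloned >= threshold distinct
    repos within any sliding window of the given length (clone events only)."""
    clones = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] == "git.clone":
            clones[ev["actor"]].append(ev)
    flagged = {}
    for actor, evs in clones.items():
        for i, start in enumerate(evs):
            repos = {e["repo"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(repos) >= threshold:
                flagged[actor] = len(repos)
                break
    return flagged
```

Running bulk_clone_actors(filter_org(parse_stream(SAMPLE_STREAM), "organization-name")) flags alice with 3 repos cloned inside ten minutes, while carol's clone in other-org is excluded by the org filter and alice's later clone falls outside the window.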
While we are in public beta, we will expand the number of options you have for where you can stream your audit and Git events while also improving the administrative experience within GitHub. You may not know what analysis tools you want to use today, but that shouldn’t stop you from setting up a stream right away. If this sounds like your use case, we will be adding support for these popular cloud storage systems to make it easier to get started:
Additionally, we are looking to add support for more SIEM partners and deeper integrations with threat prevention tools like Azure Sentinel.
To help you understand the current state of your stream, we will be adding more status and error handling information, along with other user interface improvements, as we add more supported integrations. If you run into any trouble or have questions, please contact firstname.lastname@example.org.
Set up your stream in minutes by following our documentation, navigating to your enterprise account settings under the audit log tab, and configuring your collection endpoint.