Introducing GitHub Advanced Security SIEM integrations for security professionals
Learn about using GitHub Advanced Security (GHAS) alerts with Security Information and Event Management (SIEM) tools. Check out the integrations, and read more about getting started.
This post was updated on March 15, 2023 to include the addition of Panther to our list of Security Information and Event Management (SIEM) providers.
GitHub Advanced Security (GHAS) is a developer-first application security platform. GitHub provides the Security Overview page, which gives users a high-level view of the security status of their organization or helps them identify problematic repositories that require intervention. However, security operations professionals may want to run more powerful queries, create customized dashboards and visualizations, or join GitHub alerts with additional data from environment logs. To meet these needs, we’re excited to announce our integrations with security information and event management (SIEM) providers Splunk, Microsoft Sentinel, Datadog, Elastic, Sumo Logic, and Panther. With these integrations, GHAS data can be easily exported to external SIEM reporting tools, enabling users to improve their security posture by increasing visibility into application security events.
By integrating GHAS with a SIEM solution, you can stitch together findings identified within the GitHub platform with other data, such as a Configuration Management Database (CMDB), user directory, or asset attribution system. This allows you to see events from your GHAS environment within the risk-based context of your business data. Some examples include:
- Severe vulnerabilities in your high-profile or user-facing applications
- A count of security alerts for each business unit
- Secrets resolved on a per-team basis
- The average time to remediate a vulnerability
- Which repositories depend on a vulnerable dependency
You can also join GitHub Advanced Security data with GitHub Audit Log data, so, for example, you could see if an API token identified by secret scanning was used after it was leaked. These integrations give you a great starting point to build interesting insights.
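The token-reuse check described above, as an added example that is not part of the original post and is not GitHub's or any vendor's integration code. It assumes alerts and audit events have already been exported as dictionaries; the field names (`number`, `secret`, `created_at`, `@timestamp`, `action`, `hashed_token`) and the base64 SHA-256 token hash are assumptions modeled on GitHub's formats, and all sample data is constructed.

```python
import base64
import hashlib
from datetime import datetime


def hashed_token(secret):
    # Assumed form of the audit log's hashed_token: base64(SHA-256(token)).
    return base64.b64encode(hashlib.sha256(secret.encode()).digest()).decode()


def to_ms(ts):
    # ISO 8601 UTC string -> epoch milliseconds (assumed audit log time unit).
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp() * 1000)


def token_use_after_leak(alerts, audit_events):
    """Map alert number -> audit events made with that token at or after detection."""
    by_hash = {}
    for ev in audit_events:
        if ev.get("hashed_token"):  # events not made with a token have no hash
            by_hash.setdefault(ev["hashed_token"], []).append(ev)
    findings = {}
    for alert in alerts:
        detected_ms = to_ms(alert["created_at"])
        hits = [ev for ev in by_hash.get(hashed_token(alert["secret"]), [])
                if ev["@timestamp"] >= detected_ms]
        if hits:
            findings[alert["number"]] = sorted(hits, key=lambda e: e["@timestamp"])
    return findings


# Constructed sample data: placeholder tokens, invented times and actions.
LEAKED, OTHER = "ghp_CONSTRUCTED_PLACEHOLDER_A", "ghp_CONSTRUCTED_PLACEHOLDER_B"
ALERTS = [
    {"number": 7, "secret": LEAKED, "created_at": "2023-03-01T12:00:00Z"},
    {"number": 8, "secret": OTHER, "created_at": "2023-03-02T09:00:00Z"},
]
EVENTS = [
    {"@timestamp": to_ms("2023-03-01T11:00:00Z"), "action": "git.clone", "hashed_token": hashed_token(LEAKED)},
    {"@timestamp": to_ms("2023-03-01T13:00:00Z"), "action": "repo.download_zip", "hashed_token": hashed_token(LEAKED)},
    {"@timestamp": to_ms("2023-03-01T12:30:00Z"), "action": "git.clone", "hashed_token": hashed_token(LEAKED)},
    {"@timestamp": to_ms("2023-03-01T08:00:00Z"), "action": "git.clone", "hashed_token": hashed_token(OTHER)},
    {"@timestamp": to_ms("2023-03-03T08:00:00Z"), "action": "org.add_member"},
]

if __name__ == "__main__":
    for number, hits in token_use_after_leak(ALERTS, EVENTS).items():
        print(number, [(h["action"], h["@timestamp"]) for h in hits])
```

Alert 7 is the only one reported: its token appears in two events after detection, while alert 8's token was last seen before its alert was raised.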
If your tool of choice is not included below, we’ve written a detailed integration guide that you or the vendor can follow to replicate these integrations. If you’re a SIEM or logging vendor interested in following this integration path, please join our technology partner program. Many of the integrations are licensed under an open source license, so if you’d like to contribute a query, or additional datasource, please make a pull request.
We’ve also partnered with a variety of Risk-Based Vulnerability Management platforms, which provide a more prescriptive view of the GHAS data specifically for security professionals; we’ll announce those in an upcoming post.
Splunk
Splunk is a data platform for security and observability, which helps organizations around the world investigate, monitor, analyze, and act on data at any scale. The Splunk integration is available on GitHub and Splunkbase, and provides add-ons for data sources:
- GitHub Audit Log Collection: Audit logs from GitHub Enterprise Cloud.
- GitHub.com Webhooks: A select set of webhook events like Push, PullRequest, and Repo.
- GitHub Enterprise Server Syslog Forwarder: Audit and application logs from GitHub Enterprise Server.
- GitHub Enterprise Collectd monitoring: Performance and infrastructure metrics from GitHub Enterprise Server.
Also, check out a handy Configuration Video Guide.
Microsoft Sentinel
Microsoft Sentinel is a cloud-native SIEM / security orchestration and automated response (SOAR) platform. The GitHub integration, available in public preview, is provided through the sentinel4github solution in the Azure Marketplace. The solution provides connectors to ingest GitHub audit logs and GitHub Advanced Security events into the platform. The Azure-Sentinel GitHub repository is the home for a comprehensive set of data connectors, log parsers, visualization workbooks, threat analytics detections, and threat hunting queries.
- Watch a demo of the GitHub App for Sentinel.
- Check out how to configure Sentinel with GitHub Advanced Security.
Datadog
Datadog seamlessly aggregates metrics, logs, and events across the full DevSecOps stack, enabling organizations to break down silos in a matter of minutes. The Datadog GitHub Apps integration is currently used by many organizations to reduce incident MTTR.
This updated integration will now include Audit Logs, Code Scans, Secret Scans, and Repository Metrics. This will help engineering teams get a detailed understanding of their security vulnerabilities and easily identify, prioritize, and act on them in a timely manner. To start using the new features, it is simply a matter of checking a few checkboxes in the integration configuration tile. Once configured, users get configurable out-of-the-box dashboards that serve as a starting point to understand key insights and present a summary to executive stakeholders. Security teams can also use other Datadog products, such as Monitors, to set alerts where needed, as well as the Logs Explorer product for further deep dives.
Sumo Logic
The Sumo Logic Continuous Intelligence Platform™ provides powerful real-time analytics and insights to help practitioners and developers ensure application reliability, secure and protect against modern threats, and gain insights into their cloud infrastructures.
Sumo Logic’s integration for GitHub is available as a comprehensive app in the Sumo App Catalog, and visualizes key insights ingested directly from GitHub Webhooks, audit logs, and GitHub Advanced Security events. Out-of-the-box dashboards, searches, and alerts make it easy for developers and security engineers to quickly understand repository and commit activity, normal and anomalous user activity, and security alerts generated from secrets scanning, code scanning, and Dependabot. This lets mutual customers quickly understand their GitHub data in Sumo, in addition to being able to correlate it with other data sources to get broader and deeper insights.
Elastic Security
Elastic Security combines SIEM threat detection features with endpoint prevention and response capabilities in one solution. These analytical and protection capabilities, leveraged by the speed and extensibility of Elasticsearch, enable analysts to defend their organization from threats.
Elastic’s GitHub integration is installed through the Elastic UI and is available to view within Elastic’s integration repository. The integration supports ingestion of GitHub audit events and GitHub Advanced Security events into Elastic Security. A set of visualizations, dashboards, and predefined searches are included with the integration. More information is available in Elastic documentation.
Learn how to easily ingest GitHub Advanced Security Alerts into Elastic Security.
Panther
Panther is a cloud-native SIEM built to support petabyte-scale and Detection-as-Code. With Panther, teams can build nuanced detections in Python and then test and deploy them seamlessly. Panther’s integration with GitHub provides robust audit logging capabilities to help organizations track and monitor security events from their GitHub organization. For security visibility, Panther ingests all relevant activities performed within GitHub, such as user logins, data access, and changes to security configurations. Once in Panther, the audit logs are stored in a security data lake and can be easily searched, correlated, and investigated, providing organizations with valuable insights into their security posture.