diff --git a/Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/ConnectorDefinition.json b/Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/ConnectorDefinition.json
index 56f06eb06fd..8949df9bf04 100644
--- a/Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/ConnectorDefinition.json
+++ b/Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/ConnectorDefinition.json
@@ -14,19 +14,19 @@
 {
 "metricName": "Total events received",
 "legend": "GitHubAuditLogEvents",
- "baseQuery": "GitHubAuditLogsV2_CL"
+ "baseQuery": "GitHubAuditLogsV3_CL"
 }
 ],
 "sampleQueries": [
 {
 "description": "GitHub Audit Logs",
- "query": "GitHubAuditLogsV2_CL | take 10"
+ "query": "GitHubAuditLogsV3_CL | take 10"
 }
 ],
 "dataTypes": [
 {
- "name": "GitHubAuditLogsV2_CL",
- "lastDataReceivedQuery": "GitHubAuditLogsV2_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ "name": "GitHubAuditLogsV3_CL",
+ "lastDataReceivedQuery": "GitHubAuditLogsV3_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
 }
 ],
 "connectivityCriteria": [
@@ -123,7 +123,7 @@
 "type": "Textbox",
 "parameters": {
 "label": "The blob container's storage account resource group name",
- "placeholder": "my-resource-group",
+ "placeholder": "",
 "type": "text",
 "name": "StorageAccountResourceGroupName"
 }
@@ -159,18 +159,15 @@ }, { "title": "Blob Lifecycle Policy (Recommended)", - "description": "To prevent unbounded storage growth, configure a [lifecycle management policy](https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview) on your storage account to automatically delete blobs after a retention period (for example, 7 days). Once the connector ingests the audit logs into Microsoft Sentinel, the source blobs are no longer needed.\n\nTo create a lifecycle rule scoped to your container:\n1. Navigate to your **Storage Account** -> **Data management** -> **Lifecycle management**.\n2. Click **Add a rule** and configure:\n - **Rule name:** for example, `github-audit-cleanup`\n - **Rule scope:** Select **Limit blobs with filters** and set the **Prefix match** to your container name (for example, `my-container/`). This ensures the rule applies only to blobs in that container.\n - **Blob type:** Block blobs.\n - **Base blobs:** Delete blobs that were last modified more than **7 days** ago (adjust as needed).\n3. Save the rule.\n\n> **Note:** Each storage account has a single management policy that can contain multiple rules. Each rule can target a specific container via prefix filters. If you already have a lifecycle policy, add a new rule to the existing policy rather than creating a new one.", - "instructions": [] + "description": "To prevent unbounded storage growth, configure a [lifecycle management policy](https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview) on your storage account to automatically delete blobs after a retention period (for example, 7 days). Once the connector ingests the audit logs into Microsoft Sentinel, the source blobs are no longer needed.\n\nTo create a lifecycle rule scoped to your container:\n1. Navigate to your **Storage Account** -> **Data management** -> **Lifecycle management**.\n2. 
Click **Add a rule** and configure:\n - **Rule name:** for example, `github-audit-cleanup`\n - **Rule scope:** Select **Limit blobs with filters** and set the **Prefix match** to your container name (for example, `my-container/`). This ensures the rule applies only to blobs in that container.\n - **Blob type:** Block blobs.\n - **Base blobs:** Delete blobs that were last modified more than **7 days** ago (adjust as needed).\n3. Save the rule.\n\n> **Note:** Each storage account has a single management policy that can contain multiple rules. Each rule can target a specific container via prefix filters. If you already have a lifecycle policy, add a new rule to the existing policy rather than creating a new one." }, { "title": "Reference", - "description": "For detailed instructions on setting up the Azure Storage connector to stream logs to Microsoft Sentinel, see [Set up Azure Storage connector](https://learn.microsoft.com/en-us/azure/sentinel/setup-azure-storage-connector).", - "instructions": [] + "description": "For detailed instructions on setting up the Azure Storage connector to stream logs to Microsoft Sentinel, see [Set up Azure Storage connector](https://learn.microsoft.com/en-us/azure/sentinel/setup-azure-storage-connector)." 
}, { "title": "Troubleshooting", - "description": "If you encounter issues with data ingestion:\n- **Enable the health feature** - If the connector health feature isn't enabled, enable it to monitor connector status and detect issues early.\n- **Enable diagnostic logs** - Consider enabling diagnostic logs for both the **Storage Account** and **Event Grid** resources to help identify and troubleshoot health issues.\n- For more details, see [Troubleshoot Azure Storage Blob connector issues](https://review.learn.microsoft.com/en-us/azure/sentinel/azure-storage-blob-connector-troubleshoot?branch=main).", - "instructions": [] + "description": "If you encounter issues with data ingestion:\n- **Enable the health feature** - If the connector health feature isn't enabled, enable it to monitor connector status and detect issues early.\n- **Enable diagnostic logs** - Consider enabling diagnostic logs for both the **Storage Account** and **Event Grid** resources to help identify and troubleshoot health issues.\n- For more details, see [Troubleshoot Azure Storage Blob connector issues](https://review.learn.microsoft.com/en-us/azure/sentinel/azure-storage-blob-connector-troubleshoot?branch=main)." } ] } diff --git a/Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/DCR.json b/Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/DCR.json index b31d21b2736..8e96fc649a0 100644 --- a/Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/DCR.json +++ b/Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/DCR.json 
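Review bot: The Troubleshooting description re-emitted on the new side still links to `https://review.learn.microsoft.com/en-us/azure/sentinel/azure-storage-blob-connector-troubleshoot?branch=main`, which is the internal docs review host and will not open for customers reading this connector page in the Sentinel portal. Since this hunk rewrites that line anyway, it should point at the published article, e.g. `https://learn.microsoft.com/en-us/azure/sentinel/azure-storage-blob-connector-troubleshoot`, assuming it has gone live; if it has not, drop the link until it does rather than ship a dead one. The other two links in this hunk already use the public `learn.microsoft.com` host, so only this one needs changing.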
@@ -932,6 +932,46 @@
 "name": "audit_log_stream_sink",
 "type": "string"
 },
+ {
+ "name": "repository",
+ "type": "string"
+ },
+ {
+ "name": "repository_id",
+ "type": "real"
+ },
+ {
+ "name": "token_scopes",
+ "type": "string"
+ },
+ {
+ "name": "request_method",
+ "type": "string"
+ },
+ {
+ "name": "query_string",
+ "type": "string"
+ },
+ {
+ "name": "request_body",
+ "type": "string"
+ },
+ {
+ "name": "status_code",
+ "type": "real"
+ },
+ {
+ "name": "url_path",
+ "type": "string"
+ },
+ {
+ "name": "route",
+ "type": "string"
+ },
+ {
+ "name": "rate_limit_remaining",
+ "type": "real"
+ },
 {
 "name": "actor_location",
 "type": "dynamic"
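Review bot: The new `request_body` and `query_string` stream columns pass raw HTTP request content from the GitHub audit log into the workspace with no redaction, and depending on what GitHub records in those fields they may carry tokens, credentials or PII that will then sit in Log Analytics for the table's full retention period. If GitHub documents these fields as already sanitized, a sentence to that effect in the connector description would settle it; otherwise consider leaving them out of the downstream `project`, or keeping only a fingerprint such as `RequestBodyHash = hash_sha256(tostring(request_body))`, so the security signal survives without the payload. `token_scopes` is the genuinely useful security field here and can stay as-is. The `columns` array this hunk extends starts before the hunk.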
@@ -955,8 +995,8 @@ "destinations": [ "clv2ws1" ], - "outputStream": "Custom-GitHubAuditLogsV2_CL", - "transformKql": "source | extend actor_locationDynamic = parse_json(actor_location) | extend CountryCode = tostring(actor_locationDynamic['country_code']) | extend TimestampLong = tolong(['@timestamp']) | extend TimeGenerated = datetime(1970-01-01) + (TimestampLong * 1ms) | project TimeGenerated, CreatedAt = created_at, Org = org, Action = action, Repo = repo, Actor = actor, CountryCode, User = user, Permission = permission, Visibility = visibility, PreviousVisibility = previous_visibility, OldPermission = old_permission, Team = team, BlockedUser = blocked_user, OperationType = operation_type, PublicRepo = repository_public, OrgId = org_id, InviteeEmail = invitee_email, ActorIp = actor_ip, ActorId = actor_id, ActorIsBot = actor_is_bot, BusinessId = business_id, RepoId = repo_id, UserAgent = user_agent, UserId = user_id, Email = email, RepositorySecurityConfigurationFailureReason = repository_security_configuration_failure_reason, RepositorySecurityConfigurationState = repository_security_configuration_state, OauthApplication = oauth_application, OauthApplicationUrl = oauth_application_url, OauthApplicationState = oauth_application_state, Reason = reason, MembershipType = membership_type, UserCanInviteCollaborators = user_can_invite_collaborators, CanCreateRepositories = can_create_repositories, SecurityConfigurationId = security_configuration_id, InvitationId = invitation_id, Topic = topic, DocumentId = _document_id, Business = business, RequestCategory = request_category, OauthApplicationId = oauth_application_id, OldRepoPermission = old_repo_permission, NewRepoPermission = new_repo_permission, RepositoriesRemovedNames = repositories_removed_names, Active = active, ActiveWas = active_was, Data = tostring(data), Config = tostring(config), ConfigWas = tostring(config_was), ContentType = content_type, DeployKeyFingerprint = deploy_key_fingerprint, Emoji = emoji, 
Events = tostring(events), EventsWere = tostring(events_were), Explanation = explanation, Fingerprint = fingerprint, HookId = hook_id, LimitedAvailability = limited_availability, Message = message, Name = name, OldUser = old_user, OpensshPublicKey = openssh_public_key, ReadOnly = read_only, TargetLogin = target_login, TransportProtocol = transport_protocol, TransportProtocolName = transport_protocol_name, StartedAt = started_at, CompletedAt = completed_at, Conclusion = conclusion, Event = event, HeadBranch = head_branch, HeadSha = head_sha, RunAttempt = run_attempt, RunNumber = run_number, TriggerId = trigger_id, WorkflowId = workflow_id, WorkflowRunId = workflow_run_id, EnvironmentName = environment_name, IsHostedRunner = is_hosted_runner, JobName = job_name, JobWorkflowRef = job_workflow_ref, RunnerGroupId = runner_group_id, RunnerGroupName = runner_group_name, RunnerId = runner_id, RunnerLabels = runner_labels, RunnerName = runner_name, SecretsPassed = secrets_passed, HashedToken = hashed_token, ProgrammaticAccessType = programmatic_access_type, RequestAccessSecurityHeader = request_access_security_header, TokenId = token_id, PullRequestId = pull_request_id, PullRequestTitle = pull_request_title, PullRequestUrl = pull_request_url, OldRolePermissions = old_role_permissions, RolePermissions = role_permissions, RequestId = request_id, BaseRole = base_role, CustomPattern = custom_pattern, Source = source, ActivityType = type, GhsaId = ghsa_id, Recipient = recipient, RunnerOwnerType = runner_owner_type, OrganizationRoleId = organization_role_id, OrganizationRoleName = organization_role_name, Owner = owner, OldTokenExpiration = old_token_expiration, ExemptAdministrators = exempt_administrators, TokenExpiration = token_expiration, Policy = policy, ApplicationClientId = application_client_id, Integration = integration, RepositoriesRemoved = repositories_removed, RepositorySelection = repository_selection, NewProjectBaseRole = new_project_base_role, OldProjectBaseRole = 
old_project_base_role, ProjectId = project_id, ProjectNumber = project_number, PublicProject = public_project, RulesetBypassActors = ruleset_bypass_actors, RulesetConditions = ruleset_conditions, RulesetEnforcement = ruleset_enforcement, RulesetId = ruleset_id, RulesetName = ruleset_name, RulesetRules = ruleset_rules, RulesetSourceType = ruleset_source_type, RulesetRulesDeleted = ruleset_rules_deleted, RulesetConditionsUpdated = ruleset_conditions_updated, AdminEnforced = admin_enforced, AllowDeletionsEnforcementLevel = allow_deletions_enforcement_level, AllowForcePushesEnforcementLevel = allow_force_pushes_enforcement_level, AuthorizedActorNames = authorized_actor_names, CreateProtected = create_protected, DismissStaleReviewsOnPush = dismiss_stale_reviews_on_push, EnforcementLevel = enforcement_level, IgnoreApprovalsFromContributors = ignore_approvals_from_contributors, LinearHistoryRequirementEnforcementLevel = linear_history_requirement_enforcement_level, LockAllowsFetchAndMerge = lock_allows_fetch_and_merge, LockBranchEnforcementLevel = lock_branch_enforcement_level, MergeQueueEnforcementLevel = merge_queue_enforcement_level, PullRequestReviewsEnforcementLevel = pull_request_reviews_enforcement_level, RequireCodeOwnerReview = require_code_owner_review, RequireLastPushApproval = require_last_push_approval, RequiredApprovingReviewCount = required_approving_review_count, RequiredDeploymentsEnforcementLevel = required_deployments_enforcement_level, RequiredReviewThreadResolutionEnforcementLevel = required_review_thread_resolution_enforcement_level, RequiredStatusChecksEnforcementLevel = required_status_checks_enforcement_level, SignatureRequirementEnforcementLevel = signature_requirement_enforcement_level, StrictRequiredStatusChecksPolicy = strict_required_status_checks_policy, AllowedValues = allowed_values, DefaultValue = default_value, DefinitionId = definition_id, Description = description, PropertyName = property_name, ValueType = value_type, ValuesEditableBy 
= values_editable_by, OldValuesEditableBy = old_values_editable_by, OldDefaultValue = old_default_value, OldRequired = old_required, Required = required, Enablement = enablement, OwnerType = owner_type, CommitId = commit_id, RuleSuiteId = rule_suite_id, Referrer = referrer, Reasons = reasons, OverriddenCodes = overridden_codes, After = after, Before = before, Branch = branch, IssueTypeName = issue_type_name, OldDescription = old_description, OldEnabled = old_enabled, OldIssueTypeName = old_issue_type_name, NewAccess = new_access, OldAccess = old_access, UpdatedAllowedTypes = updated_allowed_types, NewPolicy = new_policy, NewRepoRunnersPolicy = new_repo_runners_policy, OldRepoRunnersPolicy = old_repo_runners_policy, Limit = ['limit'], RunnerGroupRestrictedToWorkflows = runner_group_restricted_to_workflows, RunnerGroupSelectedWorkflowRefs = runner_group_selected_workflow_refs, RunnerGroupAllowPublic = runner_group_allow_public, IpAllowListEntry = ip_allow_list_entry, TwoFactorMethod = two_factor_method, AlertNumbers = alert_numbers, CommitOid = commit_oid, Ref = ref, DefaultForNewPrivateRepos = default_for_new_private_repos, DefaultForNewPublicRepos = default_for_new_public_repos, DomainName = domain_name, Key = key, SecurityConfigurationCodeScanning = security_configuration_code_scanning, SecurityConfigurationCodeSecuritySkuEnabled = security_configuration_code_security_sku_enabled, SecurityConfigurationCreatedAt = security_configuration_created_at, SecurityConfigurationDependabotAlerts = security_configuration_dependabot_alerts, SecurityConfigurationDependabotSecurityUpdates = security_configuration_dependabot_security_updates, SecurityConfigurationDependencyGraph = security_configuration_dependency_graph, SecurityConfigurationDependencyGraphAutosubmitAction = security_configuration_dependency_graph_autosubmit_action, SecurityConfigurationDescription = security_configuration_description, SecurityConfigurationEnableGhas = security_configuration_enable_ghas, 
SecurityConfigurationName = security_configuration_name, SecurityConfigurationPrivateVulnerabilityReporting = security_configuration_private_vulnerability_reporting, SecurityConfigurationSecretProtectionSkuEnabled = security_configuration_secret_protection_sku_enabled, SecurityConfigurationSecretScanning = security_configuration_secret_scanning, SecurityConfigurationSecretScanningDelegatedBypass = security_configuration_secret_scanning_delegated_bypass, SecurityConfigurationSecretScanningGenericSecrets = security_configuration_secret_scanning_generic_secrets, SecurityConfigurationSecretScanningNonProviderPatterns = security_configuration_secret_scanning_non_provider_patterns, SecurityConfigurationSecretScanningPushProtection = security_configuration_secret_scanning_push_protection, SecurityConfigurationSecretScanningValidityChecks = security_configuration_secret_scanning_validity_checks, SecurityConfigurationUpdatedAt = security_configuration_updated_at, ThreatModel = threat_model, QuerySuite = query_suite, VulnerabilityAlertRuleActionsAlertActionsAutoDismiss = vulnerability_alert_rule_actions_alert_actions_auto_dismiss, VulnerabilityAlertRuleActionsVersion = vulnerability_alert_rule_actions_version, VulnerabilityAlertRuleConditionsCwe = vulnerability_alert_rule_conditions_cwe, VulnerabilityAlertRuleConditionsEcosystem = vulnerability_alert_rule_conditions_ecosystem, VulnerabilityAlertRuleConditionsScope = vulnerability_alert_rule_conditions_scope, VulnerabilityAlertRuleId = vulnerability_alert_rule_id, VulnerabilityAlertRuleName = vulnerability_alert_rule_name, DismissalApproverId = dismissal_approver_id, SsoUrl = sso_url, Issuer = issuer, ExternalIdentityUsername = external_identity_username, ExternalIdentityNameid = external_identity_nameid, AuditLogStreamResult = audit_log_stream_result, AuditLogStreamSinkDetails = audit_log_stream_sink_details, AuditLogStreamId = audit_log_stream_id, AuditLogStreamSink = audit_log_stream_sink" + "outputStream": 
"Custom-GitHubAuditLogsV3_CL", + "transformKql": "source | extend actor_locationDynamic = parse_json(actor_location) | extend CountryCode = tostring(actor_locationDynamic['country_code']) | extend TimestampLong = tolong(['@timestamp']) | extend TimeGenerated = datetime(1970-01-01) + (TimestampLong * 1ms) | project TimeGenerated, CreatedAt = created_at, Org = org, Action = action, Repo = repo, Actor = actor, CountryCode, User = user, Permission = permission, Visibility = visibility, PreviousVisibility = previous_visibility, OldPermission = old_permission, Team = team, BlockedUser = blocked_user, OperationType = operation_type, PublicRepo = repository_public, OrgId = org_id, InviteeEmail = invitee_email, ActorIp = actor_ip, ActorId = actor_id, ActorIsBot = actor_is_bot, BusinessId = business_id, RepoId = repo_id, UserAgent = user_agent, UserId = user_id, Email = email, RepositorySecurityConfigurationFailureReason = repository_security_configuration_failure_reason, RepositorySecurityConfigurationState = repository_security_configuration_state, OauthApplication = oauth_application, OauthApplicationUrl = oauth_application_url, OauthApplicationState = oauth_application_state, Reason = reason, MembershipType = membership_type, UserCanInviteCollaborators = user_can_invite_collaborators, CanCreateRepositories = can_create_repositories, SecurityConfigurationId = security_configuration_id, InvitationId = invitation_id, Topic = topic, DocumentId = _document_id, Business = business, RequestCategory = request_category, OauthApplicationId = oauth_application_id, OldRepoPermission = old_repo_permission, NewRepoPermission = new_repo_permission, RepositoriesRemovedNames = repositories_removed_names, Active = active, ActiveWas = active_was, Data = tostring(data), Config = tostring(config), ConfigWas = tostring(config_was), ContentType = content_type, DeployKeyFingerprint = deploy_key_fingerprint, Emoji = emoji, Events = tostring(events), EventsWere = tostring(events_were), 
Explanation = explanation, Fingerprint = fingerprint, HookId = hook_id, LimitedAvailability = limited_availability, Message = message, Name = name, OldUser = old_user, OpensshPublicKey = openssh_public_key, ReadOnly = read_only, TargetLogin = target_login, TransportProtocol = transport_protocol, TransportProtocolName = transport_protocol_name, StartedAt = started_at, CompletedAt = completed_at, Conclusion = conclusion, Event = event, HeadBranch = head_branch, HeadSha = head_sha, RunAttempt = run_attempt, RunNumber = run_number, TriggerId = trigger_id, WorkflowId = workflow_id, WorkflowRunId = workflow_run_id, EnvironmentName = environment_name, IsHostedRunner = is_hosted_runner, JobName = job_name, JobWorkflowRef = job_workflow_ref, RunnerGroupId = runner_group_id, RunnerGroupName = runner_group_name, RunnerId = runner_id, RunnerLabels = runner_labels, RunnerName = runner_name, SecretsPassed = secrets_passed, HashedToken = hashed_token, ProgrammaticAccessType = programmatic_access_type, RequestAccessSecurityHeader = request_access_security_header, TokenId = token_id, PullRequestId = pull_request_id, PullRequestTitle = pull_request_title, PullRequestUrl = pull_request_url, OldRolePermissions = old_role_permissions, RolePermissions = role_permissions, RequestId = request_id, BaseRole = base_role, CustomPattern = custom_pattern, Source = source, ActivityType = type, GhsaId = ghsa_id, Recipient = recipient, RunnerOwnerType = runner_owner_type, OrganizationRoleId = organization_role_id, OrganizationRoleName = organization_role_name, Owner = owner, OldTokenExpiration = old_token_expiration, ExemptAdministrators = exempt_administrators, TokenExpiration = token_expiration, Policy = policy, ApplicationClientId = application_client_id, Integration = integration, RepositoriesRemoved = repositories_removed, RepositorySelection = repository_selection, NewProjectBaseRole = new_project_base_role, OldProjectBaseRole = old_project_base_role, ProjectId = project_id, ProjectNumber = 
project_number, PublicProject = public_project, RulesetBypassActors = ruleset_bypass_actors, RulesetConditions = ruleset_conditions, RulesetEnforcement = ruleset_enforcement, RulesetId = ruleset_id, RulesetName = ruleset_name, RulesetRules = ruleset_rules, RulesetSourceType = ruleset_source_type, RulesetRulesDeleted = ruleset_rules_deleted, RulesetConditionsUpdated = ruleset_conditions_updated, AdminEnforced = admin_enforced, AllowDeletionsEnforcementLevel = allow_deletions_enforcement_level, AllowForcePushesEnforcementLevel = allow_force_pushes_enforcement_level, AuthorizedActorNames = authorized_actor_names, CreateProtected = create_protected, DismissStaleReviewsOnPush = dismiss_stale_reviews_on_push, EnforcementLevel = enforcement_level, IgnoreApprovalsFromContributors = ignore_approvals_from_contributors, LinearHistoryRequirementEnforcementLevel = linear_history_requirement_enforcement_level, LockAllowsFetchAndMerge = lock_allows_fetch_and_merge, LockBranchEnforcementLevel = lock_branch_enforcement_level, MergeQueueEnforcementLevel = merge_queue_enforcement_level, PullRequestReviewsEnforcementLevel = pull_request_reviews_enforcement_level, RequireCodeOwnerReview = require_code_owner_review, RequireLastPushApproval = require_last_push_approval, RequiredApprovingReviewCount = required_approving_review_count, RequiredDeploymentsEnforcementLevel = required_deployments_enforcement_level, RequiredReviewThreadResolutionEnforcementLevel = required_review_thread_resolution_enforcement_level, RequiredStatusChecksEnforcementLevel = required_status_checks_enforcement_level, SignatureRequirementEnforcementLevel = signature_requirement_enforcement_level, StrictRequiredStatusChecksPolicy = strict_required_status_checks_policy, AllowedValues = allowed_values, DefaultValue = default_value, DefinitionId = definition_id, Description = description, PropertyName = property_name, ValueType = value_type, ValuesEditableBy = values_editable_by, OldValuesEditableBy = 
old_values_editable_by, OldDefaultValue = old_default_value, OldRequired = old_required, Required = required, Enablement = enablement, OwnerType = owner_type, CommitId = commit_id, RuleSuiteId = rule_suite_id, Referrer = referrer, Reasons = reasons, OverriddenCodes = overridden_codes, After = after, Before = before, Branch = branch, IssueTypeName = issue_type_name, OldDescription = old_description, OldEnabled = old_enabled, OldIssueTypeName = old_issue_type_name, NewAccess = new_access, OldAccess = old_access, UpdatedAllowedTypes = updated_allowed_types, NewPolicy = new_policy, NewRepoRunnersPolicy = new_repo_runners_policy, OldRepoRunnersPolicy = old_repo_runners_policy, Limit = ['limit'], RunnerGroupRestrictedToWorkflows = runner_group_restricted_to_workflows, RunnerGroupSelectedWorkflowRefs = runner_group_selected_workflow_refs, RunnerGroupAllowPublic = runner_group_allow_public, IpAllowListEntry = ip_allow_list_entry, TwoFactorMethod = two_factor_method, AlertNumbers = alert_numbers, CommitOid = commit_oid, Ref = ref, DefaultForNewPrivateRepos = default_for_new_private_repos, DefaultForNewPublicRepos = default_for_new_public_repos, DomainName = domain_name, Key = key, SecurityConfigurationCodeScanning = security_configuration_code_scanning, SecurityConfigurationCodeSecuritySkuEnabled = security_configuration_code_security_sku_enabled, SecurityConfigurationCreatedAt = security_configuration_created_at, SecurityConfigurationDependabotAlerts = security_configuration_dependabot_alerts, SecurityConfigurationDependabotSecurityUpdates = security_configuration_dependabot_security_updates, SecurityConfigurationDependencyGraph = security_configuration_dependency_graph, SecurityConfigurationDependencyGraphAutosubmitAction = security_configuration_dependency_graph_autosubmit_action, SecurityConfigurationDescription = security_configuration_description, SecurityConfigurationEnableGhas = security_configuration_enable_ghas, SecurityConfigurationName = 
security_configuration_name, SecurityConfigurationPrivateVulnerabilityReporting = security_configuration_private_vulnerability_reporting, SecurityConfigurationSecretProtectionSkuEnabled = security_configuration_secret_protection_sku_enabled, SecurityConfigurationSecretScanning = security_configuration_secret_scanning, SecurityConfigurationSecretScanningDelegatedBypass = security_configuration_secret_scanning_delegated_bypass, SecurityConfigurationSecretScanningGenericSecrets = security_configuration_secret_scanning_generic_secrets, SecurityConfigurationSecretScanningNonProviderPatterns = security_configuration_secret_scanning_non_provider_patterns, SecurityConfigurationSecretScanningPushProtection = security_configuration_secret_scanning_push_protection, SecurityConfigurationSecretScanningValidityChecks = security_configuration_secret_scanning_validity_checks, SecurityConfigurationUpdatedAt = security_configuration_updated_at, ThreatModel = threat_model, QuerySuite = query_suite, VulnerabilityAlertRuleActionsAlertActionsAutoDismiss = vulnerability_alert_rule_actions_alert_actions_auto_dismiss, VulnerabilityAlertRuleActionsVersion = vulnerability_alert_rule_actions_version, VulnerabilityAlertRuleConditionsCwe = vulnerability_alert_rule_conditions_cwe, VulnerabilityAlertRuleConditionsEcosystem = vulnerability_alert_rule_conditions_ecosystem, VulnerabilityAlertRuleConditionsScope = vulnerability_alert_rule_conditions_scope, VulnerabilityAlertRuleId = vulnerability_alert_rule_id, VulnerabilityAlertRuleName = vulnerability_alert_rule_name, DismissalApproverId = dismissal_approver_id, SsoUrl = sso_url, Issuer = issuer, ExternalIdentityUsername = external_identity_username, ExternalIdentityNameid = external_identity_nameid, AuditLogStreamResult = audit_log_stream_result, AuditLogStreamSinkDetails = audit_log_stream_sink_details, AuditLogStreamId = audit_log_stream_id, AuditLogStreamSink = audit_log_stream_sink, Repository = repository, RepositoryId = repository_id, 
TokenScopes = token_scopes, RequestMethod = request_method, QueryString = query_string, RequestBody = request_body, StatusCode = status_code, UrlPath = url_path, Route = route, RateLimitRemaining = rate_limit_remaining"
 }
 ]
 }
diff --git a/Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/PollingConfig.json b/Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/PollingConfig.json
index 1f6b77b0580..82e2dc8360d 100644
--- a/Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/PollingConfig.json
+++ b/Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/PollingConfig.json
@@ -29,7 +29,7 @@
 "isGzipCompressed": true
 },
 "connectorDefinitionName": "GitHubAuditBlobConnector",
- "dataType": "GitHubAuditLogsV2_CL",
+ "dataType": "GitHubAuditLogsV3_CL",
 "dcrConfig": {
 "streamName": "Custom-GitHubAuditLogs",
 "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
diff --git a/Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/table_GitHubAuditLogsV2.json b/Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/table_GitHubAuditLogsV2.json
index 263217521ba..2f7d5b5032a 100644
--- a/Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/table_GitHubAuditLogsV2.json
+++ b/Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/table_GitHubAuditLogsV2.json
@@ -1172,4 +1172,4 @@
 ]
 }
 }
-}
\ No newline at end of file
+}
diff --git a/Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/table_GitHubAuditLogsV3.json b/Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/table_GitHubAuditLogsV3.json
new file mode 100644
index 00000000000..b5472e63ec7
--- /dev/null
+++ b/Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/table_GitHubAuditLogsV3.json
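Review bot: The DCR's only data flow now writes to `Custom-GitHubAuditLogsV3_CL`, yet `table_GitHubAuditLogsV2.json` stays in the solution (its only change in this diff is the trailing newline), so a fresh deployment will still create `GitHubAuditLogsV2_CL` while nothing feeds it, and any customer analytics rules, workbooks or hunting queries built on the V2 table will go quiet with no error to point at. Either retire the V2 table definition in the same change or add a migration statement to the connector description, something like `Events are now ingested into GitHubAuditLogsV3_CL; update any queries or rules that reference GitHubAuditLogsV2_CL.` The ten new `project` mappings at the end of `transformKql` line up with the columns added to the stream declaration, so the transform itself looks consistent. The `dataFlows` entry this hunk modifies begins before the hunk.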
@@ -0,0 +1,1225 @@ +{ + "name": "GitHubAuditLogsV3_CL", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2022-10-01", + "tags": { + "StreamName": "Custom-GitHubAuditLogsV3_CL" + }, + "properties": { + "schema": { + "name": "GitHubAuditLogsV3_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "Org", + "type": "string", + "description": "The GitHub organization associated with the audit log event." + }, + { + "name": "Action", + "type": "string", + "description": "The name of the action that was performed, for example user.login or repo.create." + }, + { + "name": "Repo", + "type": "string", + "description": "The name of the repository associated with the event." + }, + { + "name": "Actor", + "type": "string", + "description": "The actor who performed the action." + }, + { + "name": "CountryCode", + "type": "string", + "description": "The country code from the actor's location." + }, + { + "name": "User", + "type": "string", + "description": "The user that was affected by the action performed." + }, + { + "name": "Permission", + "type": "string", + "description": "The permission level granted or associated with the action." + }, + { + "name": "Visibility", + "type": "string", + "description": "The repository visibility, for example public or private." + }, + { + "name": "PreviousVisibility", + "type": "string", + "description": "The previous repository visibility before the change." + }, + { + "name": "OldPermission", + "type": "string", + "description": "The previous permission level before the change." + }, + { + "name": "Team", + "type": "string", + "description": "The team associated with the audit log event." + }, + { + "name": "BlockedUser", + "type": "string", + "description": "The username of the account being blocked." + }, + { + "name": "OperationType", + "type": "string", + "description": "The type of operation performed, for example create, modify, or delete." 
+ }, + { + "name": "PublicRepo", + "type": "boolean", + "description": "Whether the repository is public." + }, + { + "name": "OrgId", + "type": "real", + "description": "The numeric identifier of the GitHub organization." + }, + { + "name": "CreatedAt", + "type": "real", + "description": "The time the audit log event was recorded, given as a Unix timestamp in milliseconds." + }, + { + "name": "InviteeEmail", + "type": "string", + "description": "The email address of the person invited." + }, + { + "name": "ActorIp", + "type": "string", + "description": "The IP address of the actor who performed the action.", + "dataTypeHint": "IP" + }, + { + "name": "ActorId", + "type": "real", + "description": "The numeric identifier of the actor who performed the action." + }, + { + "name": "ActorIsBot", + "type": "boolean", + "description": "Whether the actor is a bot account." + }, + { + "name": "BusinessId", + "type": "real", + "description": "The numeric identifier of the GitHub Enterprise business." + }, + { + "name": "RepoId", + "type": "real", + "description": "The numeric identifier of the repository." + }, + { + "name": "UserAgent", + "type": "string", + "description": "The user agent string of the client that initiated the action." + }, + { + "name": "UserId", + "type": "real", + "description": "The numeric identifier of the affected user." + }, + { + "name": "Email", + "type": "string", + "description": "The email address associated with the event." + }, + { + "name": "RepositorySecurityConfigurationFailureReason", + "type": "dynamic", + "description": "The reason a repository security configuration failed to apply." + }, + { + "name": "RepositorySecurityConfigurationState", + "type": "dynamic", + "description": "The state of the repository security configuration." + }, + { + "name": "SecurityConfigurationName", + "type": "string", + "description": "The name of the security configuration." 
+ }, + { + "name": "OauthApplication", + "type": "string", + "description": "The name of the OAuth application involved in the event." + }, + { + "name": "OauthApplicationUrl", + "type": "string", + "description": "The URL of the OAuth application." + }, + { + "name": "OauthApplicationState", + "type": "string", + "description": "The state of the OAuth application." + }, + { + "name": "Reason", + "type": "string", + "description": "The reason for the action or event." + }, + { + "name": "MembershipType", + "type": "string", + "description": "The type of membership, for example admin or member." + }, + { + "name": "UserCanInviteCollaborators", + "type": "boolean", + "description": "Whether the user has permission to invite collaborators." + }, + { + "name": "CanCreateRepositories", + "type": "boolean", + "description": "Whether the user has permission to create repositories." + }, + { + "name": "SecurityConfigurationId", + "type": "real", + "description": "The numeric identifier of the security configuration." + }, + { + "name": "InvitationId", + "type": "real", + "description": "The numeric identifier of the invitation." + }, + { + "name": "Topic", + "type": "string", + "description": "The topic associated with the event." + }, + { + "name": "DocumentId", + "type": "string", + "description": "A unique identifier for the audit event." + }, + { + "name": "Business", + "type": "string", + "description": "The name of the GitHub Enterprise business." + }, + { + "name": "RequestCategory", + "type": "string", + "description": "The category of the request." + }, + { + "name": "OauthApplicationId", + "type": "real", + "description": "The numeric identifier of the OAuth application." + }, + { + "name": "OldRepoPermission", + "type": "string", + "description": "The previous repository permission before the change." + }, + { + "name": "NewRepoPermission", + "type": "string", + "description": "The new repository permission after the change." 
+ }, + { + "name": "RepositoriesRemovedNames", + "type": "string", + "description": "The names of repositories that were removed." + }, + { + "name": "Active", + "type": "boolean", + "description": "Whether the resource is currently active." + }, + { + "name": "ActiveWas", + "type": "boolean", + "description": "Whether the resource was previously active." + }, + { + "name": "Data", + "type": "string", + "description": "Additional data associated with the event, serialized as a JSON string." + }, + { + "name": "Config", + "type": "string", + "description": "The current configuration associated with the event, serialized as a JSON string." + }, + { + "name": "ConfigWas", + "type": "string", + "description": "The previous configuration before the change, serialized as a JSON string." + }, + { + "name": "ContentType", + "type": "string", + "description": "The content type of the resource." + }, + { + "name": "DeployKeyFingerprint", + "type": "string", + "description": "The fingerprint of the deploy key." + }, + { + "name": "Emoji", + "type": "string", + "description": "The emoji associated with the event." + }, + { + "name": "Events", + "type": "string", + "description": "The current events configuration, serialized as a JSON string." + }, + { + "name": "EventsWere", + "type": "string", + "description": "The previous events configuration before the change, serialized as a JSON string." + }, + { + "name": "Explanation", + "type": "string", + "description": "An explanation or additional context for the event." + }, + { + "name": "Fingerprint", + "type": "string", + "description": "The fingerprint of the key or certificate." + }, + { + "name": "HookId", + "type": "real", + "description": "The numeric identifier of the webhook." + }, + { + "name": "LimitedAvailability", + "type": "boolean", + "description": "Whether the feature has limited availability." + }, + { + "name": "Message", + "type": "string", + "description": "A message associated with the event." 
+ }, + { + "name": "Name", + "type": "string", + "description": "The name of the resource associated with the event." + }, + { + "name": "OldUser", + "type": "string", + "description": "The previous user before the change." + }, + { + "name": "OpensshPublicKey", + "type": "string", + "description": "The OpenSSH public key associated with the event." + }, + { + "name": "ReadOnly", + "type": "boolean", + "description": "Whether the resource is read-only." + }, + { + "name": "TargetLogin", + "type": "string", + "description": "The login of the target user." + }, + { + "name": "TransportProtocol", + "type": "real", + "description": "The type of protocol (for example, HTTP or SSH) used to transfer Git data." + }, + { + "name": "TransportProtocolName", + "type": "string", + "description": "A human readable name for the protocol used to transfer Git data." + }, + { + "name": "StartedAt", + "type": "datetime", + "description": "The time the workflow or job started." + }, + { + "name": "CompletedAt", + "type": "datetime", + "description": "The time the workflow or job completed." + }, + { + "name": "Conclusion", + "type": "string", + "description": "The conclusion status of the workflow run, for example success or failure." + }, + { + "name": "Event", + "type": "string", + "description": "The event that triggered the workflow." + }, + { + "name": "HeadBranch", + "type": "string", + "description": "The head branch of the workflow run." + }, + { + "name": "HeadSha", + "type": "string", + "description": "The HEAD SHA of the commit that triggered the workflow." + }, + { + "name": "RunAttempt", + "type": "real", + "description": "The attempt number of the workflow run." + }, + { + "name": "RunNumber", + "type": "real", + "description": "The run number of the workflow." + }, + { + "name": "TriggerId", + "type": "real", + "description": "The numeric identifier of the trigger." 
+ }, + { + "name": "WorkflowId", + "type": "real", + "description": "The numeric identifier of the workflow." + }, + { + "name": "WorkflowRunId", + "type": "real", + "description": "The numeric identifier of the workflow run." + }, + { + "name": "EnvironmentName", + "type": "string", + "description": "The name of the deployment environment." + }, + { + "name": "IsHostedRunner", + "type": "boolean", + "description": "Whether the runner is a GitHub-hosted runner." + }, + { + "name": "JobName", + "type": "string", + "description": "The name of the workflow job." + }, + { + "name": "JobWorkflowRef", + "type": "string", + "description": "The reference to the reusable workflow used by the job." + }, + { + "name": "RunnerGroupId", + "type": "real", + "description": "The numeric identifier of the runner group." + }, + { + "name": "RunnerGroupName", + "type": "string", + "description": "The name of the runner group." + }, + { + "name": "RunnerId", + "type": "real", + "description": "The numeric identifier of the runner." + }, + { + "name": "RunnerLabels", + "type": "string", + "description": "The labels assigned to the runner." + }, + { + "name": "RunnerName", + "type": "string", + "description": "The name of the runner." + }, + { + "name": "SecretsPassed", + "type": "string", + "description": "The secrets passed to the workflow or job." + }, + { + "name": "HashedToken", + "type": "string", + "description": "The hashed token used for authentication." + }, + { + "name": "ProgrammaticAccessType", + "type": "string", + "description": "The type of programmatic access used." + }, + { + "name": "RequestAccessSecurityHeader", + "type": "string", + "description": "The security header of the access request." + }, + { + "name": "TokenId", + "type": "real", + "description": "The numeric identifier of the token." + }, + { + "name": "PullRequestId", + "type": "real", + "description": "The numeric identifier of the pull request." 
+ }, + { + "name": "PullRequestTitle", + "type": "string", + "description": "The title of the pull request." + }, + { + "name": "PullRequestUrl", + "type": "string", + "description": "The URL of the pull request." + }, + { + "name": "OldRolePermissions", + "type": "string", + "description": "The previous role permissions before the change." + }, + { + "name": "RolePermissions", + "type": "string", + "description": "The current role permissions." + }, + { + "name": "RequestId", + "type": "string", + "description": "The unique identifier of the request." + }, + { + "name": "BaseRole", + "type": "string", + "description": "The base role for the organization or repository." + }, + { + "name": "CustomPattern", + "type": "string", + "description": "The custom secret scanning pattern." + }, + { + "name": "Source", + "type": "string", + "description": "The source of the event." + }, + { + "name": "ActivityType", + "type": "string", + "description": "The type of activity that was performed." + }, + { + "name": "GhsaId", + "type": "string", + "description": "The GitHub Security Advisory identifier." + }, + { + "name": "Recipient", + "type": "string", + "description": "The recipient of the action." + }, + { + "name": "RunnerOwnerType", + "type": "string", + "description": "The type of the runner owner, for example organization or enterprise." + }, + { + "name": "OrganizationRoleId", + "type": "real", + "description": "The numeric identifier of the organization role." + }, + { + "name": "OrganizationRoleName", + "type": "string", + "description": "The name of the organization role." + }, + { + "name": "Owner", + "type": "string", + "description": "The owner of the resource." + }, + { + "name": "OldTokenExpiration", + "type": "real", + "description": "The previous token expiration timestamp." + }, + { + "name": "ExemptAdministrators", + "type": "boolean", + "description": "Whether administrators are exempt from the rule." 
+ }, + { + "name": "TokenExpiration", + "type": "real", + "description": "The token expiration timestamp." + }, + { + "name": "Policy", + "type": "string", + "description": "The policy associated with the event." + }, + { + "name": "ApplicationClientId", + "type": "string", + "description": "The client ID of the application." + }, + { + "name": "Integration", + "type": "string", + "description": "The integration associated with the event." + }, + { + "name": "RepositoriesRemoved", + "type": "string", + "description": "The repositories removed from the integration or configuration." + }, + { + "name": "RepositorySelection", + "type": "string", + "description": "The repository selection mode, for example all or selected." + }, + { + "name": "NewProjectBaseRole", + "type": "string", + "description": "The new base role for the project." + }, + { + "name": "OldProjectBaseRole", + "type": "string", + "description": "The previous base role for the project." + }, + { + "name": "ProjectId", + "type": "real", + "description": "The numeric identifier of the project." + }, + { + "name": "ProjectNumber", + "type": "real", + "description": "The project number." + }, + { + "name": "PublicProject", + "type": "boolean", + "description": "Whether the project is public." + }, + { + "name": "RulesetBypassActors", + "type": "string", + "description": "The actors that can bypass the ruleset." + }, + { + "name": "RulesetConditions", + "type": "string", + "description": "The conditions of the ruleset." + }, + { + "name": "RulesetEnforcement", + "type": "string", + "description": "The enforcement level of the ruleset." + }, + { + "name": "RulesetId", + "type": "real", + "description": "The numeric identifier of the ruleset." + }, + { + "name": "RulesetName", + "type": "string", + "description": "The name of the ruleset." + }, + { + "name": "RulesetRules", + "type": "string", + "description": "The rules defined in the ruleset." 
+ }, + { + "name": "RulesetSourceType", + "type": "string", + "description": "The source type of the ruleset, for example organization or repository." + }, + { + "name": "RulesetRulesDeleted", + "type": "string", + "description": "The rules deleted from the ruleset." + }, + { + "name": "RulesetConditionsUpdated", + "type": "string", + "description": "The updated conditions of the ruleset." + }, + { + "name": "AdminEnforced", + "type": "boolean", + "description": "Whether the branch protection rule is enforced for administrators." + }, + { + "name": "AllowDeletionsEnforcementLevel", + "type": "real", + "description": "The enforcement level for allowing branch deletions." + }, + { + "name": "AllowForcePushesEnforcementLevel", + "type": "real", + "description": "The enforcement level for allowing force pushes." + }, + { + "name": "AuthorizedActorNames", + "type": "string", + "description": "The names of actors authorized to bypass branch protection." + }, + { + "name": "CreateProtected", + "type": "boolean", + "description": "Whether branch creation is protected." + }, + { + "name": "DismissStaleReviewsOnPush", + "type": "boolean", + "description": "Whether stale pull request reviews are dismissed on new pushes." + }, + { + "name": "EnforcementLevel", + "type": "string", + "description": "The enforcement level of the protection rule." + }, + { + "name": "IgnoreApprovalsFromContributors", + "type": "boolean", + "description": "Whether approvals from contributors are ignored." + }, + { + "name": "LinearHistoryRequirementEnforcementLevel", + "type": "real", + "description": "The enforcement level for requiring linear commit history." + }, + { + "name": "LockAllowsFetchAndMerge", + "type": "boolean", + "description": "Whether locked branches allow fetch and merge." + }, + { + "name": "LockBranchEnforcementLevel", + "type": "real", + "description": "The enforcement level for branch locking." 
+ }, + { + "name": "MergeQueueEnforcementLevel", + "type": "real", + "description": "The enforcement level for merge queue." + }, + { + "name": "PullRequestReviewsEnforcementLevel", + "type": "real", + "description": "The enforcement level for pull request reviews." + }, + { + "name": "RequireCodeOwnerReview", + "type": "boolean", + "description": "Whether code owner review is required." + }, + { + "name": "RequireLastPushApproval", + "type": "boolean", + "description": "Whether approval from someone other than the last pusher is required." + }, + { + "name": "RequiredApprovingReviewCount", + "type": "real", + "description": "The number of required approving reviews." + }, + { + "name": "RequiredDeploymentsEnforcementLevel", + "type": "real", + "description": "The enforcement level for required deployments." + }, + { + "name": "RequiredReviewThreadResolutionEnforcementLevel", + "type": "real", + "description": "The enforcement level for required review thread resolution." + }, + { + "name": "RequiredStatusChecksEnforcementLevel", + "type": "real", + "description": "The enforcement level for required status checks." + }, + { + "name": "SignatureRequirementEnforcementLevel", + "type": "real", + "description": "The enforcement level for commit signature requirements." + }, + { + "name": "StrictRequiredStatusChecksPolicy", + "type": "boolean", + "description": "Whether strict required status checks policy is enabled." + }, + { + "name": "AllowedValues", + "type": "string", + "description": "The allowed values for a custom property." + }, + { + "name": "DefaultValue", + "type": "string", + "description": "The default value for a custom property." + }, + { + "name": "DefinitionId", + "type": "real", + "description": "The numeric identifier of the custom property definition." + }, + { + "name": "Description", + "type": "string", + "description": "The description of the resource or event." 
+ }, + { + "name": "PropertyName", + "type": "string", + "description": "The name of the custom property." + }, + { + "name": "ValueType", + "type": "string", + "description": "The data type of the custom property value." + }, + { + "name": "ValuesEditableBy", + "type": "string", + "description": "Who can edit the custom property values." + }, + { + "name": "OldValuesEditableBy", + "type": "string", + "description": "Who could previously edit the custom property values." + }, + { + "name": "OldDefaultValue", + "type": "string", + "description": "The previous default value for a custom property." + }, + { + "name": "OldRequired", + "type": "boolean", + "description": "Whether the custom property was previously required." + }, + { + "name": "Required", + "type": "boolean", + "description": "Whether the custom property is required." + }, + { + "name": "Enablement", + "type": "string", + "description": "The enablement state of a feature or configuration." + }, + { + "name": "OwnerType", + "type": "string", + "description": "The type of the owner, for example user or organization." + }, + { + "name": "CommitId", + "type": "string", + "description": "The commit identifier associated with the event." + }, + { + "name": "RuleSuiteId", + "type": "real", + "description": "The numeric identifier of the rule suite evaluation." + }, + { + "name": "Referrer", + "type": "string", + "description": "The referrer URL or source." + }, + { + "name": "Reasons", + "type": "string", + "description": "The reasons for the action or decision." + }, + { + "name": "OverriddenCodes", + "type": "string", + "description": "The codes that were overridden." + }, + { + "name": "After", + "type": "string", + "description": "The state after the change." + }, + { + "name": "Before", + "type": "string", + "description": "The state before the change." + }, + { + "name": "Branch", + "type": "string", + "description": "The branch associated with the event." 
+ }, + { + "name": "IssueTypeName", + "type": "string", + "description": "The name of the issue type." + }, + { + "name": "OldDescription", + "type": "string", + "description": "The previous description before the change." + }, + { + "name": "OldEnabled", + "type": "boolean", + "description": "Whether the feature was previously enabled." + }, + { + "name": "OldIssueTypeName", + "type": "string", + "description": "The previous issue type name before the change." + }, + { + "name": "NewAccess", + "type": "string", + "description": "The new access level after the change." + }, + { + "name": "OldAccess", + "type": "string", + "description": "The previous access level before the change." + }, + { + "name": "UpdatedAllowedTypes", + "type": "boolean", + "description": "Whether the allowed types were updated." + }, + { + "name": "NewPolicy", + "type": "string", + "description": "The new policy after the change." + }, + { + "name": "NewRepoRunnersPolicy", + "type": "string", + "description": "The new repository runners policy after the change." + }, + { + "name": "OldRepoRunnersPolicy", + "type": "string", + "description": "The previous repository runners policy." + }, + { + "name": "Limit", + "type": "real", + "description": "The limit value associated with the event." + }, + { + "name": "RunnerGroupRestrictedToWorkflows", + "type": "boolean", + "description": "Whether the runner group is restricted to specific workflows." + }, + { + "name": "RunnerGroupSelectedWorkflowRefs", + "type": "string", + "description": "The workflow references selected for the runner group." + }, + { + "name": "RunnerGroupAllowPublic", + "type": "boolean", + "description": "Whether the runner group allows public repositories." + }, + { + "name": "IpAllowListEntry", + "type": "string", + "description": "The IP allow list entry." + }, + { + "name": "TwoFactorMethod", + "type": "string", + "description": "The two-factor authentication method used." 
+ }, + { + "name": "AlertNumbers", + "type": "string", + "description": "The alert numbers associated with the event." + }, + { + "name": "CommitOid", + "type": "string", + "description": "The commit object identifier (OID)." + }, + { + "name": "Ref", + "type": "string", + "description": "The Git reference associated with the event." + }, + { + "name": "DefaultForNewPrivateRepos", + "type": "boolean", + "description": "Whether the configuration is the default for new private repositories." + }, + { + "name": "DefaultForNewPublicRepos", + "type": "boolean", + "description": "Whether the configuration is the default for new public repositories." + }, + { + "name": "DomainName", + "type": "string", + "description": "The domain name associated with the event." + }, + { + "name": "Key", + "type": "string", + "description": "The key associated with the event." + }, + { + "name": "SecurityConfigurationCodeScanning", + "type": "string", + "description": "The code scanning setting of the security configuration." + }, + { + "name": "SecurityConfigurationCodeSecuritySkuEnabled", + "type": "boolean", + "description": "Whether the code security SKU is enabled in the security configuration." + }, + { + "name": "SecurityConfigurationCreatedAt", + "type": "datetime", + "description": "The creation date of the security configuration." + }, + { + "name": "SecurityConfigurationDependabotAlerts", + "type": "string", + "description": "The Dependabot alerts setting of the security configuration." + }, + { + "name": "SecurityConfigurationDependabotSecurityUpdates", + "type": "string", + "description": "The Dependabot security updates setting of the security configuration." + }, + { + "name": "SecurityConfigurationDependencyGraph", + "type": "string", + "description": "The dependency graph setting of the security configuration." 
+ }, + { + "name": "SecurityConfigurationDependencyGraphAutosubmitAction", + "type": "string", + "description": "The dependency graph autosubmit action setting of the security configuration." + }, + { + "name": "SecurityConfigurationDescription", + "type": "string", + "description": "The description of the security configuration." + }, + { + "name": "SecurityConfigurationEnableGhas", + "type": "boolean", + "description": "Whether GitHub Advanced Security is enabled in the security configuration." + }, + { + "name": "SecurityConfigurationPrivateVulnerabilityReporting", + "type": "string", + "description": "The private vulnerability reporting setting of the security configuration." + }, + { + "name": "SecurityConfigurationSecretProtectionSkuEnabled", + "type": "boolean", + "description": "Whether the secret protection SKU is enabled in the security configuration." + }, + { + "name": "SecurityConfigurationSecretScanning", + "type": "string", + "description": "The secret scanning setting of the security configuration." + }, + { + "name": "SecurityConfigurationSecretScanningDelegatedBypass", + "type": "string", + "description": "The secret scanning delegated bypass setting of the security configuration." + }, + { + "name": "SecurityConfigurationSecretScanningGenericSecrets", + "type": "string", + "description": "The secret scanning generic secrets setting of the security configuration." + }, + { + "name": "SecurityConfigurationSecretScanningNonProviderPatterns", + "type": "string", + "description": "The secret scanning non-provider patterns setting of the security configuration." + }, + { + "name": "SecurityConfigurationSecretScanningPushProtection", + "type": "string", + "description": "The secret scanning push protection setting of the security configuration." + }, + { + "name": "SecurityConfigurationSecretScanningValidityChecks", + "type": "string", + "description": "The secret scanning validity checks setting of the security configuration." 
+ }, + { + "name": "SecurityConfigurationUpdatedAt", + "type": "datetime", + "description": "The last update date of the security configuration." + }, + { + "name": "ThreatModel", + "type": "string", + "description": "The threat model associated with the event." + }, + { + "name": "QuerySuite", + "type": "string", + "description": "The code scanning query suite." + }, + { + "name": "VulnerabilityAlertRuleActionsAlertActionsAutoDismiss", + "type": "string", + "description": "The auto-dismiss setting for vulnerability alert rule actions." + }, + { + "name": "VulnerabilityAlertRuleActionsVersion", + "type": "real", + "description": "The version of the vulnerability alert rule actions." + }, + { + "name": "VulnerabilityAlertRuleConditionsCwe", + "type": "string", + "description": "The CWE conditions for the vulnerability alert rule." + }, + { + "name": "VulnerabilityAlertRuleConditionsEcosystem", + "type": "string", + "description": "The ecosystem conditions for the vulnerability alert rule." + }, + { + "name": "VulnerabilityAlertRuleConditionsScope", + "type": "string", + "description": "The scope conditions for the vulnerability alert rule." + }, + { + "name": "VulnerabilityAlertRuleId", + "type": "real", + "description": "The numeric identifier of the vulnerability alert rule." + }, + { + "name": "VulnerabilityAlertRuleName", + "type": "string", + "description": "The name of the vulnerability alert rule." + }, + { + "name": "DismissalApproverId", + "type": "real", + "description": "The numeric identifier of the user who approved the dismissal." + }, + { + "name": "SsoUrl", + "type": "string", + "description": "The single sign-on URL." + }, + { + "name": "Issuer", + "type": "string", + "description": "The issuer of the SSO or SAML identity." + }, + { + "name": "ExternalIdentityUsername", + "type": "string", + "description": "The username of the external identity." 
+ }, + { + "name": "ExternalIdentityNameid", + "type": "string", + "description": "The NameID of the external identity." + }, + { + "name": "AuditLogStreamResult", + "type": "string", + "description": "The result of the audit log stream operation." + }, + { + "name": "AuditLogStreamSinkDetails", + "type": "string", + "description": "The details of the audit log stream sink." + }, + { + "name": "AuditLogStreamId", + "type": "real", + "description": "The numeric identifier of the audit log stream." + }, + { + "name": "AuditLogStreamSink", + "type": "string", + "description": "The sink type of the audit log stream." + }, + { + "name": "Repository", + "type": "string", + "description": "The name of the repository associated with the event." + }, + { + "name": "RepositoryId", + "type": "real", + "description": "The numeric identifier of the repository." + }, + { + "name": "TokenScopes", + "type": "string", + "description": "The scopes associated with the token used for authentication." + }, + { + "name": "RequestMethod", + "type": "string", + "description": "The HTTP request method, for example GET or POST." + }, + { + "name": "QueryString", + "type": "string", + "description": "The query string from the HTTP request URL." + }, + { + "name": "RequestBody", + "type": "string", + "description": "The body of the HTTP request." + }, + { + "name": "StatusCode", + "type": "real", + "description": "The HTTP response status code." + }, + { + "name": "UrlPath", + "type": "string", + "description": "The URL path of the HTTP request." + }, + { + "name": "Route", + "type": "string", + "description": "The API route associated with the event." + }, + { + "name": "RateLimitRemaining", + "type": "real", + "description": "The number of API rate limit requests remaining." + } + ] + } + } +} \ No newline at end of file 
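Review bot: `SecretsPassed` is described as `The secrets passed to the workflow or job.`, which reads as if secret values are stored in the workspace; GitHub's audit event carries the secret names rather than their values, so wording such as `The names of the secrets made available to the workflow job.` avoids mis-classifying the table as holding credentials. `TokenExpiration` and `OldTokenExpiration` are `real` with no unit stated, while `CreatedAt` spells out Unix milliseconds and `SecurityConfigurationCreatedAt`/`SecurityConfigurationUpdatedAt` are `datetime`; either state the unit in the description or model them as `datetime` so expiry queries do not have to guess. `RequestBody` and `QueryString` hold raw HTTP request content, which for the API-request events that populate them can include tokens or personal data; saying so in the description lets workspace owners decide deliberately on a DCR transformation or table-level access control. The identifier columns (`OrgId`, `ActorId`, `RepoId`, `TokenId`, and the other `*Id` fields) are typed `real`; a floating-point type is lossy above 2^53 and awkward for equality joins, and `long` is a supported column type for custom Log Analytics tables. The new file also ends without a trailing newline, which this same commit fixes for table_GitHubAuditLogsV2.json.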
diff --git a/Solutions/GitHub/Package/3.4.0.zip b/Solutions/GitHub/Package/3.4.0.zip
new file mode 100644
index 00000000000..2f40ce9b0d8
Binary files /dev/null and b/Solutions/GitHub/Package/3.4.0.zip differ
diff --git a/Solutions/GitHub/Package/mainTemplate.json b/Solutions/GitHub/Package/mainTemplate.json
index 674fc3207be..692996f40fc 100644
--- a/Solutions/GitHub/Package/mainTemplate.json
+++ b/Solutions/GitHub/Package/mainTemplate.json
@@ -63,7 +63,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "GitHub",
- "_solutionVersion": "3.3.1",
+ "_solutionVersion": "3.4.0",
 "solutionId": "microsoftcorporation1622712991604.sentinel4github",
 "_solutionId": "[variables('solutionId')]",
 "workbookVersion1": "1.0.1",
@@ -221,7 +221,7 @@
 "_parserName1": "[concat(parameters('workspace'),'/','GitHubAuditData')]",
 "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'GitHubAuditData')]",
 "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('GitHubAuditData-Parser')))]",
- "parserVersion1": "1.0.0",
+ "parserVersion1": "1.1.0",
 "parserContentId1": "GitHubAuditData-Parser"
 },
 "parserObject2": {
@@ -252,7 +252,7 @@
 "parserVersion5": "1.0.0",
 "parserContentId5": "githubscanaudit-Parser"
 },
- "dataConnectorCCPVersion": "3.3.1",
+ "dataConnectorCCPVersion": "3.4.0",
 "_dataConnectorContentIdConnectorDefinition1": "GitHubAuditBlobConnector",
 "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]",
 "_dataConnectorContentIdConnections1": "GitHubAuditBlobConnectorConnections",
@@ -303,7 +303,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GitHubAdvancedSecurity Workbook with template version 3.3.1",
+ "description": "GitHubAdvancedSecurity Workbook with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -391,7 +391,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GitHub Workbook with template version 3.3.1",
+ "description": "GitHub Workbook with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion2')]",
@@ -479,7 +479,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GitHub - A payment method was removed_AnalyticalRules Analytics Rule with template version 3.3.1",
+ "description": "GitHub - A payment method was removed_AnalyticalRules Analytics Rule with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -505,7 +505,6 @@
 "triggerOperator": "GreaterThan",
 "triggerThreshold": 0,
 "status": "Available",
- "requiredDataConnectors": [],
 "tactics": [
 "InitialAccess"
 ],
@@ -514,21 +513,21 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Actor"
+ "columnName": "Actor",
+ "identifier": "FullName"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -584,7 +583,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GitHub - Activities from Infrequent Country_AnalyticalRules Analytics Rule with template version 3.3.1",
+ "description": "GitHub - Activities from Infrequent Country_AnalyticalRules Analytics Rule with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -610,7 +609,6 @@
 "triggerOperator": "GreaterThan",
 "triggerThreshold": 0,
 "status": "Available",
- "requiredDataConnectors": [],
 "tactics": [
 "InitialAccess"
 ],
@@ -619,21 +617,21 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Actor"
+ "columnName": "Actor",
+ "identifier": "FullName"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -689,7 +687,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GitHub - Oauth application - a client secret was removed_AnalyticalRules Analytics Rule with template version 3.3.1",
+ "description": "GitHub - Oauth application - a client secret was removed_AnalyticalRules Analytics Rule with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -715,7 +713,6 @@
 "triggerOperator": "GreaterThan",
 "triggerThreshold": 0,
 "status": "Available",
- "requiredDataConnectors": [],
 "tactics": [
 "InitialAccess"
 ],
@@ -724,21 +721,21 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Actor"
+ "columnName": "Actor",
+ "identifier": "FullName"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -794,7 +791,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GitHub - Repository was created_AnalyticalRules Analytics Rule with template version 3.3.1",
+ "description": "GitHub - Repository was created_AnalyticalRules Analytics Rule with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -820,7 +817,6 @@
 "triggerOperator": "GreaterThan",
 "triggerThreshold": 0,
 "status": "Available",
- "requiredDataConnectors": [],
 "tactics": [
 "InitialAccess"
 ],
@@ -829,21 +825,21 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Actor"
+ "columnName": "Actor",
+ "identifier": "FullName"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -899,7 +895,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GitHub - Repository was destroyed_AnalyticalRules Analytics Rule with template version 3.3.1",
+ "description": "GitHub - Repository was destroyed_AnalyticalRules Analytics Rule with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -925,7 +921,6 @@
 "triggerOperator": "GreaterThan",
 "triggerThreshold": 0,
 "status": "Available",
- "requiredDataConnectors": [],
 "tactics": [
 "InitialAccess"
 ],
@@ -934,21 +929,21 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Actor"
+ "columnName": "Actor",
+ "identifier": "FullName"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1004,7 +999,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GitHub - Two Factor Authentication Disabled in GitHub_AnalyticalRules Analytics Rule with template version 3.3.1",
+ "description": "GitHub - Two Factor Authentication Disabled in GitHub_AnalyticalRules Analytics Rule with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -1030,7 +1025,6 @@
 "triggerOperator": "GreaterThan",
 "triggerThreshold": 0,
 "status": "Available",
- "requiredDataConnectors": [],
 "tactics": [
 "DefenseEvasion"
 ],
@@ -1039,21 +1033,21 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Actor"
+ "columnName": "Actor",
+ "identifier": "FullName"
 },
 {
- "identifier": "Name",
- "columnName": "Name"
+ "columnName": "Name",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1109,7 +1103,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GitHub - User visibility Was changed_AnalyticalRules Analytics Rule with template version 3.3.1",
+ "description": "GitHub - User visibility Was changed_AnalyticalRules Analytics Rule with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -1135,7 +1129,6 @@
 "triggerOperator": "GreaterThan",
 "triggerThreshold": 0,
 "status": "Available",
- "requiredDataConnectors": [],
 "tactics": [
 "InitialAccess"
 ],
@@ -1144,21 +1137,21 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Actor"
+ "columnName": "Actor",
+ "identifier": "FullName"
 },
 {
- "identifier": "Name",
- "columnName": "Name"
+ "columnName": "Name",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1214,7 +1207,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GitHub - User was added to the organization_AnalyticalRules Analytics Rule with template version 3.3.1",
+ "description": "GitHub - User was added to the organization_AnalyticalRules Analytics Rule with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -1240,7 +1233,6 @@
 "triggerOperator": "GreaterThan",
 "triggerThreshold": 0,
 "status": "Available",
- "requiredDataConnectors": [],
 "tactics": [
 "InitialAccess"
 ],
@@ -1249,21 +1241,21 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Actor"
+ "columnName": "Actor",
+ "identifier": "FullName"
 },
 {
- "identifier": "Name",
- "columnName": "Name"
+ "columnName": "Name",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1319,7 +1311,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GitHub - User was blocked_AnalyticalRules Analytics Rule with template version 3.3.1",
+ "description": "GitHub - User was blocked_AnalyticalRules Analytics Rule with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -1345,7 +1337,6 @@
 "triggerOperator": "GreaterThan",
 "triggerThreshold": 0,
 "status": "Available",
- "requiredDataConnectors": [],
 "tactics": [
 "InitialAccess"
 ],
@@ -1354,21 +1345,21 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Actor"
+ "columnName": "Actor",
+ "identifier": "FullName"
 },
 {
- "identifier": "Name",
- "columnName": "Name"
+ "columnName": "Name",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1424,7 +1415,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GitHub - User was invited to the repository_AnalyticalRules Analytics Rule with template version 3.3.1",
+ "description": "GitHub - User was invited to the repository_AnalyticalRules Analytics Rule with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
@@ -1450,7 +1441,6 @@
 "triggerOperator": "GreaterThan",
 "triggerThreshold": 0,
 "status": "Available",
- "requiredDataConnectors": [],
 "tactics": [
 "InitialAccess"
 ],
@@ -1459,21 +1449,21 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Actor"
+ "columnName": "Actor",
+ "identifier": "FullName"
 },
 {
- "identifier": "Name",
- "columnName": "Name"
+ "columnName": "Name",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1529,7 +1519,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GitHub - pull request was created_AnalyticalRules Analytics Rule with template version 3.3.1",
+ "description": "GitHub - pull request was created_AnalyticalRules Analytics Rule with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]",
@@ -1555,7 +1545,6 @@
 "triggerOperator": "GreaterThan",
 "triggerThreshold": 0,
 "status": "Available",
- "requiredDataConnectors": [],
 "tactics": [
 "InitialAccess"
 ],
@@ -1564,21 +1553,21 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Actor"
+ "columnName": "Actor",
+ "identifier": "FullName"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1634,7 +1623,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GitHub - pull request was merged_AnalyticalRules Analytics Rule with template version 3.3.1",
+ "description": "GitHub - pull request was merged_AnalyticalRules Analytics Rule with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]",
@@ -1660,7 +1649,6 @@
 "triggerOperator": "GreaterThan",
 "triggerThreshold": 0,
 "status": "Available",
- "requiredDataConnectors": [],
 "tactics": [
 "InitialAccess"
 ],
@@ -1669,21 +1657,21 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Actor"
+ "columnName": "Actor",
+ "identifier": "FullName"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "AccountUPNSuffix"
+ "columnName": "AccountUPNSuffix",
+ "identifier": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1739,7 +1727,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NRT Two Factor Authentication Disabled_AnalyticalRules Analytics Rule with template version 3.3.1",
+ "description": "NRT Two Factor Authentication Disabled_AnalyticalRules Analytics Rule with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]",
@@ -1761,7 +1749,6 @@
 "suppressionDuration": "PT1H",
 "suppressionEnabled": false,
 "status": "Available",
- "requiredDataConnectors": [],
 "tactics": [
 "DefenseEvasion"
 ],
@@ -1770,21 +1757,21 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Actor"
+ "columnName": "Actor",
+ "identifier": "FullName"
 },
 {
- "identifier": "Name",
- "columnName": "Name"
+ "columnName": "Name",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1840,7 +1827,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Security Vulnerability in Repo_AnalyticalRules Analytics Rule with template version 3.3.1",
+ "description": "Security Vulnerability in Repo_AnalyticalRules Analytics Rule with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]",
@@ -1866,7 +1853,6 @@
 "triggerOperator": "GreaterThan",
 "triggerThreshold": 0,
 "status": "Available",
- "requiredDataConnectors": [],
 "tactics": [
 "InitialAccess",
 "Execution",
@@ -1885,13 +1871,13 @@
 ],
 "entityMappings": [
 {
+ "entityType": "URL",
 "fieldMappings": [
 {
- "identifier": "Url",
- "columnName": "Link"
+ "columnName": "Link",
+ "identifier": "Url"
 }
- ],
- "entityType": "URL"
+ ]
 }
 ]
 }
@@ -1947,7 +1933,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "First Time User Invite and Add Member to Org_HuntingQueries Hunting Query with template version 3.3.1",
+ "description": "First Time User Invite and Add Member to Org_HuntingQueries Hunting Query with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -2032,7 +2018,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Inactive or New Account Usage_HuntingQueries Hunting Query with template version 3.3.1",
+ "description": "Inactive or New Account Usage_HuntingQueries Hunting Query with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -2117,7 +2103,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Mass Deletion of Repositories _HuntingQueries Hunting Query with template version 3.3.1",
+ "description": "Mass Deletion of Repositories _HuntingQueries Hunting Query with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -2202,7 +2188,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Oauth App Restrictions Disabled_HuntingQueries Hunting Query with template version 3.3.1",
+ "description": "Oauth App Restrictions Disabled_HuntingQueries Hunting Query with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -2287,7 +2273,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Org Repositories Default Permissions Change_HuntingQueries Hunting Query with template version 3.3.1",
+ "description": "Org Repositories Default Permissions Change_HuntingQueries Hunting Query with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -2372,7 +2358,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Repository Permission Switched to Public_HuntingQueries Hunting Query with template version 3.3.1",
+ "description": "Repository Permission Switched to Public_HuntingQueries Hunting Query with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -2457,7 +2443,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "User First Time Repository Delete Activity_HuntingQueries Hunting Query with template version 3.3.1",
+ "description": "User First Time Repository Delete Activity_HuntingQueries Hunting Query with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -2542,7 +2528,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "User Grant Access and Grants Other Access_HuntingQueries Hunting Query with template version 3.3.1",
+ "description": "User Grant Access and Grants Other Access_HuntingQueries Hunting Query with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -2627,7 +2613,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GitHubAuditData Data Parser with template version 3.3.1",
+ "description": "GitHubAuditData Data Parser with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -2644,7 +2630,7 @@
 "displayName": "Parser for GitHubAuditData",
 "category": "Microsoft Sentinel Parser",
 "functionAlias": "GitHubAuditData",
- "query": "let GitHubAuditLogPolling_view = view () {\nGitHubAuditLogPolling_CL\n | extend \n TimeGenerated=unixtime_milliseconds_todatetime(created_at_d),\n Organization=column_ifexists('org_s', ''),\n Action=column_ifexists('action_s', ''),\n Repository=column_ifexists('repo_s', ''),\n Actor=column_ifexists('actor_s', ''),\n Country=column_ifexists('actor_location_country_code_s', ''),\n ImpactedUser=column_ifexists('user_s', ''),\n InvitedUserPermission=column_ifexists('permission_s', ''),\n Visibility=column_ifexists('visibility_s', ''),\n PreviousVisibility=column_ifexists('previous_visibility_s', ''),\n CurrentPermission=column_ifexists('permission_s', ''),\n PreviousPermission=column_ifexists('old_permission_s', ''),\n TeamName=column_ifexists('team_s', ''),\n BlockedUser=column_ifexists('blocked_user_s', '')\n};\nlet GitHubAuditLogsV2_view = view () {\nGitHubAuditLogsV2_CL\n | extend \n TimeGenerated=unixtime_milliseconds_todatetime(CreatedAt),\n Organization=column_ifexists('Org', ''),\n Action=column_ifexists('Action', ''),\n Repository=column_ifexists('Repo', ''),\n Actor=column_ifexists('Actor', ''),\n Country=column_ifexists('CountryCode', ''),\n ImpactedUser=column_ifexists('User', ''),\n InvitedUserPermission=column_ifexists('Permission', ''),\n Visibility=column_ifexists('Visibility', ''),\n PreviousVisibility=column_ifexists('PreviousVisibility', ''),\n CurrentPermission=column_ifexists('Permission', ''),\n PreviousPermission=column_ifexists('OldPermission', ''),\n TeamName=column_ifexists('Team', ''),\n BlockedUser=column_ifexists('BlockedUser', '')\n};\nunion isfuzzy=true (GitHubAuditLogPolling_view), (GitHubAuditLogsV2_view)\n | project\n TimeGenerated,\n Organization,\n Action,\n Repository,\n Actor,\n Country,\n ImpactedUser,\n InvitedUserPermission,\n Visibility,\n PreviousVisibility,\n 
CurrentPermission,\n PreviousPermission,\n TeamName,\n BlockedUser\n | project-reorder TimeGenerated, Organization, Action, Repository, Actor, Country, ImpactedUser, InvitedUserPermission, Visibility, PreviousVisibility, CurrentPermission, PreviousPermission, TeamName, BlockedUser\n",
+ "query": "let GitHubAuditLogPolling_view = view () {\nGitHubAuditLogPolling_CL\n | extend \n TimeGenerated=unixtime_milliseconds_todatetime(created_at_d),\n Organization=column_ifexists('org_s', ''),\n Action=column_ifexists('action_s', ''),\n Repository=column_ifexists('repo_s', ''),\n Actor=column_ifexists('actor_s', ''),\n Country=column_ifexists('actor_location_country_code_s', ''),\n ImpactedUser=column_ifexists('user_s', ''),\n InvitedUserPermission=column_ifexists('permission_s', ''),\n Visibility=column_ifexists('visibility_s', ''),\n PreviousVisibility=column_ifexists('previous_visibility_s', ''),\n CurrentPermission=column_ifexists('permission_s', ''),\n PreviousPermission=column_ifexists('old_permission_s', ''),\n TeamName=column_ifexists('team_s', ''),\n BlockedUser=column_ifexists('blocked_user_s', '')\n};\nlet GitHubAuditLogsV2_view = view () {\nGitHubAuditLogsV2_CL\n | extend \n TimeGenerated=unixtime_milliseconds_todatetime(CreatedAt),\n Organization=column_ifexists('Org', ''),\n Action=column_ifexists('Action', ''),\n Repository=column_ifexists('Repo', ''),\n Actor=column_ifexists('Actor', ''),\n Country=column_ifexists('CountryCode', ''),\n ImpactedUser=column_ifexists('User', ''),\n InvitedUserPermission=column_ifexists('Permission', ''),\n Visibility=column_ifexists('Visibility', ''),\n PreviousVisibility=column_ifexists('PreviousVisibility', ''),\n CurrentPermission=column_ifexists('Permission', ''),\n PreviousPermission=column_ifexists('OldPermission', ''),\n TeamName=column_ifexists('Team', ''),\n BlockedUser=column_ifexists('BlockedUser', '')\n};\nlet GitHubAuditLogsV3_view = view () {\nGitHubAuditLogsV3_CL\n | extend \n 
TimeGenerated=unixtime_milliseconds_todatetime(CreatedAt),\n Organization=column_ifexists('Org', ''),\n Action=column_ifexists('Action', ''),\n Repository=column_ifexists('Repo', ''),\n Actor=column_ifexists('Actor', ''),\n Country=column_ifexists('CountryCode', ''),\n ImpactedUser=column_ifexists('User', ''),\n InvitedUserPermission=column_ifexists('Permission', ''),\n Visibility=column_ifexists('Visibility', ''),\n PreviousVisibility=column_ifexists('PreviousVisibility', ''),\n CurrentPermission=column_ifexists('Permission', ''),\n PreviousPermission=column_ifexists('OldPermission', ''),\n TeamName=column_ifexists('Team', ''),\n BlockedUser=column_ifexists('BlockedUser', '')\n};\nunion isfuzzy=true (GitHubAuditLogPolling_view), (GitHubAuditLogsV2_view), (GitHubAuditLogsV3_view)\n | project\n TimeGenerated,\n Organization,\n Action,\n Repository,\n Actor,\n Country,\n ImpactedUser,\n InvitedUserPermission,\n Visibility,\n PreviousVisibility,\n CurrentPermission,\n PreviousPermission,\n TeamName,\n BlockedUser\n | project-reorder TimeGenerated, Organization, Action, Repository, Actor, Country, ImpactedUser, InvitedUserPermission, Visibility, PreviousVisibility, CurrentPermission, PreviousPermission, TeamName, BlockedUser\n",
 "functionParameters": "",
 "version": 2,
 "tags": [
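Review bot: The new `GitHubAuditLogsV3_view` keeps `Repository=column_ifexists('Repo', '')` copied verbatim from the V2 view, while the V3 table definition earlier in this diff declares a column named `Repository` and no `Repo` column is visible there; if V3 rows carry `Repository` rather than `Repo`, the parser yields an empty `Repository` for every V3 event and any rule or hunting query keyed on it silently loses coverage. The V3 column list should be checked field by field against the V3 table before the parser version is bumped, changing the line to `Repository=column_ifexists('Repository', column_ifexists('Repo', ''))` if both spellings have to be tolerated. The same applies to `TimeGenerated=unixtime_milliseconds_todatetime(CreatedAt)`, which assumes the V3 `CreatedAt` is epoch milliseconds as in V2 and is not confirmed by the visible V3 columns. The identical copy appears in the second parser hunk at L51–L52, which runs past the end of this view.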
@@ -2694,8 +2680,8 @@
 "contentId": "[variables('parserObject1').parserContentId1]",
 "contentKind": "Parser",
 "displayName": "Parser for GitHubAuditData",
- "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
- "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]",
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.1.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.1.0')))]",
 "version": "[variables('parserObject1').parserVersion1]"
 }
 },
@@ -2709,7 +2695,7 @@ "displayName": "Parser for GitHubAuditData", "category": "Microsoft Sentinel Parser", "functionAlias": "GitHubAuditData", - "query": "let GitHubAuditLogPolling_view = view () {\nGitHubAuditLogPolling_CL\n | extend \n TimeGenerated=unixtime_milliseconds_todatetime(created_at_d),\n Organization=column_ifexists('org_s', ''),\n Action=column_ifexists('action_s', ''),\n Repository=column_ifexists('repo_s', ''),\n Actor=column_ifexists('actor_s', ''),\n Country=column_ifexists('actor_location_country_code_s', ''),\n ImpactedUser=column_ifexists('user_s', ''),\n InvitedUserPermission=column_ifexists('permission_s', ''),\n Visibility=column_ifexists('visibility_s', ''),\n PreviousVisibility=column_ifexists('previous_visibility_s', ''),\n CurrentPermission=column_ifexists('permission_s', ''),\n PreviousPermission=column_ifexists('old_permission_s', ''),\n TeamName=column_ifexists('team_s', ''),\n BlockedUser=column_ifexists('blocked_user_s', '')\n};\nlet GitHubAuditLogsV2_view = view () {\nGitHubAuditLogsV2_CL\n | extend \n TimeGenerated=unixtime_milliseconds_todatetime(CreatedAt),\n Organization=column_ifexists('Org', ''),\n Action=column_ifexists('Action', ''),\n Repository=column_ifexists('Repo', ''),\n Actor=column_ifexists('Actor', ''),\n Country=column_ifexists('CountryCode', ''),\n ImpactedUser=column_ifexists('User', ''),\n InvitedUserPermission=column_ifexists('Permission', ''),\n Visibility=column_ifexists('Visibility', ''),\n PreviousVisibility=column_ifexists('PreviousVisibility', ''),\n CurrentPermission=column_ifexists('Permission', ''),\n PreviousPermission=column_ifexists('OldPermission', ''),\n TeamName=column_ifexists('Team', ''),\n BlockedUser=column_ifexists('BlockedUser', '')\n};\nunion isfuzzy=true (GitHubAuditLogPolling_view), (GitHubAuditLogsV2_view)\n | project\n TimeGenerated,\n Organization,\n Action,\n Repository,\n Actor,\n Country,\n ImpactedUser,\n InvitedUserPermission,\n Visibility,\n PreviousVisibility,\n 
CurrentPermission,\n PreviousPermission,\n TeamName,\n BlockedUser\n | project-reorder TimeGenerated, Organization, Action, Repository, Actor, Country, ImpactedUser, InvitedUserPermission, Visibility, PreviousVisibility, CurrentPermission, PreviousPermission, TeamName, BlockedUser\n", + "query": "let GitHubAuditLogPolling_view = view () {\nGitHubAuditLogPolling_CL\n | extend \n TimeGenerated=unixtime_milliseconds_todatetime(created_at_d),\n Organization=column_ifexists('org_s', ''),\n Action=column_ifexists('action_s', ''),\n Repository=column_ifexists('repo_s', ''),\n Actor=column_ifexists('actor_s', ''),\n Country=column_ifexists('actor_location_country_code_s', ''),\n ImpactedUser=column_ifexists('user_s', ''),\n InvitedUserPermission=column_ifexists('permission_s', ''),\n Visibility=column_ifexists('visibility_s', ''),\n PreviousVisibility=column_ifexists('previous_visibility_s', ''),\n CurrentPermission=column_ifexists('permission_s', ''),\n PreviousPermission=column_ifexists('old_permission_s', ''),\n TeamName=column_ifexists('team_s', ''),\n BlockedUser=column_ifexists('blocked_user_s', '')\n};\nlet GitHubAuditLogsV2_view = view () {\nGitHubAuditLogsV2_CL\n | extend \n TimeGenerated=unixtime_milliseconds_todatetime(CreatedAt),\n Organization=column_ifexists('Org', ''),\n Action=column_ifexists('Action', ''),\n Repository=column_ifexists('Repo', ''),\n Actor=column_ifexists('Actor', ''),\n Country=column_ifexists('CountryCode', ''),\n ImpactedUser=column_ifexists('User', ''),\n InvitedUserPermission=column_ifexists('Permission', ''),\n Visibility=column_ifexists('Visibility', ''),\n PreviousVisibility=column_ifexists('PreviousVisibility', ''),\n CurrentPermission=column_ifexists('Permission', ''),\n PreviousPermission=column_ifexists('OldPermission', ''),\n TeamName=column_ifexists('Team', ''),\n BlockedUser=column_ifexists('BlockedUser', '')\n};\nlet GitHubAuditLogsV3_view = view () {\nGitHubAuditLogsV3_CL\n | extend \n 
TimeGenerated=unixtime_milliseconds_todatetime(CreatedAt),\n Organization=column_ifexists('Org', ''),\n Action=column_ifexists('Action', ''),\n Repository=column_ifexists('Repo', ''),\n Actor=column_ifexists('Actor', ''),\n Country=column_ifexists('CountryCode', ''),\n ImpactedUser=column_ifexists('User', ''),\n InvitedUserPermission=column_ifexists('Permission', ''),\n Visibility=column_ifexists('Visibility', ''),\n PreviousVisibility=column_ifexists('PreviousVisibility', ''),\n CurrentPermission=column_ifexists('Permission', ''),\n PreviousPermission=column_ifexists('OldPermission', ''),\n TeamName=column_ifexists('Team', ''),\n BlockedUser=column_ifexists('BlockedUser', '')\n};\nunion isfuzzy=true (GitHubAuditLogPolling_view), (GitHubAuditLogsV2_view), (GitHubAuditLogsV3_view)\n | project\n TimeGenerated,\n Organization,\n Action,\n Repository,\n Actor,\n Country,\n ImpactedUser,\n InvitedUserPermission,\n Visibility,\n PreviousVisibility,\n CurrentPermission,\n PreviousPermission,\n TeamName,\n BlockedUser\n | project-reorder TimeGenerated, Organization, Action, Repository, Actor, Country, ImpactedUser, InvitedUserPermission, Visibility, PreviousVisibility, CurrentPermission, PreviousPermission, TeamName, BlockedUser\n", "functionParameters": "", "version": 2, "tags": [ @@ -2759,7 +2745,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GitHubCodeScanningData Data Parser with template version 3.3.1", + "description": "GitHubCodeScanningData Data Parser with template version 3.4.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject2').parserVersion2]", 
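Review bot: The new `GitHubAuditLogsV3_view` projects only the same 14 legacy columns as the V2 view, so the security-relevant fields the V3 transform in the following hunk emits (`ActorIp`, `UserAgent`, `HashedToken`, `TokenScopes`, `ActorIsBot`) never reach `GitHubAuditData` consumers, and any analytics rule built on the parser still cannot pivot on source IP or token. Because every view already uses `column_ifexists`, adding for example `ActorIp=column_ifexists('ActorIp', '')` in the V2/V3 views (`actor_ip_s` in the polling view) and appending `ActorIp` to the `project` list is backward compatible for existing queries. The V2 and V3 views are byte-identical apart from the table name; `union isfuzzy=true (GitHubAuditLogsV2_CL), (GitHubAuditLogsV3_CL) | extend …` as a single view would halve the duplicated column mapping. If both the V2 and V3 data flows are active during a migration, the three-way union presumably returns each event twice; the parser description could state that no deduplication is performed.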
@@ -2891,7 +2877,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GitHubDependabotData Data Parser with template version 3.3.1",
+ "description": "GitHubDependabotData Data Parser with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject3').parserVersion3]",
@@ -3023,7 +3009,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GitHubSecretScanningData Data Parser with template version 3.3.1",
+ "description": "GitHubSecretScanningData Data Parser with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject4').parserVersion4]",
@@ -3155,7 +3141,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GitHubScanAudit Data Parser with template version 3.3.1",
+ "description": "GitHubScanAudit Data Parser with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject5').parserVersion5]",
@@ -3312,19 +3298,19 @@ { "metricName": "Total events received", "legend": "GitHubAuditLogEvents", - "baseQuery": "GitHubAuditLogsV2_CL" + "baseQuery": "GitHubAuditLogsV3_CL" } ], "sampleQueries": [ { "description": "GitHub Audit Logs", - "query": "GitHubAuditLogsV2_CL | take 10" + "query": "GitHubAuditLogsV3_CL | take 10" } ], "dataTypes": [ { - "name": "GitHubAuditLogsV2_CL", - "lastDataReceivedQuery": "GitHubAuditLogsV2_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + "name": "GitHubAuditLogsV3_CL", + "lastDataReceivedQuery": "GitHubAuditLogsV3_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" } ], "connectivityCriteria": [ @@ -3394,7 +3380,7 @@ "type": "Textbox", "parameters": { "label": "The blob container URL you want to collect data from", - "placeholder": "", + "placeholder": "Enter blob container URL", "type": "text", "name": "blobContainerUri" } @@ -3403,7 +3389,7 @@ "type": "Textbox", "parameters": { "label": "The blob folder name in the container. Optional.", - "placeholder": "", + "placeholder": "optional-folder-name", "type": "text", "name": "blobFolderName" } @@ -3430,7 +3416,7 @@ "type": "Textbox", "parameters": { "label": "The blob container's storage account subscription id", - "placeholder": "", + "placeholder": "00000000-0000-0000-0000-000000000000", "type": "text", "name": "StorageAccountSubscription" } @@ -3439,7 +3425,7 @@ "type": "Textbox", "parameters": { "label": "The Event Grid system topic name for the storage account, if one exists; otherwise, leave empty.", - "placeholder": "", + "placeholder": "eg-system-topic-name", "type": "text", "name": "EGSystemTopicName", "description": "The data flow uses Event Grid to send blob-created event notifications. There can be only one Event Grid system topic per storage account.\nNavigate to your storage account and check the **Events** section. If a topic already exists, provide its name. Otherwise, leave this field empty." 
@@ -3457,18 +3443,15 @@ }, { "title": "Blob Lifecycle Policy (Recommended)", - "description": "To prevent unbounded storage growth, configure a [lifecycle management policy](https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview) on your storage account to automatically delete blobs after a retention period (for example, 7 days). Once the connector ingests the audit logs into Microsoft Sentinel, the source blobs are no longer needed.\n\nTo create a lifecycle rule scoped to your container:\n1. Navigate to your **Storage Account** -> **Data management** -> **Lifecycle management**.\n2. Click **Add a rule** and configure:\n - **Rule name:** for example, `github-audit-cleanup`\n - **Rule scope:** Select **Limit blobs with filters** and set the **Prefix match** to your container name (for example, `my-container/`). This ensures the rule applies only to blobs in that container.\n - **Blob type:** Block blobs.\n - **Base blobs:** Delete blobs that were last modified more than **7 days** ago (adjust as needed).\n3. Save the rule.\n\n> **Note:** Each storage account has a single management policy that can contain multiple rules. Each rule can target a specific container via prefix filters. If you already have a lifecycle policy, add a new rule to the existing policy rather than creating a new one.", - "instructions": [] + "description": "To prevent unbounded storage growth, configure a [lifecycle management policy](https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview) on your storage account to automatically delete blobs after a retention period (for example, 7 days). Once the connector ingests the audit logs into Microsoft Sentinel, the source blobs are no longer needed.\n\nTo create a lifecycle rule scoped to your container:\n1. Navigate to your **Storage Account** -> **Data management** -> **Lifecycle management**.\n2. 
Click **Add a rule** and configure:\n - **Rule name:** for example, `github-audit-cleanup`\n - **Rule scope:** Select **Limit blobs with filters** and set the **Prefix match** to your container name (for example, `my-container/`). This ensures the rule applies only to blobs in that container.\n - **Blob type:** Block blobs.\n - **Base blobs:** Delete blobs that were last modified more than **7 days** ago (adjust as needed).\n3. Save the rule.\n\n> **Note:** Each storage account has a single management policy that can contain multiple rules. Each rule can target a specific container via prefix filters. If you already have a lifecycle policy, add a new rule to the existing policy rather than creating a new one." }, { "title": "Reference", - "description": "For detailed instructions on setting up the Azure Storage connector to stream logs to Microsoft Sentinel, see [Set up Azure Storage connector](https://learn.microsoft.com/en-us/azure/sentinel/setup-azure-storage-connector).", - "instructions": [] + "description": "For detailed instructions on setting up the Azure Storage connector to stream logs to Microsoft Sentinel, see [Set up Azure Storage connector](https://learn.microsoft.com/en-us/azure/sentinel/setup-azure-storage-connector)." 
}, { "title": "Troubleshooting", - "description": "If you encounter issues with data ingestion:\n- **Enable the health feature** - If the connector health feature isn't enabled, enable it to monitor connector status and detect issues early.\n- **Enable diagnostic logs** - Consider enabling diagnostic logs for both the **Storage Account** and **Event Grid** resources to help identify and troubleshoot health issues.\n- For more details, see [Troubleshoot Azure Storage Blob connector issues](https://review.learn.microsoft.com/en-us/azure/sentinel/azure-storage-blob-connector-troubleshoot?branch=main).", - "instructions": [] + "description": "If you encounter issues with data ingestion:\n- **Enable the health feature** - If the connector health feature isn't enabled, enable it to monitor connector status and detect issues early.\n- **Enable diagnostic logs** - Consider enabling diagnostic logs for both the **Storage Account** and **Event Grid** resources to help identify and troubleshoot health issues.\n- For more details, see [Troubleshoot Azure Storage Blob connector issues](https://review.learn.microsoft.com/en-us/azure/sentinel/azure-storage-blob-connector-troubleshoot?branch=main)." } ] } @@ -4444,6 +4427,46 @@ "name": "audit_log_stream_sink", "type": "string" }, + { + "name": "repository", + "type": "string" + }, + { + "name": "repository_id", + "type": "real" + }, + { + "name": "token_scopes", + "type": "string" + }, + { + "name": "request_method", + "type": "string" + }, + { + "name": "query_string", + "type": "string" + }, + { + "name": "request_body", + "type": "string" + }, + { + "name": "status_code", + "type": "real" + }, + { + "name": "url_path", + "type": "string" + }, + { + "name": "route", + "type": "string" + }, + { + "name": "rate_limit_remaining", + "type": "real" + }, { "name": "actor_location", "type": "dynamic" 
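Review bot: The rewritten Troubleshooting step still links to `https://review.learn.microsoft.com/en-us/azure/sentinel/azure-storage-blob-connector-troubleshoot?branch=main`, which is the pre-publication review host and normally requires Microsoft-internal sign-in, so a customer clicking it from the connector UI gets a login wall or 404 rather than the article. If the page is published, change the link to `https://learn.microsoft.com/en-us/azure/sentinel/azure-storage-blob-connector-troubleshoot`; if it is not yet published, the step should not ship with the link. The Lifecycle Policy step tells users the source blobs are "no longer needed" once ingested, but the recommended rule deletes on last-modified age regardless of whether ingestion succeeded; a one-sentence caveat such as "choose a retention period longer than any expected ingestion outage, since blobs deleted before the connector processes them cannot be recovered" would keep a stalled Event Grid subscription from silently losing audit records.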
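Review bot: `query_string` and `request_body` are added to the stream as plain strings and, per the transform in the following hunk, are copied unmodified into `GitHubAuditLogsV3_CL` as `QueryString` and `RequestBody`; for GitHub API-request audit events these fields carry whatever the caller sent, which in practice can include tokens, signed URLs or other secrets in query parameters, so the workspace becomes a secondary store of that material. Unless GitHub already redacts these fields at the source (worth confirming against the audit-log schema), consider dropping or truncating them in `transformKql`, or at minimum giving the V3 column descriptions a warning such as "May contain raw request content supplied by the caller; treat as sensitive." `token_scopes` is less sensitive but, together with `hashed_token`, is enough to profile which PATs are in use, so the same caveat applies. Declaring `repository_id`, `status_code` and `rate_limit_remaining` as `real` matches the existing numeric columns (`org_id`, `actor_id`) and is consistent.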
@@ -4454,23 +4477,1247 @@ "destinations": { "logAnalytics": [ { - "workspaceResourceId": "[variables('workspaceResourceId')]", - "name": "clv2ws1" + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-GitHubAuditLogs" + ], + "destinations": [ + "clv2ws1" + ], + "outputStream": "Custom-GitHubAuditLogsV3_CL", + "transformKql": "source | extend actor_locationDynamic = parse_json(actor_location) | extend CountryCode = tostring(actor_locationDynamic['country_code']) | extend TimestampLong = tolong(['@timestamp']) | extend TimeGenerated = datetime(1970-01-01) + (TimestampLong * 1ms) | project TimeGenerated, CreatedAt = created_at, Org = org, Action = action, Repo = repo, Actor = actor, CountryCode, User = user, Permission = permission, Visibility = visibility, PreviousVisibility = previous_visibility, OldPermission = old_permission, Team = team, BlockedUser = blocked_user, OperationType = operation_type, PublicRepo = repository_public, OrgId = org_id, InviteeEmail = invitee_email, ActorIp = actor_ip, ActorId = actor_id, ActorIsBot = actor_is_bot, BusinessId = business_id, RepoId = repo_id, UserAgent = user_agent, UserId = user_id, Email = email, RepositorySecurityConfigurationFailureReason = repository_security_configuration_failure_reason, RepositorySecurityConfigurationState = repository_security_configuration_state, OauthApplication = oauth_application, OauthApplicationUrl = oauth_application_url, OauthApplicationState = oauth_application_state, Reason = reason, MembershipType = membership_type, UserCanInviteCollaborators = user_can_invite_collaborators, CanCreateRepositories = can_create_repositories, SecurityConfigurationId = security_configuration_id, InvitationId = invitation_id, Topic = topic, DocumentId = _document_id, Business = business, RequestCategory = request_category, OauthApplicationId = oauth_application_id, OldRepoPermission = old_repo_permission, NewRepoPermission 
= new_repo_permission, RepositoriesRemovedNames = repositories_removed_names, Active = active, ActiveWas = active_was, Data = tostring(data), Config = tostring(config), ConfigWas = tostring(config_was), ContentType = content_type, DeployKeyFingerprint = deploy_key_fingerprint, Emoji = emoji, Events = tostring(events), EventsWere = tostring(events_were), Explanation = explanation, Fingerprint = fingerprint, HookId = hook_id, LimitedAvailability = limited_availability, Message = message, Name = name, OldUser = old_user, OpensshPublicKey = openssh_public_key, ReadOnly = read_only, TargetLogin = target_login, TransportProtocol = transport_protocol, TransportProtocolName = transport_protocol_name, StartedAt = started_at, CompletedAt = completed_at, Conclusion = conclusion, Event = event, HeadBranch = head_branch, HeadSha = head_sha, RunAttempt = run_attempt, RunNumber = run_number, TriggerId = trigger_id, WorkflowId = workflow_id, WorkflowRunId = workflow_run_id, EnvironmentName = environment_name, IsHostedRunner = is_hosted_runner, JobName = job_name, JobWorkflowRef = job_workflow_ref, RunnerGroupId = runner_group_id, RunnerGroupName = runner_group_name, RunnerId = runner_id, RunnerLabels = runner_labels, RunnerName = runner_name, SecretsPassed = secrets_passed, HashedToken = hashed_token, ProgrammaticAccessType = programmatic_access_type, RequestAccessSecurityHeader = request_access_security_header, TokenId = token_id, PullRequestId = pull_request_id, PullRequestTitle = pull_request_title, PullRequestUrl = pull_request_url, OldRolePermissions = old_role_permissions, RolePermissions = role_permissions, RequestId = request_id, BaseRole = base_role, CustomPattern = custom_pattern, Source = source, ActivityType = type, GhsaId = ghsa_id, Recipient = recipient, RunnerOwnerType = runner_owner_type, OrganizationRoleId = organization_role_id, OrganizationRoleName = organization_role_name, Owner = owner, OldTokenExpiration = old_token_expiration, ExemptAdministrators = 
exempt_administrators, TokenExpiration = token_expiration, Policy = policy, ApplicationClientId = application_client_id, Integration = integration, RepositoriesRemoved = repositories_removed, RepositorySelection = repository_selection, NewProjectBaseRole = new_project_base_role, OldProjectBaseRole = old_project_base_role, ProjectId = project_id, ProjectNumber = project_number, PublicProject = public_project, RulesetBypassActors = ruleset_bypass_actors, RulesetConditions = ruleset_conditions, RulesetEnforcement = ruleset_enforcement, RulesetId = ruleset_id, RulesetName = ruleset_name, RulesetRules = ruleset_rules, RulesetSourceType = ruleset_source_type, RulesetRulesDeleted = ruleset_rules_deleted, RulesetConditionsUpdated = ruleset_conditions_updated, AdminEnforced = admin_enforced, AllowDeletionsEnforcementLevel = allow_deletions_enforcement_level, AllowForcePushesEnforcementLevel = allow_force_pushes_enforcement_level, AuthorizedActorNames = authorized_actor_names, CreateProtected = create_protected, DismissStaleReviewsOnPush = dismiss_stale_reviews_on_push, EnforcementLevel = enforcement_level, IgnoreApprovalsFromContributors = ignore_approvals_from_contributors, LinearHistoryRequirementEnforcementLevel = linear_history_requirement_enforcement_level, LockAllowsFetchAndMerge = lock_allows_fetch_and_merge, LockBranchEnforcementLevel = lock_branch_enforcement_level, MergeQueueEnforcementLevel = merge_queue_enforcement_level, PullRequestReviewsEnforcementLevel = pull_request_reviews_enforcement_level, RequireCodeOwnerReview = require_code_owner_review, RequireLastPushApproval = require_last_push_approval, RequiredApprovingReviewCount = required_approving_review_count, RequiredDeploymentsEnforcementLevel = required_deployments_enforcement_level, RequiredReviewThreadResolutionEnforcementLevel = required_review_thread_resolution_enforcement_level, RequiredStatusChecksEnforcementLevel = required_status_checks_enforcement_level, SignatureRequirementEnforcementLevel = 
signature_requirement_enforcement_level, StrictRequiredStatusChecksPolicy = strict_required_status_checks_policy, AllowedValues = allowed_values, DefaultValue = default_value, DefinitionId = definition_id, Description = description, PropertyName = property_name, ValueType = value_type, ValuesEditableBy = values_editable_by, OldValuesEditableBy = old_values_editable_by, OldDefaultValue = old_default_value, OldRequired = old_required, Required = required, Enablement = enablement, OwnerType = owner_type, CommitId = commit_id, RuleSuiteId = rule_suite_id, Referrer = referrer, Reasons = reasons, OverriddenCodes = overridden_codes, After = after, Before = before, Branch = branch, IssueTypeName = issue_type_name, OldDescription = old_description, OldEnabled = old_enabled, OldIssueTypeName = old_issue_type_name, NewAccess = new_access, OldAccess = old_access, UpdatedAllowedTypes = updated_allowed_types, NewPolicy = new_policy, NewRepoRunnersPolicy = new_repo_runners_policy, OldRepoRunnersPolicy = old_repo_runners_policy, Limit = ['limit'], RunnerGroupRestrictedToWorkflows = runner_group_restricted_to_workflows, RunnerGroupSelectedWorkflowRefs = runner_group_selected_workflow_refs, RunnerGroupAllowPublic = runner_group_allow_public, IpAllowListEntry = ip_allow_list_entry, TwoFactorMethod = two_factor_method, AlertNumbers = alert_numbers, CommitOid = commit_oid, Ref = ref, DefaultForNewPrivateRepos = default_for_new_private_repos, DefaultForNewPublicRepos = default_for_new_public_repos, DomainName = domain_name, Key = key, SecurityConfigurationCodeScanning = security_configuration_code_scanning, SecurityConfigurationCodeSecuritySkuEnabled = security_configuration_code_security_sku_enabled, SecurityConfigurationCreatedAt = security_configuration_created_at, SecurityConfigurationDependabotAlerts = security_configuration_dependabot_alerts, SecurityConfigurationDependabotSecurityUpdates = security_configuration_dependabot_security_updates, SecurityConfigurationDependencyGraph = 
security_configuration_dependency_graph, SecurityConfigurationDependencyGraphAutosubmitAction = security_configuration_dependency_graph_autosubmit_action, SecurityConfigurationDescription = security_configuration_description, SecurityConfigurationEnableGhas = security_configuration_enable_ghas, SecurityConfigurationName = security_configuration_name, SecurityConfigurationPrivateVulnerabilityReporting = security_configuration_private_vulnerability_reporting, SecurityConfigurationSecretProtectionSkuEnabled = security_configuration_secret_protection_sku_enabled, SecurityConfigurationSecretScanning = security_configuration_secret_scanning, SecurityConfigurationSecretScanningDelegatedBypass = security_configuration_secret_scanning_delegated_bypass, SecurityConfigurationSecretScanningGenericSecrets = security_configuration_secret_scanning_generic_secrets, SecurityConfigurationSecretScanningNonProviderPatterns = security_configuration_secret_scanning_non_provider_patterns, SecurityConfigurationSecretScanningPushProtection = security_configuration_secret_scanning_push_protection, SecurityConfigurationSecretScanningValidityChecks = security_configuration_secret_scanning_validity_checks, SecurityConfigurationUpdatedAt = security_configuration_updated_at, ThreatModel = threat_model, QuerySuite = query_suite, VulnerabilityAlertRuleActionsAlertActionsAutoDismiss = vulnerability_alert_rule_actions_alert_actions_auto_dismiss, VulnerabilityAlertRuleActionsVersion = vulnerability_alert_rule_actions_version, VulnerabilityAlertRuleConditionsCwe = vulnerability_alert_rule_conditions_cwe, VulnerabilityAlertRuleConditionsEcosystem = vulnerability_alert_rule_conditions_ecosystem, VulnerabilityAlertRuleConditionsScope = vulnerability_alert_rule_conditions_scope, VulnerabilityAlertRuleId = vulnerability_alert_rule_id, VulnerabilityAlertRuleName = vulnerability_alert_rule_name, DismissalApproverId = dismissal_approver_id, SsoUrl = sso_url, Issuer = issuer, ExternalIdentityUsername = 
external_identity_username, ExternalIdentityNameid = external_identity_nameid, AuditLogStreamResult = audit_log_stream_result, AuditLogStreamSinkDetails = audit_log_stream_sink_details, AuditLogStreamId = audit_log_stream_id, AuditLogStreamSink = audit_log_stream_sink, Repository = repository, RepositoryId = repository_id, TokenScopes = token_scopes, RequestMethod = request_method, QueryString = query_string, RequestBody = request_body, StatusCode = status_code, UrlPath = url_path, Route = route, RateLimitRemaining = rate_limit_remaining" + } + ] + } + }, + { + "name": "GitHubAuditLogsV3_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "GitHubAuditLogsV3_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "Org", + "type": "string", + "description": "The GitHub organization associated with the audit log event." + }, + { + "name": "Action", + "type": "string", + "description": "The name of the action that was performed, for example user.login or repo.create." + }, + { + "name": "Repo", + "type": "string", + "description": "The name of the repository associated with the event." + }, + { + "name": "Actor", + "type": "string", + "description": "The actor who performed the action." + }, + { + "name": "CountryCode", + "type": "string", + "description": "The country code from the actor's location." + }, + { + "name": "User", + "type": "string", + "description": "The user that was affected by the action performed." + }, + { + "name": "Permission", + "type": "string", + "description": "The permission level granted or associated with the action." + }, + { + "name": "Visibility", + "type": "string", + "description": "The repository visibility, for example public or private." 
+ }, + { + "name": "PreviousVisibility", + "type": "string", + "description": "The previous repository visibility before the change." + }, + { + "name": "OldPermission", + "type": "string", + "description": "The previous permission level before the change." + }, + { + "name": "Team", + "type": "string", + "description": "The team associated with the audit log event." + }, + { + "name": "BlockedUser", + "type": "string", + "description": "The username of the account being blocked." + }, + { + "name": "OperationType", + "type": "string", + "description": "The type of operation performed, for example create, modify, or delete." + }, + { + "name": "PublicRepo", + "type": "boolean", + "description": "Whether the repository is public." + }, + { + "name": "OrgId", + "type": "real", + "description": "The numeric identifier of the GitHub organization." + }, + { + "name": "CreatedAt", + "type": "real", + "description": "The time the audit log event was recorded, given as a Unix timestamp in milliseconds." + }, + { + "name": "InviteeEmail", + "type": "string", + "description": "The email address of the person invited." + }, + { + "name": "ActorIp", + "type": "string", + "description": "The IP address of the actor who performed the action.", + "dataTypeHint": "IP" + }, + { + "name": "ActorId", + "type": "real", + "description": "The numeric identifier of the actor who performed the action." + }, + { + "name": "ActorIsBot", + "type": "boolean", + "description": "Whether the actor is a bot account." + }, + { + "name": "BusinessId", + "type": "real", + "description": "The numeric identifier of the GitHub Enterprise business." + }, + { + "name": "RepoId", + "type": "real", + "description": "The numeric identifier of the repository." + }, + { + "name": "UserAgent", + "type": "string", + "description": "The user agent string of the client that initiated the action." + }, + { + "name": "UserId", + "type": "real", + "description": "The numeric identifier of the affected user." 
+ },
+ {
+ "name": "Email",
+ "type": "string",
+ "description": "The email address associated with the event."
+ },
+ {
+ "name": "RepositorySecurityConfigurationFailureReason",
+ "type": "dynamic",
+ "description": "The reason a repository security configuration failed to apply."
+ },
+ {
+ "name": "RepositorySecurityConfigurationState",
+ "type": "dynamic",
+ "description": "The state of the repository security configuration."
+ },
+ {
+ "name": "SecurityConfigurationName",
+ "type": "string",
+ "description": "The name of the security configuration."
+ },
+ {
+ "name": "OauthApplication",
+ "type": "string",
+ "description": "The name of the OAuth application involved in the event."
+ },
+ {
+ "name": "OauthApplicationUrl",
+ "type": "string",
+ "description": "The URL of the OAuth application."
+ },
+ {
+ "name": "OauthApplicationState",
+ "type": "string",
+ "description": "The state of the OAuth application."
+ },
+ {
+ "name": "Reason",
+ "type": "string",
+ "description": "The reason for the action or event."
+ },
+ {
+ "name": "MembershipType",
+ "type": "string",
+ "description": "The type of membership, for example admin or member."
+ },
+ {
+ "name": "UserCanInviteCollaborators",
+ "type": "boolean",
+ "description": "Whether the user has permission to invite collaborators."
+ },
+ {
+ "name": "CanCreateRepositories",
+ "type": "boolean",
+ "description": "Whether the user has permission to create repositories."
+ },
+ {
+ "name": "SecurityConfigurationId",
+ "type": "real",
+ "description": "The numeric identifier of the security configuration."
+ },
+ {
+ "name": "InvitationId",
+ "type": "real",
+ "description": "The numeric identifier of the invitation."
+ },
+ {
+ "name": "Topic",
+ "type": "string",
+ "description": "The topic associated with the event."
+ },
+ {
+ "name": "DocumentId",
+ "type": "string",
+ "description": "A unique identifier for the audit event."
+ },
+ {
+ "name": "Business",
+ "type": "string",
+ "description": "The name of the GitHub Enterprise business."
+ },
+ {
+ "name": "RequestCategory",
+ "type": "string",
+ "description": "The category of the request."
+ },
+ {
+ "name": "OauthApplicationId",
+ "type": "real",
+ "description": "The numeric identifier of the OAuth application."
+ },
+ {
+ "name": "OldRepoPermission",
+ "type": "string",
+ "description": "The previous repository permission before the change."
+ },
+ {
+ "name": "NewRepoPermission",
+ "type": "string",
+ "description": "The new repository permission after the change."
+ },
+ {
+ "name": "RepositoriesRemovedNames",
+ "type": "string",
+ "description": "The names of repositories that were removed."
+ },
+ {
+ "name": "Active",
+ "type": "boolean",
+ "description": "Whether the resource is currently active."
+ },
+ {
+ "name": "ActiveWas",
+ "type": "boolean",
+ "description": "Whether the resource was previously active."
+ },
+ {
+ "name": "Data",
+ "type": "string",
+ "description": "Additional data associated with the event, serialized as a JSON string."
+ },
+ {
+ "name": "Config",
+ "type": "string",
+ "description": "The current configuration associated with the event, serialized as a JSON string."
+ },
+ {
+ "name": "ConfigWas",
+ "type": "string",
+ "description": "The previous configuration before the change, serialized as a JSON string."
+ },
+ {
+ "name": "ContentType",
+ "type": "string",
+ "description": "The content type of the resource."
+ },
+ {
+ "name": "DeployKeyFingerprint",
+ "type": "string",
+ "description": "The fingerprint of the deploy key."
+ },
+ {
+ "name": "Emoji",
+ "type": "string",
+ "description": "The emoji associated with the event."
+ },
+ {
+ "name": "Events",
+ "type": "string",
+ "description": "The current events configuration, serialized as a JSON string."
+ },
+ {
+ "name": "EventsWere",
+ "type": "string",
+ "description": "The previous events configuration before the change, serialized as a JSON string."
+ },
+ {
+ "name": "Explanation",
+ "type": "string",
+ "description": "An explanation or additional context for the event."
+ },
+ {
+ "name": "Fingerprint",
+ "type": "string",
+ "description": "The fingerprint of the key or certificate."
+ },
+ {
+ "name": "HookId",
+ "type": "real",
+ "description": "The numeric identifier of the webhook."
+ },
+ {
+ "name": "LimitedAvailability",
+ "type": "boolean",
+ "description": "Whether the feature has limited availability."
+ },
+ {
+ "name": "Message",
+ "type": "string",
+ "description": "A message associated with the event."
+ },
+ {
+ "name": "Name",
+ "type": "string",
+ "description": "The name of the resource associated with the event."
+ },
+ {
+ "name": "OldUser",
+ "type": "string",
+ "description": "The previous user before the change."
+ },
+ {
+ "name": "OpensshPublicKey",
+ "type": "string",
+ "description": "The OpenSSH public key associated with the event."
+ },
+ {
+ "name": "ReadOnly",
+ "type": "boolean",
+ "description": "Whether the resource is read-only."
+ },
+ {
+ "name": "TargetLogin",
+ "type": "string",
+ "description": "The login of the target user."
+ },
+ {
+ "name": "TransportProtocol",
+ "type": "real",
+ "description": "The type of protocol (for example, HTTP or SSH) used to transfer Git data."
+ },
+ {
+ "name": "TransportProtocolName",
+ "type": "string",
+ "description": "A human readable name for the protocol used to transfer Git data."
+ },
+ {
+ "name": "StartedAt",
+ "type": "datetime",
+ "description": "The time the workflow or job started."
+ },
+ {
+ "name": "CompletedAt",
+ "type": "datetime",
+ "description": "The time the workflow or job completed."
+ },
+ {
+ "name": "Conclusion",
+ "type": "string",
+ "description": "The conclusion status of the workflow run, for example success or failure."
+ },
+ {
+ "name": "Event",
+ "type": "string",
+ "description": "The event that triggered the workflow."
+ },
+ {
+ "name": "HeadBranch",
+ "type": "string",
+ "description": "The head branch of the workflow run."
+ },
+ {
+ "name": "HeadSha",
+ "type": "string",
+ "description": "The HEAD SHA of the commit that triggered the workflow."
+ },
+ {
+ "name": "RunAttempt",
+ "type": "real",
+ "description": "The attempt number of the workflow run."
+ },
+ {
+ "name": "RunNumber",
+ "type": "real",
+ "description": "The run number of the workflow."
+ },
+ {
+ "name": "TriggerId",
+ "type": "real",
+ "description": "The numeric identifier of the trigger."
+ },
+ {
+ "name": "WorkflowId",
+ "type": "real",
+ "description": "The numeric identifier of the workflow."
+ },
+ {
+ "name": "WorkflowRunId",
+ "type": "real",
+ "description": "The numeric identifier of the workflow run."
+ },
+ {
+ "name": "EnvironmentName",
+ "type": "string",
+ "description": "The name of the deployment environment."
+ },
+ {
+ "name": "IsHostedRunner",
+ "type": "boolean",
+ "description": "Whether the runner is a GitHub-hosted runner."
+ },
+ {
+ "name": "JobName",
+ "type": "string",
+ "description": "The name of the workflow job."
+ },
+ {
+ "name": "JobWorkflowRef",
+ "type": "string",
+ "description": "The reference to the reusable workflow used by the job."
+ },
+ {
+ "name": "RunnerGroupId",
+ "type": "real",
+ "description": "The numeric identifier of the runner group."
+ },
+ {
+ "name": "RunnerGroupName",
+ "type": "string",
+ "description": "The name of the runner group."
+ },
+ {
+ "name": "RunnerId",
+ "type": "real",
+ "description": "The numeric identifier of the runner."
+ },
+ {
+ "name": "RunnerLabels",
+ "type": "string",
+ "description": "The labels assigned to the runner."
+ },
+ {
+ "name": "RunnerName",
+ "type": "string",
+ "description": "The name of the runner."
+ },
+ {
+ "name": "SecretsPassed",
+ "type": "string",
+ "description": "The secrets passed to the workflow or job."
+ },
+ {
+ "name": "HashedToken",
+ "type": "string",
+ "description": "The hashed token used for authentication."
+ },
+ {
+ "name": "ProgrammaticAccessType",
+ "type": "string",
+ "description": "The type of programmatic access used."
+ },
+ {
+ "name": "RequestAccessSecurityHeader",
+ "type": "string",
+ "description": "The security header of the access request."
+ },
+ {
+ "name": "TokenId",
+ "type": "real",
+ "description": "The numeric identifier of the token."
+ },
+ {
+ "name": "PullRequestId",
+ "type": "real",
+ "description": "The numeric identifier of the pull request."
+ },
+ {
+ "name": "PullRequestTitle",
+ "type": "string",
+ "description": "The title of the pull request."
+ },
+ {
+ "name": "PullRequestUrl",
+ "type": "string",
+ "description": "The URL of the pull request."
+ },
+ {
+ "name": "OldRolePermissions",
+ "type": "string",
+ "description": "The previous role permissions before the change."
+ },
+ {
+ "name": "RolePermissions",
+ "type": "string",
+ "description": "The current role permissions."
+ },
+ {
+ "name": "RequestId",
+ "type": "string",
+ "description": "The unique identifier of the request."
+ },
+ {
+ "name": "BaseRole",
+ "type": "string",
+ "description": "The base role for the organization or repository."
+ },
+ {
+ "name": "CustomPattern",
+ "type": "string",
+ "description": "The custom secret scanning pattern."
+ },
+ {
+ "name": "Source",
+ "type": "string",
+ "description": "The source of the event."
+ },
+ {
+ "name": "ActivityType",
+ "type": "string",
+ "description": "The type of activity that was performed."
+ },
+ {
+ "name": "GhsaId",
+ "type": "string",
+ "description": "The GitHub Security Advisory identifier."
+ },
+ {
+ "name": "Recipient",
+ "type": "string",
+ "description": "The recipient of the action."
+ },
+ {
+ "name": "RunnerOwnerType",
+ "type": "string",
+ "description": "The type of the runner owner, for example organization or enterprise."
+ },
+ {
+ "name": "OrganizationRoleId",
+ "type": "real",
+ "description": "The numeric identifier of the organization role."
+ },
+ {
+ "name": "OrganizationRoleName",
+ "type": "string",
+ "description": "The name of the organization role."
+ },
+ {
+ "name": "Owner",
+ "type": "string",
+ "description": "The owner of the resource."
+ },
+ {
+ "name": "OldTokenExpiration",
+ "type": "real",
+ "description": "The previous token expiration timestamp."
+ },
+ {
+ "name": "ExemptAdministrators",
+ "type": "boolean",
+ "description": "Whether administrators are exempt from the rule."
+ },
+ {
+ "name": "TokenExpiration",
+ "type": "real",
+ "description": "The token expiration timestamp."
+ },
+ {
+ "name": "Policy",
+ "type": "string",
+ "description": "The policy associated with the event."
+ },
+ {
+ "name": "ApplicationClientId",
+ "type": "string",
+ "description": "The client ID of the application."
+ },
+ {
+ "name": "Integration",
+ "type": "string",
+ "description": "The integration associated with the event."
+ },
+ {
+ "name": "RepositoriesRemoved",
+ "type": "string",
+ "description": "The repositories removed from the integration or configuration."
+ },
+ {
+ "name": "RepositorySelection",
+ "type": "string",
+ "description": "The repository selection mode, for example all or selected."
+ },
+ {
+ "name": "NewProjectBaseRole",
+ "type": "string",
+ "description": "The new base role for the project."
+ },
+ {
+ "name": "OldProjectBaseRole",
+ "type": "string",
+ "description": "The previous base role for the project."
+ },
+ {
+ "name": "ProjectId",
+ "type": "real",
+ "description": "The numeric identifier of the project."
+ },
+ {
+ "name": "ProjectNumber",
+ "type": "real",
+ "description": "The project number."
+ },
+ {
+ "name": "PublicProject",
+ "type": "boolean",
+ "description": "Whether the project is public."
+ },
+ {
+ "name": "RulesetBypassActors",
+ "type": "string",
+ "description": "The actors that can bypass the ruleset."
+ },
+ {
+ "name": "RulesetConditions",
+ "type": "string",
+ "description": "The conditions of the ruleset."
+ },
+ {
+ "name": "RulesetEnforcement",
+ "type": "string",
+ "description": "The enforcement level of the ruleset."
+ },
+ {
+ "name": "RulesetId",
+ "type": "real",
+ "description": "The numeric identifier of the ruleset."
+ },
+ {
+ "name": "RulesetName",
+ "type": "string",
+ "description": "The name of the ruleset."
+ },
+ {
+ "name": "RulesetRules",
+ "type": "string",
+ "description": "The rules defined in the ruleset."
+ },
+ {
+ "name": "RulesetSourceType",
+ "type": "string",
+ "description": "The source type of the ruleset, for example organization or repository."
+ },
+ {
+ "name": "RulesetRulesDeleted",
+ "type": "string",
+ "description": "The rules deleted from the ruleset."
+ },
+ {
+ "name": "RulesetConditionsUpdated",
+ "type": "string",
+ "description": "The updated conditions of the ruleset."
+ },
+ {
+ "name": "AdminEnforced",
+ "type": "boolean",
+ "description": "Whether the branch protection rule is enforced for administrators."
+ },
+ {
+ "name": "AllowDeletionsEnforcementLevel",
+ "type": "real",
+ "description": "The enforcement level for allowing branch deletions."
+ },
+ {
+ "name": "AllowForcePushesEnforcementLevel",
+ "type": "real",
+ "description": "The enforcement level for allowing force pushes."
+ },
+ {
+ "name": "AuthorizedActorNames",
+ "type": "string",
+ "description": "The names of actors authorized to bypass branch protection."
+ },
+ {
+ "name": "CreateProtected",
+ "type": "boolean",
+ "description": "Whether branch creation is protected."
+ },
+ {
+ "name": "DismissStaleReviewsOnPush",
+ "type": "boolean",
+ "description": "Whether stale pull request reviews are dismissed on new pushes."
+ },
+ {
+ "name": "EnforcementLevel",
+ "type": "string",
+ "description": "The enforcement level of the protection rule."
+ },
+ {
+ "name": "IgnoreApprovalsFromContributors",
+ "type": "boolean",
+ "description": "Whether approvals from contributors are ignored."
+ },
+ {
+ "name": "LinearHistoryRequirementEnforcementLevel",
+ "type": "real",
+ "description": "The enforcement level for requiring linear commit history."
+ },
+ {
+ "name": "LockAllowsFetchAndMerge",
+ "type": "boolean",
+ "description": "Whether locked branches allow fetch and merge."
+ },
+ {
+ "name": "LockBranchEnforcementLevel",
+ "type": "real",
+ "description": "The enforcement level for branch locking."
+ },
+ {
+ "name": "MergeQueueEnforcementLevel",
+ "type": "real",
+ "description": "The enforcement level for merge queue."
+ },
+ {
+ "name": "PullRequestReviewsEnforcementLevel",
+ "type": "real",
+ "description": "The enforcement level for pull request reviews."
+ },
+ {
+ "name": "RequireCodeOwnerReview",
+ "type": "boolean",
+ "description": "Whether code owner review is required."
+ },
+ {
+ "name": "RequireLastPushApproval",
+ "type": "boolean",
+ "description": "Whether approval from someone other than the last pusher is required."
+ },
+ {
+ "name": "RequiredApprovingReviewCount",
+ "type": "real",
+ "description": "The number of required approving reviews."
+ },
+ {
+ "name": "RequiredDeploymentsEnforcementLevel",
+ "type": "real",
+ "description": "The enforcement level for required deployments."
+ },
+ {
+ "name": "RequiredReviewThreadResolutionEnforcementLevel",
+ "type": "real",
+ "description": "The enforcement level for required review thread resolution."
+ },
+ {
+ "name": "RequiredStatusChecksEnforcementLevel",
+ "type": "real",
+ "description": "The enforcement level for required status checks."
+ },
+ {
+ "name": "SignatureRequirementEnforcementLevel",
+ "type": "real",
+ "description": "The enforcement level for commit signature requirements."
+ },
+ {
+ "name": "StrictRequiredStatusChecksPolicy",
+ "type": "boolean",
+ "description": "Whether strict required status checks policy is enabled."
+ },
+ {
+ "name": "AllowedValues",
+ "type": "string",
+ "description": "The allowed values for a custom property."
+ },
+ {
+ "name": "DefaultValue",
+ "type": "string",
+ "description": "The default value for a custom property."
+ },
+ {
+ "name": "DefinitionId",
+ "type": "real",
+ "description": "The numeric identifier of the custom property definition."
+ },
+ {
+ "name": "Description",
+ "type": "string",
+ "description": "The description of the resource or event."
+ },
+ {
+ "name": "PropertyName",
+ "type": "string",
+ "description": "The name of the custom property."
+ },
+ {
+ "name": "ValueType",
+ "type": "string",
+ "description": "The data type of the custom property value."
+ },
+ {
+ "name": "ValuesEditableBy",
+ "type": "string",
+ "description": "Who can edit the custom property values."
+ },
+ {
+ "name": "OldValuesEditableBy",
+ "type": "string",
+ "description": "Who could previously edit the custom property values."
+ },
+ {
+ "name": "OldDefaultValue",
+ "type": "string",
+ "description": "The previous default value for a custom property."
+ },
+ {
+ "name": "OldRequired",
+ "type": "boolean",
+ "description": "Whether the custom property was previously required."
+ },
+ {
+ "name": "Required",
+ "type": "boolean",
+ "description": "Whether the custom property is required."
+ },
+ {
+ "name": "Enablement",
+ "type": "string",
+ "description": "The enablement state of a feature or configuration."
+ },
+ {
+ "name": "OwnerType",
+ "type": "string",
+ "description": "The type of the owner, for example user or organization."
+ },
+ {
+ "name": "CommitId",
+ "type": "string",
+ "description": "The commit identifier associated with the event."
+ },
+ {
+ "name": "RuleSuiteId",
+ "type": "real",
+ "description": "The numeric identifier of the rule suite evaluation."
+ },
+ {
+ "name": "Referrer",
+ "type": "string",
+ "description": "The referrer URL or source."
+ },
+ {
+ "name": "Reasons",
+ "type": "string",
+ "description": "The reasons for the action or decision."
+ },
+ {
+ "name": "OverriddenCodes",
+ "type": "string",
+ "description": "The codes that were overridden."
+ },
+ {
+ "name": "After",
+ "type": "string",
+ "description": "The state after the change."
+ },
+ {
+ "name": "Before",
+ "type": "string",
+ "description": "The state before the change."
+ },
+ {
+ "name": "Branch",
+ "type": "string",
+ "description": "The branch associated with the event."
+ },
+ {
+ "name": "IssueTypeName",
+ "type": "string",
+ "description": "The name of the issue type."
+ },
+ {
+ "name": "OldDescription",
+ "type": "string",
+ "description": "The previous description before the change."
+ },
+ {
+ "name": "OldEnabled",
+ "type": "boolean",
+ "description": "Whether the feature was previously enabled."
+ },
+ {
+ "name": "OldIssueTypeName",
+ "type": "string",
+ "description": "The previous issue type name before the change."
+ },
+ {
+ "name": "NewAccess",
+ "type": "string",
+ "description": "The new access level after the change."
+ },
+ {
+ "name": "OldAccess",
+ "type": "string",
+ "description": "The previous access level before the change."
+ },
+ {
+ "name": "UpdatedAllowedTypes",
+ "type": "boolean",
+ "description": "Whether the allowed types were updated."
+ },
+ {
+ "name": "NewPolicy",
+ "type": "string",
+ "description": "The new policy after the change."
+ },
+ {
+ "name": "NewRepoRunnersPolicy",
+ "type": "string",
+ "description": "The new repository runners policy after the change."
+ },
+ {
+ "name": "OldRepoRunnersPolicy",
+ "type": "string",
+ "description": "The previous repository runners policy."
+ },
+ {
+ "name": "Limit",
+ "type": "real",
+ "description": "The limit value associated with the event."
+ },
+ {
+ "name": "RunnerGroupRestrictedToWorkflows",
+ "type": "boolean",
+ "description": "Whether the runner group is restricted to specific workflows."
+ },
+ {
+ "name": "RunnerGroupSelectedWorkflowRefs",
+ "type": "string",
+ "description": "The workflow references selected for the runner group."
+ },
+ {
+ "name": "RunnerGroupAllowPublic",
+ "type": "boolean",
+ "description": "Whether the runner group allows public repositories."
+ },
+ {
+ "name": "IpAllowListEntry",
+ "type": "string",
+ "description": "The IP allow list entry."
+ },
+ {
+ "name": "TwoFactorMethod",
+ "type": "string",
+ "description": "The two-factor authentication method used."
+ },
+ {
+ "name": "AlertNumbers",
+ "type": "string",
+ "description": "The alert numbers associated with the event."
+ },
+ {
+ "name": "CommitOid",
+ "type": "string",
+ "description": "The commit object identifier (OID)."
+ },
+ {
+ "name": "Ref",
+ "type": "string",
+ "description": "The Git reference associated with the event."
+ },
+ {
+ "name": "DefaultForNewPrivateRepos",
+ "type": "boolean",
+ "description": "Whether the configuration is the default for new private repositories."
+ },
+ {
+ "name": "DefaultForNewPublicRepos",
+ "type": "boolean",
+ "description": "Whether the configuration is the default for new public repositories."
+ },
+ {
+ "name": "DomainName",
+ "type": "string",
+ "description": "The domain name associated with the event."
+ },
+ {
+ "name": "Key",
+ "type": "string",
+ "description": "The key associated with the event."
+ },
+ {
+ "name": "SecurityConfigurationCodeScanning",
+ "type": "string",
+ "description": "The code scanning setting of the security configuration."
+ },
+ {
+ "name": "SecurityConfigurationCodeSecuritySkuEnabled",
+ "type": "boolean",
+ "description": "Whether the code security SKU is enabled in the security configuration."
+ },
+ {
+ "name": "SecurityConfigurationCreatedAt",
+ "type": "datetime",
+ "description": "The creation date of the security configuration."
+ },
+ {
+ "name": "SecurityConfigurationDependabotAlerts",
+ "type": "string",
+ "description": "The Dependabot alerts setting of the security configuration."
+ },
+ {
+ "name": "SecurityConfigurationDependabotSecurityUpdates",
+ "type": "string",
+ "description": "The Dependabot security updates setting of the security configuration."
+ },
+ {
+ "name": "SecurityConfigurationDependencyGraph",
+ "type": "string",
+ "description": "The dependency graph setting of the security configuration."
+ },
+ {
+ "name": "SecurityConfigurationDependencyGraphAutosubmitAction",
+ "type": "string",
+ "description": "The dependency graph autosubmit action setting of the security configuration."
+ },
+ {
+ "name": "SecurityConfigurationDescription",
+ "type": "string",
+ "description": "The description of the security configuration."
+ },
+ {
+ "name": "SecurityConfigurationEnableGhas",
+ "type": "boolean",
+ "description": "Whether GitHub Advanced Security is enabled in the security configuration."
+ },
+ {
+ "name": "SecurityConfigurationPrivateVulnerabilityReporting",
+ "type": "string",
+ "description": "The private vulnerability reporting setting of the security configuration."
+ },
+ {
+ "name": "SecurityConfigurationSecretProtectionSkuEnabled",
+ "type": "boolean",
+ "description": "Whether the secret protection SKU is enabled in the security configuration."
+ },
+ {
+ "name": "SecurityConfigurationSecretScanning",
+ "type": "string",
+ "description": "The secret scanning setting of the security configuration."
+ },
+ {
+ "name": "SecurityConfigurationSecretScanningDelegatedBypass",
+ "type": "string",
+ "description": "The secret scanning delegated bypass setting of the security configuration."
+ },
+ {
+ "name": "SecurityConfigurationSecretScanningGenericSecrets",
+ "type": "string",
+ "description": "The secret scanning generic secrets setting of the security configuration."
+ },
+ {
+ "name": "SecurityConfigurationSecretScanningNonProviderPatterns",
+ "type": "string",
+ "description": "The secret scanning non-provider patterns setting of the security configuration."
+ },
+ {
+ "name": "SecurityConfigurationSecretScanningPushProtection",
+ "type": "string",
+ "description": "The secret scanning push protection setting of the security configuration."
+ },
+ {
+ "name": "SecurityConfigurationSecretScanningValidityChecks",
+ "type": "string",
+ "description": "The secret scanning validity checks setting of the security configuration."
+ },
+ {
+ "name": "SecurityConfigurationUpdatedAt",
+ "type": "datetime",
+ "description": "The last update date of the security configuration."
+ },
+ {
+ "name": "ThreatModel",
+ "type": "string",
+ "description": "The threat model associated with the event."
+ },
+ {
+ "name": "QuerySuite",
+ "type": "string",
+ "description": "The code scanning query suite."
+ },
+ {
+ "name": "VulnerabilityAlertRuleActionsAlertActionsAutoDismiss",
+ "type": "string",
+ "description": "The auto-dismiss setting for vulnerability alert rule actions."
+ },
+ {
+ "name": "VulnerabilityAlertRuleActionsVersion",
+ "type": "real",
+ "description": "The version of the vulnerability alert rule actions."
+ },
+ {
+ "name": "VulnerabilityAlertRuleConditionsCwe",
+ "type": "string",
+ "description": "The CWE conditions for the vulnerability alert rule."
+ },
+ {
+ "name": "VulnerabilityAlertRuleConditionsEcosystem",
+ "type": "string",
+ "description": "The ecosystem conditions for the vulnerability alert rule."
+ },
+ {
+ "name": "VulnerabilityAlertRuleConditionsScope",
+ "type": "string",
+ "description": "The scope conditions for the vulnerability alert rule."
+ },
+ {
+ "name": "VulnerabilityAlertRuleId",
+ "type": "real",
+ "description": "The numeric identifier of the vulnerability alert rule."
+ },
+ {
+ "name": "VulnerabilityAlertRuleName",
+ "type": "string",
+ "description": "The name of the vulnerability alert rule."
+ },
+ {
+ "name": "DismissalApproverId",
+ "type": "real",
+ "description": "The numeric identifier of the user who approved the dismissal."
+ },
+ {
+ "name": "SsoUrl",
+ "type": "string",
+ "description": "The single sign-on URL."
+ },
+ {
+ "name": "Issuer",
+ "type": "string",
+ "description": "The issuer of the SSO or SAML identity."
+ },
+ {
+ "name": "ExternalIdentityUsername",
+ "type": "string",
+ "description": "The username of the external identity."
+ },
+ {
+ "name": "ExternalIdentityNameid",
+ "type": "string",
+ "description": "The NameID of the external identity."
+ },
+ {
+ "name": "AuditLogStreamResult",
+ "type": "string",
+ "description": "The result of the audit log stream operation."
+ },
+ {
+ "name": "AuditLogStreamSinkDetails",
+ "type": "string",
+ "description": "The details of the audit log stream sink."
+ },
+ {
+ "name": "AuditLogStreamId",
+ "type": "real",
+ "description": "The numeric identifier of the audit log stream."
+ },
+ {
+ "name": "AuditLogStreamSink",
+ "type": "string",
+ "description": "The sink type of the audit log stream."
+ },
+ {
+ "name": "Repository",
+ "type": "string",
+ "description": "The name of the repository associated with the event."
+ },
+ {
+ "name": "RepositoryId",
+ "type": "real",
+ "description": "The numeric identifier of the repository."
+ },
+ {
+ "name": "TokenScopes",
+ "type": "string",
+ "description": "The scopes associated with the token used for authentication."
+ },
+ {
+ "name": "RequestMethod",
+ "type": "string",
+ "description": "The HTTP request method, for example GET or POST."
+ },
+ {
+ "name": "QueryString",
+ "type": "string",
+ "description": "The query string from the HTTP request URL."
+ }, + { + "name": "RequestBody", + "type": "string", + "description": "The body of the HTTP request." + }, + { + "name": "StatusCode", + "type": "real", + "description": "The HTTP response status code." + }, + { + "name": "UrlPath", + "type": "string", + "description": "The URL path of the HTTP request." + }, + { + "name": "Route", + "type": "string", + "description": "The API route associated with the event." + }, + { + "name": "RateLimitRemaining", + "type": "real", + "description": "The number of API rate limit requests remaining." } ] - }, - "dataFlows": [ - { - "streams": [ - "Custom-GitHubAuditLogs" - ], - "destinations": [ - "clv2ws1" - ], - "outputStream": "Custom-GitHubAuditLogsV2_CL", - "transformKql": "source | extend actor_locationDynamic = parse_json(actor_location) | extend CountryCode = tostring(actor_locationDynamic['country_code']) | extend TimestampLong = tolong(['@timestamp']) | extend TimeGenerated = datetime(1970-01-01) + (TimestampLong * 1ms) | project TimeGenerated, CreatedAt = created_at, Org = org, Action = action, Repo = repo, Actor = actor, CountryCode, User = user, Permission = permission, Visibility = visibility, PreviousVisibility = previous_visibility, OldPermission = old_permission, Team = team, BlockedUser = blocked_user, OperationType = operation_type, PublicRepo = repository_public, OrgId = org_id, InviteeEmail = invitee_email, ActorIp = actor_ip, ActorId = actor_id, ActorIsBot = actor_is_bot, BusinessId = business_id, RepoId = repo_id, UserAgent = user_agent, UserId = user_id, Email = email, RepositorySecurityConfigurationFailureReason = repository_security_configuration_failure_reason, RepositorySecurityConfigurationState = repository_security_configuration_state, OauthApplication = oauth_application, OauthApplicationUrl = oauth_application_url, OauthApplicationState = oauth_application_state, Reason = reason, MembershipType = membership_type, UserCanInviteCollaborators = user_can_invite_collaborators, CanCreateRepositories = 
can_create_repositories, SecurityConfigurationId = security_configuration_id, InvitationId = invitation_id, Topic = topic, DocumentId = _document_id, Business = business, RequestCategory = request_category, OauthApplicationId = oauth_application_id, OldRepoPermission = old_repo_permission, NewRepoPermission = new_repo_permission, RepositoriesRemovedNames = repositories_removed_names, Active = active, ActiveWas = active_was, Data = tostring(data), Config = tostring(config), ConfigWas = tostring(config_was), ContentType = content_type, DeployKeyFingerprint = deploy_key_fingerprint, Emoji = emoji, Events = tostring(events), EventsWere = tostring(events_were), Explanation = explanation, Fingerprint = fingerprint, HookId = hook_id, LimitedAvailability = limited_availability, Message = message, Name = name, OldUser = old_user, OpensshPublicKey = openssh_public_key, ReadOnly = read_only, TargetLogin = target_login, TransportProtocol = transport_protocol, TransportProtocolName = transport_protocol_name, StartedAt = started_at, CompletedAt = completed_at, Conclusion = conclusion, Event = event, HeadBranch = head_branch, HeadSha = head_sha, RunAttempt = run_attempt, RunNumber = run_number, TriggerId = trigger_id, WorkflowId = workflow_id, WorkflowRunId = workflow_run_id, EnvironmentName = environment_name, IsHostedRunner = is_hosted_runner, JobName = job_name, JobWorkflowRef = job_workflow_ref, RunnerGroupId = runner_group_id, RunnerGroupName = runner_group_name, RunnerId = runner_id, RunnerLabels = runner_labels, RunnerName = runner_name, SecretsPassed = secrets_passed, HashedToken = hashed_token, ProgrammaticAccessType = programmatic_access_type, RequestAccessSecurityHeader = request_access_security_header, TokenId = token_id, PullRequestId = pull_request_id, PullRequestTitle = pull_request_title, PullRequestUrl = pull_request_url, OldRolePermissions = old_role_permissions, RolePermissions = role_permissions, RequestId = request_id, BaseRole = base_role, CustomPattern = 
custom_pattern, Source = source, ActivityType = type, GhsaId = ghsa_id, Recipient = recipient, RunnerOwnerType = runner_owner_type, OrganizationRoleId = organization_role_id, OrganizationRoleName = organization_role_name, Owner = owner, OldTokenExpiration = old_token_expiration, ExemptAdministrators = exempt_administrators, TokenExpiration = token_expiration, Policy = policy, ApplicationClientId = application_client_id, Integration = integration, RepositoriesRemoved = repositories_removed, RepositorySelection = repository_selection, NewProjectBaseRole = new_project_base_role, OldProjectBaseRole = old_project_base_role, ProjectId = project_id, ProjectNumber = project_number, PublicProject = public_project, RulesetBypassActors = ruleset_bypass_actors, RulesetConditions = ruleset_conditions, RulesetEnforcement = ruleset_enforcement, RulesetId = ruleset_id, RulesetName = ruleset_name, RulesetRules = ruleset_rules, RulesetSourceType = ruleset_source_type, RulesetRulesDeleted = ruleset_rules_deleted, RulesetConditionsUpdated = ruleset_conditions_updated, AdminEnforced = admin_enforced, AllowDeletionsEnforcementLevel = allow_deletions_enforcement_level, AllowForcePushesEnforcementLevel = allow_force_pushes_enforcement_level, AuthorizedActorNames = authorized_actor_names, CreateProtected = create_protected, DismissStaleReviewsOnPush = dismiss_stale_reviews_on_push, EnforcementLevel = enforcement_level, IgnoreApprovalsFromContributors = ignore_approvals_from_contributors, LinearHistoryRequirementEnforcementLevel = linear_history_requirement_enforcement_level, LockAllowsFetchAndMerge = lock_allows_fetch_and_merge, LockBranchEnforcementLevel = lock_branch_enforcement_level, MergeQueueEnforcementLevel = merge_queue_enforcement_level, PullRequestReviewsEnforcementLevel = pull_request_reviews_enforcement_level, RequireCodeOwnerReview = require_code_owner_review, RequireLastPushApproval = require_last_push_approval, RequiredApprovingReviewCount = required_approving_review_count, 
RequiredDeploymentsEnforcementLevel = required_deployments_enforcement_level, RequiredReviewThreadResolutionEnforcementLevel = required_review_thread_resolution_enforcement_level, RequiredStatusChecksEnforcementLevel = required_status_checks_enforcement_level, SignatureRequirementEnforcementLevel = signature_requirement_enforcement_level, StrictRequiredStatusChecksPolicy = strict_required_status_checks_policy, AllowedValues = allowed_values, DefaultValue = default_value, DefinitionId = definition_id, Description = description, PropertyName = property_name, ValueType = value_type, ValuesEditableBy = values_editable_by, OldValuesEditableBy = old_values_editable_by, OldDefaultValue = old_default_value, OldRequired = old_required, Required = required, Enablement = enablement, OwnerType = owner_type, CommitId = commit_id, RuleSuiteId = rule_suite_id, Referrer = referrer, Reasons = reasons, OverriddenCodes = overridden_codes, After = after, Before = before, Branch = branch, IssueTypeName = issue_type_name, OldDescription = old_description, OldEnabled = old_enabled, OldIssueTypeName = old_issue_type_name, NewAccess = new_access, OldAccess = old_access, UpdatedAllowedTypes = updated_allowed_types, NewPolicy = new_policy, NewRepoRunnersPolicy = new_repo_runners_policy, OldRepoRunnersPolicy = old_repo_runners_policy, Limit = ['limit'], RunnerGroupRestrictedToWorkflows = runner_group_restricted_to_workflows, RunnerGroupSelectedWorkflowRefs = runner_group_selected_workflow_refs, RunnerGroupAllowPublic = runner_group_allow_public, IpAllowListEntry = ip_allow_list_entry, TwoFactorMethod = two_factor_method, AlertNumbers = alert_numbers, CommitOid = commit_oid, Ref = ref, DefaultForNewPrivateRepos = default_for_new_private_repos, DefaultForNewPublicRepos = default_for_new_public_repos, DomainName = domain_name, Key = key, SecurityConfigurationCodeScanning = security_configuration_code_scanning, SecurityConfigurationCodeSecuritySkuEnabled = 
security_configuration_code_security_sku_enabled, SecurityConfigurationCreatedAt = security_configuration_created_at, SecurityConfigurationDependabotAlerts = security_configuration_dependabot_alerts, SecurityConfigurationDependabotSecurityUpdates = security_configuration_dependabot_security_updates, SecurityConfigurationDependencyGraph = security_configuration_dependency_graph, SecurityConfigurationDependencyGraphAutosubmitAction = security_configuration_dependency_graph_autosubmit_action, SecurityConfigurationDescription = security_configuration_description, SecurityConfigurationEnableGhas = security_configuration_enable_ghas, SecurityConfigurationName = security_configuration_name, SecurityConfigurationPrivateVulnerabilityReporting = security_configuration_private_vulnerability_reporting, SecurityConfigurationSecretProtectionSkuEnabled = security_configuration_secret_protection_sku_enabled, SecurityConfigurationSecretScanning = security_configuration_secret_scanning, SecurityConfigurationSecretScanningDelegatedBypass = security_configuration_secret_scanning_delegated_bypass, SecurityConfigurationSecretScanningGenericSecrets = security_configuration_secret_scanning_generic_secrets, SecurityConfigurationSecretScanningNonProviderPatterns = security_configuration_secret_scanning_non_provider_patterns, SecurityConfigurationSecretScanningPushProtection = security_configuration_secret_scanning_push_protection, SecurityConfigurationSecretScanningValidityChecks = security_configuration_secret_scanning_validity_checks, SecurityConfigurationUpdatedAt = security_configuration_updated_at, ThreatModel = threat_model, QuerySuite = query_suite, VulnerabilityAlertRuleActionsAlertActionsAutoDismiss = vulnerability_alert_rule_actions_alert_actions_auto_dismiss, VulnerabilityAlertRuleActionsVersion = vulnerability_alert_rule_actions_version, VulnerabilityAlertRuleConditionsCwe = vulnerability_alert_rule_conditions_cwe, VulnerabilityAlertRuleConditionsEcosystem = 
vulnerability_alert_rule_conditions_ecosystem, VulnerabilityAlertRuleConditionsScope = vulnerability_alert_rule_conditions_scope, VulnerabilityAlertRuleId = vulnerability_alert_rule_id, VulnerabilityAlertRuleName = vulnerability_alert_rule_name, DismissalApproverId = dismissal_approver_id, SsoUrl = sso_url, Issuer = issuer, ExternalIdentityUsername = external_identity_username, ExternalIdentityNameid = external_identity_nameid, AuditLogStreamResult = audit_log_stream_result, AuditLogStreamSinkDetails = audit_log_stream_sink_details, AuditLogStreamId = audit_log_stream_id, AuditLogStreamSink = audit_log_stream_sink" - } - ] + } } }, { @@ -5674,19 +6921,19 @@ { "metricName": "Total events received", "legend": "GitHubAuditLogEvents", - "baseQuery": "GitHubAuditLogsV2_CL" + "baseQuery": "GitHubAuditLogsV3_CL" } ], "sampleQueries": [ { "description": "GitHub Audit Logs", - "query": "GitHubAuditLogsV2_CL | take 10" + "query": "GitHubAuditLogsV3_CL | take 10" } ], "dataTypes": [ { - "name": "GitHubAuditLogsV2_CL", - "lastDataReceivedQuery": "GitHubAuditLogsV2_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + "name": "GitHubAuditLogsV3_CL", + "lastDataReceivedQuery": "GitHubAuditLogsV3_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" } ], "connectivityCriteria": [ @@ -5756,7 +7003,7 @@ "type": "Textbox", "parameters": { "label": "The blob container URL you want to collect data from", - "placeholder": "", + "placeholder": "Enter blob container URL", "type": "text", "name": "blobContainerUri" } @@ -5765,7 +7012,7 @@ "type": "Textbox", "parameters": { "label": "The blob folder name in the container. Optional.", - "placeholder": "", + "placeholder": "optional-folder-name", "type": "text", "name": "blobFolderName" } 
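Review bot: Pointing `baseQuery`, the sample query and `lastDataReceivedQuery` at `GitHubAuditLogsV3_CL` leaves any analytics rule, workbook or hunting query that still targets `GitHubAuditLogsV2_CL` returning zero rows instead of failing, which is a silent detection gap at upgrade time. Consider shipping a parser or KQL function that unions the two tables for the remaining V2 retention window, or at least a migration note in the connector description, so existing detections keep coverage over already-ingested data. The preceding hunk deletes the `dataFlows` entry whose `outputStream` was `Custom-GitHubAuditLogsV2_CL`; the V3 data flow is presumably defined elsewhere in this change, so confirm its `outputStream` matches the new table name and that the columns it projects agree with the V3 `columns` list, otherwise `lastDataReceivedQuery` will never report data. The V3 schema also adds columns such as `RequestBody`, `QueryString` and `SecretsPassed`, which the `take 10` sample query surfaces verbatim to every workspace reader; documenting whether these hold values or only names and hashes would help operators decide on table-level access control.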
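Review bot: The placeholder added for `blobContainerUri` is an instruction (`"placeholder": "Enter blob container URL"`), whereas the placeholders added in the @@ -5765, @@ -5792 and @@ -5801 hunks are example values; the label already says what to enter, so an example of the expected form is the more useful hint here, e.g. `"placeholder": "https://<storage-account>.blob.core.windows.net/<container>"`. For `EGSystemTopicName` the label tells the user to leave the field empty when no topic exists, so the sample value should read clearly as an example rather than a default, which `eg-system-topic-name` does. If the same connector UI definition appears more than once in this template, the placeholder sets should be kept identical between the copies.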
@@ -5792,7 +7039,7 @@
 "type": "Textbox",
 "parameters": {
 "label": "The blob container's storage account subscription id",
- "placeholder": "",
+ "placeholder": "00000000-0000-0000-0000-000000000000",
 "type": "text",
 "name": "StorageAccountSubscription"
 }
@@ -5801,7 +7048,7 @@
 "type": "Textbox",
 "parameters": {
 "label": "The Event Grid system topic name for the storage account, if one exists; otherwise, leave empty.",
- "placeholder": "",
+ "placeholder": "eg-system-topic-name",
 "type": "text",
 "name": "EGSystemTopicName",
 "description": "The data flow uses Event Grid to send blob-created event notifications. There can be only one Event Grid system topic per storage account.\nNavigate to your storage account and check the **Events** section. If a topic already exists, provide its name. Otherwise, leave this field empty."
@@ -5819,18 +7066,15 @@
 },
 {
 "title": "Blob Lifecycle Policy (Recommended)",
- "description": "To prevent unbounded storage growth, configure a [lifecycle management policy](https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview) on your storage account to automatically delete blobs after a retention period (for example, 7 days). Once the connector ingests the audit logs into Microsoft Sentinel, the source blobs are no longer needed.\n\nTo create a lifecycle rule scoped to your container:\n1. Navigate to your **Storage Account** -> **Data management** -> **Lifecycle management**.\n2. Click **Add a rule** and configure:\n - **Rule name:** for example, `github-audit-cleanup`\n - **Rule scope:** Select **Limit blobs with filters** and set the **Prefix match** to your container name (for example, `my-container/`). This ensures the rule applies only to blobs in that container.\n - **Blob type:** Block blobs.\n - **Base blobs:** Delete blobs that were last modified more than **7 days** ago (adjust as needed).\n3. Save the rule.\n\n> **Note:** Each storage account has a single management policy that can contain multiple rules. Each rule can target a specific container via prefix filters. If you already have a lifecycle policy, add a new rule to the existing policy rather than creating a new one.",
- "instructions": []
+ "description": "To prevent unbounded storage growth, configure a [lifecycle management policy](https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview) on your storage account to automatically delete blobs after a retention period (for example, 7 days). Once the connector ingests the audit logs into Microsoft Sentinel, the source blobs are no longer needed.\n\nTo create a lifecycle rule scoped to your container:\n1. Navigate to your **Storage Account** -> **Data management** -> **Lifecycle management**.\n2. 
Click **Add a rule** and configure:\n - **Rule name:** for example, `github-audit-cleanup`\n - **Rule scope:** Select **Limit blobs with filters** and set the **Prefix match** to your container name (for example, `my-container/`). This ensures the rule applies only to blobs in that container.\n - **Blob type:** Block blobs.\n - **Base blobs:** Delete blobs that were last modified more than **7 days** ago (adjust as needed).\n3. Save the rule.\n\n> **Note:** Each storage account has a single management policy that can contain multiple rules. Each rule can target a specific container via prefix filters. If you already have a lifecycle policy, add a new rule to the existing policy rather than creating a new one."
 },
 {
 "title": "Reference",
- "description": "For detailed instructions on setting up the Azure Storage connector to stream logs to Microsoft Sentinel, see [Set up Azure Storage connector](https://learn.microsoft.com/en-us/azure/sentinel/setup-azure-storage-connector).",
- "instructions": []
+ "description": "For detailed instructions on setting up the Azure Storage connector to stream logs to Microsoft Sentinel, see [Set up Azure Storage connector](https://learn.microsoft.com/en-us/azure/sentinel/setup-azure-storage-connector)."
 },
 {
 "title": "Troubleshooting",
- "description": "If you encounter issues with data ingestion:\n- **Enable the health feature** - If the connector health feature isn't enabled, enable it to monitor connector status and detect issues early.\n- **Enable diagnostic logs** - Consider enabling diagnostic logs for both the **Storage Account** and **Event Grid** resources to help identify and troubleshoot health issues.\n- For more details, see [Troubleshoot Azure Storage Blob connector issues](https://review.learn.microsoft.com/en-us/azure/sentinel/azure-storage-blob-connector-troubleshoot?branch=main).",
- "instructions": []
+ "description": "If you encounter issues with data ingestion:\n- **Enable the health feature** - If the connector health feature isn't enabled, enable it to monitor connector status and detect issues early.\n- **Enable diagnostic logs** - Consider enabling diagnostic logs for both the **Storage Account** and **Event Grid** resources to help identify and troubleshoot health issues.\n- For more details, see [Troubleshoot Azure Storage Blob connector issues](https://review.learn.microsoft.com/en-us/azure/sentinel/azure-storage-blob-connector-troubleshoot?branch=main)."
 }
 ]
 }
@@ -6044,18 +7288,18 @@
 "[[format('Microsoft.EventGrid/systemTopics/{0}', variables('EGSystemTopicName'))]"
 ],
 "properties": {
+ "filter": {
+ "includedEventTypes": [
+ "Microsoft.Storage.BlobCreated"
+ ],
+ "subjectBeginsWith": "[[format('{0}/{1}', '/blobServices/default/containers', variables('blobContainerName'))]"
+ },
 "destination": {
 "endpointType": "StorageQueue",
 "properties": {
 "queueName": "[[variables('queueName')]",
 "resourceId": "[[variables('storageAccountId')]"
 }
- },
- "filter": {
- "includedEventTypes": [
- "Microsoft.Storage.BlobCreated"
- ],
- "subjectBeginsWith": "[[format('{0}/{1}', '/blobServices/default/containers', variables('blobContainerName'))]"
 }
 }
 },
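Review bot: The Troubleshooting description kept on the new side still links to `https://review.learn.microsoft.com/en-us/azure/sentinel/azure-storage-blob-connector-troubleshoot?branch=main`, which is the internal docs review host and is not reachable by customers, so the only troubleshooting pointer in the portal UI is a dead link. This matters more now that the availability hunk further down flips `isPreview` to `false`. Replace it with the published learn.microsoft.com URL once the article is live, or drop the link until then; if the same description text is duplicated in ConnectorDefinition.json, fix it there as well.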
@@ -6120,7 +7364,7 @@
 "isGzipCompressed": true
 },
 "connectorDefinitionName": "GitHubAuditBlobConnector",
- "dataType": "GitHubAuditLogsV2_CL",
+ "dataType": "GitHubAuditLogsV3_CL",
 "dcrConfig": {
 "streamName": "Custom-GitHubAuditLogs",
 "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
@@ -8558,7 +9802,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GitHub data connector with template version 3.3.1",
+ "description": "GitHub data connector with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion3')]",
@@ -8903,7 +10147,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GitHub data connector with template version 3.3.1",
+ "description": "GitHub data connector with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion4')]",
@@ -9342,7 +10586,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GitHub data connector with template version 3.3.1",
+ "description": "GitHub data connector with template version 3.4.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion5')]",
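Review bot: `dataType` now names `GitHubAuditLogsV3_CL` while the adjacent `dcrConfig.streamName` stays `Custom-GitHubAuditLogs`, and nothing in this hunk shows the DCR data flow or the V3 table declaration, so please confirm that the DCR in this template now outputs to the V3 table and that the table schema (including the `CreatedAt` column the parser's new V3 view converts) is part of this change. If the data flow still lands rows in the V2 table, the `baseQuery`, `lastDataReceivedQuery` and sample query renamed in the `@@ -5674,19 +6921,19 @@` hunk will show the connector as receiving no data even though ingestion works, which is the kind of silent gap that hides a stalled audit-log feed. The same check applies to the matching rename hunks in ConnectorDefinition.json.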
@@ -9651,7 +10895,7 @@
 ],
 "availability": {
 "status": 1,
- "isPreview": true
+ "isPreview": false
 },
 "permissions": {
 "resourceProvider": [
@@ -9783,7 +11027,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.3.1",
+ "version": "3.4.0",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "GitHub",
diff --git a/Solutions/GitHub/Parsers/GitHubAuditData.yaml b/Solutions/GitHub/Parsers/GitHubAuditData.yaml
index bce237a8d32..fd4cca56312 100644
--- a/Solutions/GitHub/Parsers/GitHubAuditData.yaml
+++ b/Solutions/GitHub/Parsers/GitHubAuditData.yaml
@@ -1,8 +1,8 @@
 id: 32d7c900-875f-43d6-9e48-987fd5df3762
 Function:
 Title: Parser for GitHubAuditData
- Version: '1.0.0'
- LastUpdated: '2023-08-23'
+ Version: '1.1.0'
+ LastUpdated: '2026-06-26'
 Category: Microsoft Sentinel Parser
 FunctionName: GitHubAuditData
 FunctionAlias: GitHubAuditData
@@ -43,7 +43,25 @@ FunctionQuery: |
 TeamName=column_ifexists('Team', ''),
 BlockedUser=column_ifexists('BlockedUser', '')
 };
- union isfuzzy=true (GitHubAuditLogPolling_view), (GitHubAuditLogsV2_view)
+ let GitHubAuditLogsV3_view = view () {
+ GitHubAuditLogsV3_CL
+ | extend
+ TimeGenerated=unixtime_milliseconds_todatetime(CreatedAt),
+ Organization=column_ifexists('Org', ''),
+ Action=column_ifexists('Action', ''),
+ Repository=column_ifexists('Repo', ''),
+ Actor=column_ifexists('Actor', ''),
+ Country=column_ifexists('CountryCode', ''),
+ ImpactedUser=column_ifexists('User', ''),
+ InvitedUserPermission=column_ifexists('Permission', ''),
+ Visibility=column_ifexists('Visibility', ''),
+ PreviousVisibility=column_ifexists('PreviousVisibility', ''),
+ CurrentPermission=column_ifexists('Permission', ''),
+ PreviousPermission=column_ifexists('OldPermission', ''),
+ TeamName=column_ifexists('Team', ''),
+ BlockedUser=column_ifexists('BlockedUser', '')
+ };
+ union isfuzzy=true (GitHubAuditLogPolling_view), (GitHubAuditLogsV2_view), (GitHubAuditLogsV3_view)
 | project
 TimeGenerated,
 Organization,
diff --git a/Solutions/GitHub/ReleaseNotes.md b/Solutions/GitHub/ReleaseNotes.md
index 285daaedcb3..914d6be508e 100644
--- a/Solutions/GitHub/ReleaseNotes.md
+++ b/Solutions/GitHub/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------------|
+| 3.4.0 | 25-06-2026 | Added all api.request fields and created V3 table for AzStorage connector |
 | 3.3.1 | 17-06-2026 | Added SAS related instruction. |
 | 3.3.0 | 04-06-2026 | Introducing a new Azure Storage CCF GitHub Audit Log Connector for Public Preview. |
 | 3.2.1 | 04-05-2026 | Migrated Parsers and Workbooks to `githubscanaudit` CLv1 & CLv2 union alias. |
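Review bot: In the new `GitHubAuditLogsV3_view`, `CreatedAt` is the only column referenced directly instead of through `column_ifexists`, so if the V3 table exists but that column is missing or renamed the bare reference is a semantic error that fails the whole union — `isfuzzy=true` only tolerates a missing table, not a missing column — and every consumer of `GitHubAuditData` (detections, workbooks) goes dark at once. If the V3 table schema guarantees `CreatedAt` this is fine; otherwise `TimeGenerated=coalesce(unixtime_milliseconds_todatetime(column_ifexists('CreatedAt', long(null))), TimeGenerated),` keeps the row with its ingestion time as a fallback. The view body appears to be a copy of the V2 view, whose start lies outside this hunk, so any later mapping fix has to be applied to both. Separately, the header hunk sets `LastUpdated: '2026-06-26'` while ReleaseNotes.md dates 3.4.0 as 25-06-2026; one of the two should be corrected.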
diff --git a/Solutions/GitHub/data/Solution_GitHub.json b/Solutions/GitHub/data/Solution_GitHub.json
index 0b265ff67a3..e3e12b88b7a 100644
--- a/Solutions/GitHub/data/Solution_GitHub.json
+++ b/Solutions/GitHub/data/Solution_GitHub.json
@@ -49,7 +49,7 @@
 ],
 "Metadata": "SolutionMetadata.json",
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\GitHub",
- "Version": "3.3.1",
+ "Version": "3.4.0",
 "TemplateSpec": true,
 "Is1PConnector": false
 }