@@ -14,19 +14,19 @@
{
"metricName": "Total events received",
"legend": "GitHubAuditLogEvents",
"baseQuery": "GitHubAuditLogsV2_CL"
"baseQuery": "GitHubAuditLogsV3_CL"
}
],
"sampleQueries": [
{
"description": "GitHub Audit Logs",
"query": "GitHubAuditLogsV2_CL | take 10"
"query": "GitHubAuditLogsV3_CL | take 10"
}
],
"dataTypes": [
{
"name": "GitHubAuditLogsV2_CL",
"lastDataReceivedQuery": "GitHubAuditLogsV2_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
"name": "GitHubAuditLogsV3_CL",
"lastDataReceivedQuery": "GitHubAuditLogsV3_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
}
],
"connectivityCriteria": [
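Review bot: renaming the table from `GitHubAuditLogsV2_CL` to `GitHubAuditLogsV3_CL` in `baseQuery`, `sampleQueries` and `dataTypes` is consistent within this hunk, but it silently orphans anything already ingested into the V2 table: the `lastDataReceivedQuery` on the new line will report "no data" for an existing deployment until V3 ingestion actually starts, and any workbook, analytic rule or parser that still references `GitHubAuditLogsV2_CL` will stop matching. Please confirm in the PR description that every remaining `GitHubAuditLogsV2_CL` reference in the solution (including the DCR output destination, which is not part of this diff) is updated in the same change, and note the migration for existing users.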
@@ -123,7 +123,7 @@
"type": "Textbox",
"parameters": {
"label": "The blob container's storage account resource group name",
"placeholder": "my-resource-group",
"placeholder": "",
"type": "text",
"name": "StorageAccountResourceGroupName"
}
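Review bot: blanking the `placeholder` for `StorageAccountResourceGroupName` removes the only hint of the expected value format; `"placeholder": "my-resource-group"` was harmless as UI-only text and is not a default, so there is no functional reason to drop it. If the intent is a consistent empty placeholder across all textboxes in this definition, say so in the PR; otherwise keep the example value so the label "The blob container's storage account resource group name" is paired with a concrete illustration.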
@@ -159,18 +159,15 @@
},
{
"title": "Blob Lifecycle Policy (Recommended)",
"description": "To prevent unbounded storage growth, configure a [lifecycle management policy](https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview) on your storage account to automatically delete blobs after a retention period (for example, 7 days). Once the connector ingests the audit logs into Microsoft Sentinel, the source blobs are no longer needed.\n\nTo create a lifecycle rule scoped to your container:\n1. Navigate to your **Storage Account** -> **Data management** -> **Lifecycle management**.\n2. Click **Add a rule** and configure:\n - **Rule name:** for example, `github-audit-cleanup`\n - **Rule scope:** Select **Limit blobs with filters** and set the **Prefix match** to your container name (for example, `my-container/`). This ensures the rule applies only to blobs in that container.\n - **Blob type:** Block blobs.\n - **Base blobs:** Delete blobs that were last modified more than **7 days** ago (adjust as needed).\n3. Save the rule.\n\n> **Note:** Each storage account has a single management policy that can contain multiple rules. Each rule can target a specific container via prefix filters. If you already have a lifecycle policy, add a new rule to the existing policy rather than creating a new one.",
"instructions": []
"description": "To prevent unbounded storage growth, configure a [lifecycle management policy](https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview) on your storage account to automatically delete blobs after a retention period (for example, 7 days). Once the connector ingests the audit logs into Microsoft Sentinel, the source blobs are no longer needed.\n\nTo create a lifecycle rule scoped to your container:\n1. Navigate to your **Storage Account** -> **Data management** -> **Lifecycle management**.\n2. Click **Add a rule** and configure:\n - **Rule name:** for example, `github-audit-cleanup`\n - **Rule scope:** Select **Limit blobs with filters** and set the **Prefix match** to your container name (for example, `my-container/`). This ensures the rule applies only to blobs in that container.\n - **Blob type:** Block blobs.\n - **Base blobs:** Delete blobs that were last modified more than **7 days** ago (adjust as needed).\n3. Save the rule.\n\n> **Note:** Each storage account has a single management policy that can contain multiple rules. Each rule can target a specific container via prefix filters. If you already have a lifecycle policy, add a new rule to the existing policy rather than creating a new one."
},
{
"title": "Reference",
"description": "For detailed instructions on setting up the Azure Storage connector to stream logs to Microsoft Sentinel, see [Set up Azure Storage connector](https://learn.microsoft.com/en-us/azure/sentinel/setup-azure-storage-connector).",
"instructions": []
"description": "For detailed instructions on setting up the Azure Storage connector to stream logs to Microsoft Sentinel, see [Set up Azure Storage connector](https://learn.microsoft.com/en-us/azure/sentinel/setup-azure-storage-connector)."
},
{
"title": "Troubleshooting",
"description": "If you encounter issues with data ingestion:\n- **Enable the health feature** - If the connector health feature isn't enabled, enable it to monitor connector status and detect issues early.\n- **Enable diagnostic logs** - Consider enabling diagnostic logs for both the **Storage Account** and **Event Grid** resources to help identify and troubleshoot health issues.\n- For more details, see [Troubleshoot Azure Storage Blob connector issues](https://review.learn.microsoft.com/en-us/azure/sentinel/azure-storage-blob-connector-troubleshoot?branch=main).",
"instructions": []
"description": "If you encounter issues with data ingestion:\n- **Enable the health feature** - If the connector health feature isn't enabled, enable it to monitor connector status and detect issues early.\n- **Enable diagnostic logs** - Consider enabling diagnostic logs for both the **Storage Account** and **Event Grid** resources to help identify and troubleshoot health issues.\n- For more details, see [Troubleshoot Azure Storage Blob connector issues](https://review.learn.microsoft.com/en-us/azure/sentinel/azure-storage-blob-connector-troubleshoot?branch=main)."
}
]
}
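Review bot: dropping `"instructions": []` from the three informational steps (Blob Lifecycle Policy, Reference, Troubleshooting) changes the key from present-but-empty to absent, so please verify that the connector definition schema and the UI template treat `instructions` as optional rather than iterating over it unconditionally; an empty array was a safe no-op, a missing key may not be. Separately, the Troubleshooting description (unchanged in content but re-emitted in this hunk) links to `https://review.learn.microsoft.com/en-us/azure/sentinel/azure-storage-blob-connector-troubleshoot?branch=main`, which is the internal review host with a branch parameter rather than the public `learn.microsoft.com` URL used by the other two links; customers following the connector UI are likely to hit an access error, so swap it for the published URL before merge.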
@@ -29,7 +29,7 @@
"isGzipCompressed": true
},
"connectorDefinitionName": "GitHubAuditBlobConnector",
"dataType": "GitHubAuditLogsV2_CL",
"dataType": "GitHubAuditLogsV3_CL",
"dcrConfig": {
"streamName": "Custom-GitHubAuditLogs",
"dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
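Review bot: `dataType` moves to `GitHubAuditLogsV3_CL` here, but `dcrConfig.streamName` stays `Custom-GitHubAuditLogs`, and it is the DCR's mapping of that stream to an output table, not this `dataType` field, that decides where ingested records land. If the DCR resource (not visible in this hunk) still routes `Custom-GitHubAuditLogs` to `GitHubAuditLogsV2_CL`, data will keep flowing into V2 while the connector definition's health and sample queries look at V3 and report nothing. Please confirm the DCR output destination and the custom table definition are updated alongside this line.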
@@ -1172,4 +1172,4 @@
]
}
}
}
}
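Review bot: the only visible difference in this hunk is the final `}` being removed and re-added as an identical `}`, which points to a whitespace-only change such as a trailing newline at end of file. Confirm it is intentional (for example, normalising the file to end with a newline) rather than an editor artifact, since it shows up as a modification to a large file for no content change.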