[integrations][GitHub] - Addressed some missing documentation issues …

…and fixed timestamp value in sample logs (#11932)
elastic · Nov 30, 2024 · e6b0654 · e6b0654
1 parent ff5f45f
commit e6b0654
Show file tree

Hide file tree

Showing 7 changed files with 105 additions and 72 deletions.
diff --git a/packages/github/_dev/build/docs/README.md b/packages/github/_dev/build/docs/README.md
@@ -9,10 +9,24 @@ The GitHub integration collects events from the [GitHub API](https://docs.github
 The GitHub audit log records all events related to the GitHub organization/enterprise. See [Organization audit log actions](https://docs.github.com/en/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization#audit-log-actions) and [Enterprise audit log actions](https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/about-the-audit-log-for-your-enterprise) for more details.
 
 To use this integration, the following prerequisites must be met:
- - You must be an organization owner.
- - You must be using GitHub Enterprise Cloud.
- - You must use a Personal Access Token with `read:audit_log` scope.
 
+For GitHub Enterprise Cloud:
+  - You must be an enterprise owner.
+  - Your enterprise account must be on a GitHub Enterprise Cloud plan that includes audit log access.
+
+For GitHub Enterprise Server:
+  - You need to be a site administrator to access the audit log for the entire instance.
+  - The audit log is part of the server deployment. Ensure audit logging is enabled in the server configuration.
+
+For Organizations:
+  - You must be an organization owner.
+  - You must be using GitHub Enterprise Cloud.
+  - The organization must be part of an enterprise plan that includes audit log functionality.
+
+Required scopes:
+ - You must use a Personal Access Token with `read:audit_log` scope. This applies to both organization and enterprise admins.
+ - If you're an enterprise admin, ensure your token also includes `admin:enterprise` to access enterprise-wide logs.
+
 *This integration is not compatible with GitHub Enterprise server.*
 
 {{fields "audit"}}

diff --git a/packages/github/changelog.yml b/packages/github/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.1.1"
+  changes:
+    - description: Addressed some missing documentation issues and fixed timestamp values in sample enterprise audit logs.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/11932
 - version: "2.1.0"
   changes:
     - description: Added support for enterprise audit logs in the audit data stream.

diff --git a/packages/github/data_stream/audit/_dev/test/pipeline/test-enterprise-audit-json.log b/packages/github/data_stream/audit/_dev/test/pipeline/test-enterprise-audit-json.log
@@ -1,21 +1,21 @@
-{"@timestamp": 1698579600, "action": "user.login", "active": true, "actor": "john_doe", "actor_id": 12345, "actor_location": {"country_name": "USA", "ip": "192.168.1.1"}, "org_id": 67890, "org": "tech-corp", "user_id": 12345, "business_id": 56789, "business": "tech-enterprise", "message": "User logged in successfully.", "name": "John Doe", "device": "laptop", "login_method": "password"}
-{"@timestamp": 1698579660, "action": "user.logout", "active": false, "actor": "jane_doe", "actor_id": 23456, "actor_location": {"country_name": "UK", "ip": "192.168.2.1"}, "org_id": 67890, "org": "tech-corp", "user_id": 23456, "business_id": 56789, "business": "tech-enterprise", "message": "User logged out.", "name": "Jane Doe", "device": "mobile", "logout_reason": "user_initiated"}
-{"@timestamp": 1698579720, "action": "repo.create", "active": true, "actor": "alice_dev", "actor_id": 34567, "actor_location": {"country_name": "Canada", "ip": "10.0.0.1"}, "org_id": 98765, "org": "dev-group", "repository": "project-alpha", "repository_public": true, "business": "repo-services", "team": "frontend", "message": "Repository created."}
-{"@timestamp": 1698579780, "action": "repo.delete", "active": false, "actor": "bob_admin", "actor_id": 45678, "actor_location": {"country_name": "Germany", "ip": "10.0.0.2"}, "org_id": 56789, "org": "admin-hub", "repository": "legacy-project", "repository_public": false, "business": "admin-inc", "message": "Repository deleted due to inactivity."}
-{"@timestamp": 1698579840, "action": "repo.fork", "active": true, "actor": "charlie_dev", "actor_id": 56789, "actor_location": {"country_name": "Australia", "ip": "192.168.3.1"}, "org_id": 12345, "org": "fork-team", "repository": "open-source-tool", "forked_repository": "charlie-tool", "repository_public": true, "business": "opensource-labs", "message": "Repository forked successfully."}
-{"@timestamp": 1698579900, "action": "team.create", "active": true, "actor": "team_manager", "actor_id": 67890, "actor_location": {"country_name": "India", "ip": "172.16.0.1"}, "org_id": 23456, "org": "team-org", "team": "backend-devs", "business": "teamworks", "message": "Team created successfully."}
-{"@timestamp": 1698579960, "action": "team.delete", "active": false, "actor": "org_admin", "actor_id": 78901, "actor_location": {"country_name": "Spain", "ip": "172.16.0.2"}, "org_id": 23456, "org": "team-org", "team": "qa-team", "business": "teamworks", "message": "Team deleted due to reorganization."}
-{"@timestamp": 1698580020, "action": "user.create", "active": true, "actor": "hr_admin", "actor_id": 89012, "actor_location": {"country_name": "France", "ip": "10.0.1.1"}, "org_id": 34567, "org": "hr-dept", "user_id": 90123, "business": "hr-solutions", "name": "Daniel Ross", "message": "New user created in the organization."}
-{"@timestamp": 1698580080, "action": "user.delete", "active": false, "actor": "security_admin", "actor_id": 90123, "actor_location": {"country_name": "Netherlands", "ip": "10.0.1.2"}, "org_id": 45678, "org": "security-dept", "user_id": 89012, "business": "security-solutions", "name": "Alice Gray", "message": "User account deleted due to policy violation."}
-{"@timestamp": 1698580140, "action": "user.block", "active": false, "actor": "moderator", "actor_id": 12345, "actor_location": {"country_name": "Japan", "ip": "10.0.1.3"}, "org_id": 67890, "org": "mod-team", "user_id": 56789, "business": "moderation-services", "name": "John Smith", "reason": "spam_activity", "message": "User blocked for spamming."}
-{"@timestamp": 1698580200, "action": "repo.star", "active": true, "actor": "john_doe", "actor_id": 12345, "actor_location": {"country_name": "USA", "ip": "192.168.1.1"}, "org_id": 98765, "org": "starred-group", "repository": "useful-toolkit", "business": "repo-services", "message": "Repository starred by user."}
-{"@timestamp": 1698580260, "action": "repo.unstar", "active": false, "actor": "jane_doe", "actor_id": 23456, "actor_location": {"country_name": "UK", "ip": "192.168.2.1"}, "org_id": 98765, "org": "starred-group", "repository": "old-toolkit", "business": "repo-services", "message": "Repository unstarred by user."}
-{"@timestamp": 1698580320, "action": "org.create", "active": true, "actor": "super_admin", "actor_id": 34567, "actor_location": {"country_name": "Canada", "ip": "10.0.2.1"}, "org_id": 90123, "org": "new-corp", "business": "org-management", "message": "New organization created successfully."}
-{"@timestamp": 1698580380, "action": "org.delete", "active": false, "actor": "admin_lead", "actor_id": 45678, "actor_location": {"country_name": "Germany", "ip": "10.0.2.2"}, "org_id": 78901, "org": "old-corp", "business": "org-management", "message": "Organization deleted."}
-{"@timestamp": 1698580440, "action": "repo.commit", "active": true, "actor": "developer1", "actor_id": 56789, "actor_location": {"country_name": "Australia", "ip": "10.0.3.1"}, "org_id": 90123, "org": "dev-org", "repository": "project-z", "commit_id": "abc123", "business": "dev-services", "message": "Code changes committed to repository."}
-{"@timestamp": 1698580500, "action": "repo.merge", "active": true, "actor": "developer2", "actor_id": 67890, "actor_location": {"country_name": "India", "ip": "10.0.3.2"}, "org_id": 90123, "org": "merge-team", "repository": "project-y", "source_branch": "feature-x", "target_branch": "main", "business": "merge-solutions", "message": "Feature branch merged into main."}
-{"@timestamp": 1698580560, "action": "team.update", "active": true, "actor": "team_manager", "actor_id": 78901, "actor_location": {"country_name": "Spain", "ip": "10.0.4.1"}, "org_id": 67890, "org": "teamworks", "team": "data-science", "business": "teamworks", "changes": {"roles": "updated"}, "message": "Team roles updated."}
-{"@timestamp": 1698580620, "action": "org.update", "active": true, "actor": "org_admin", "actor_id": 89012, "actor_location": {"country_name": "France", "ip": "10.0.4.2"}, "org_id": 34567, "org": "big-corp", "business": "org-solutions", "changes": {"billing_plan": "enterprise"}, "message": "Organization billing plan updated."}
-{"@timestamp": 1698580680, "action": "repo.release", "active": true, "actor": "release_manager", "actor_id": 90123, "actor_location": {"country_name": "Netherlands", "ip": "10.0.5.1"}, "org_id": 56789, "org": "release-team", "repository": "product-v1", "version": "1.0.0", "business": "release-solutions", "message": "New version of repository released."}
-{"@timestamp": 1698580740, "action": "user.promote", "active": true, "actor": "super_admin", "actor_id": 12345, "actor_location": {"country_name": "Japan", "ip": "10.0.5.2"}, "org_id": 78901, "org": "mod-team", "user_id": 56789, "business": "user-management", "new_role": "moderator", "message": "User promoted to moderator."}
-{"@timestamp": 1698580800, "action": "user.demote", "active": false, "actor": "admin_lead", "actor_id": 23456, "actor_location": {"country_name": "USA", "ip": "10.0.6.1"}, "org_id": 90123, "org": "mod-team", "user_id": 67890, "business": "user-management", "old_role": "moderator", "message": "User demoted to basic user."}
+{"@timestamp": 1698579600000, "action": "user.login", "active": true, "actor": "john_doe", "actor_id": 12345, "actor_location": {"country_name": "USA", "ip": "192.168.1.1"}, "org_id": 67890, "org": "tech-corp", "user_id": 12345, "business_id": 56789, "business": "tech-enterprise", "message": "User logged in successfully.", "name": "John Doe", "device": "laptop", "login_method": "password"}
+{"@timestamp": 1698579660000, "action": "user.logout", "active": false, "actor": "jane_doe", "actor_id": 23456, "actor_location": {"country_name": "UK", "ip": "192.168.2.1"}, "org_id": 67890, "org": "tech-corp", "user_id": 23456, "business_id": 56789, "business": "tech-enterprise", "message": "User logged out.", "name": "Jane Doe", "device": "mobile", "logout_reason": "user_initiated"}
+{"@timestamp": 1698579720000, "action": "repo.create", "active": true, "actor": "alice_dev", "actor_id": 34567, "actor_location": {"country_name": "Canada", "ip": "10.0.0.1"}, "org_id": 98765, "org": "dev-group", "repository": "project-alpha", "repository_public": true, "business": "repo-services", "team": "frontend", "message": "Repository created."}
+{"@timestamp": 1698579780000, "action": "repo.delete", "active": false, "actor": "bob_admin", "actor_id": 45678, "actor_location": {"country_name": "Germany", "ip": "10.0.0.2"}, "org_id": 56789, "org": "admin-hub", "repository": "legacy-project", "repository_public": false, "business": "admin-inc", "message": "Repository deleted due to inactivity."}
+{"@timestamp": 1698579840000, "action": "repo.fork", "active": true, "actor": "charlie_dev", "actor_id": 56789, "actor_location": {"country_name": "Australia", "ip": "192.168.3.1"}, "org_id": 12345, "org": "fork-team", "repository": "open-source-tool", "forked_repository": "charlie-tool", "repository_public": true, "business": "opensource-labs", "message": "Repository forked successfully."}
+{"@timestamp": 1698579900000, "action": "team.create", "active": true, "actor": "team_manager", "actor_id": 67890, "actor_location": {"country_name": "India", "ip": "172.16.0.1"}, "org_id": 23456, "org": "team-org", "team": "backend-devs", "business": "teamworks", "message": "Team created successfully."}
+{"@timestamp": 1698579960000, "action": "team.delete", "active": false, "actor": "org_admin", "actor_id": 78901, "actor_location": {"country_name": "Spain", "ip": "172.16.0.2"}, "org_id": 23456, "org": "team-org", "team": "qa-team", "business": "teamworks", "message": "Team deleted due to reorganization."}
+{"@timestamp": 1698580020000, "action": "user.create", "active": true, "actor": "hr_admin", "actor_id": 89012, "actor_location": {"country_name": "France", "ip": "10.0.1.1"}, "org_id": 34567, "org": "hr-dept", "user_id": 90123, "business": "hr-solutions", "name": "Daniel Ross", "message": "New user created in the organization."}
+{"@timestamp": 1698580080000, "action": "user.delete", "active": false, "actor": "security_admin", "actor_id": 90123, "actor_location": {"country_name": "Netherlands", "ip": "10.0.1.2"}, "org_id": 45678, "org": "security-dept", "user_id": 89012, "business": "security-solutions", "name": "Alice Gray", "message": "User account deleted due to policy violation."}
+{"@timestamp": 1698580140000, "action": "user.block", "active": false, "actor": "moderator", "actor_id": 12345, "actor_location": {"country_name": "Japan", "ip": "10.0.1.3"}, "org_id": 67890, "org": "mod-team", "user_id": 56789, "business": "moderation-services", "name": "John Smith", "reason": "spam_activity", "message": "User blocked for spamming."}
+{"@timestamp": 1698580200000, "action": "repo.star", "active": true, "actor": "john_doe", "actor_id": 12345, "actor_location": {"country_name": "USA", "ip": "192.168.1.1"}, "org_id": 98765, "org": "starred-group", "repository": "useful-toolkit", "business": "repo-services", "message": "Repository starred by user."}
+{"@timestamp": 1698580260000, "action": "repo.unstar", "active": false, "actor": "jane_doe", "actor_id": 23456, "actor_location": {"country_name": "UK", "ip": "192.168.2.1"}, "org_id": 98765, "org": "starred-group", "repository": "old-toolkit", "business": "repo-services", "message": "Repository unstarred by user."}
+{"@timestamp": 1698580320000, "action": "org.create", "active": true, "actor": "super_admin", "actor_id": 34567, "actor_location": {"country_name": "Canada", "ip": "10.0.2.1"}, "org_id": 90123, "org": "new-corp", "business": "org-management", "message": "New organization created successfully."}
+{"@timestamp": 1698580380000, "action": "org.delete", "active": false, "actor": "admin_lead", "actor_id": 45678, "actor_location": {"country_name": "Germany", "ip": "10.0.2.2"}, "org_id": 78901, "org": "old-corp", "business": "org-management", "message": "Organization deleted."}
+{"@timestamp": 1698580440000, "action": "repo.commit", "active": true, "actor": "developer1", "actor_id": 56789, "actor_location": {"country_name": "Australia", "ip": "10.0.3.1"}, "org_id": 90123, "org": "dev-org", "repository": "project-z", "commit_id": "abc123", "business": "dev-services", "message": "Code changes committed to repository."}
+{"@timestamp": 1698580500000, "action": "repo.merge", "active": true, "actor": "developer2", "actor_id": 67890, "actor_location": {"country_name": "India", "ip": "10.0.3.2"}, "org_id": 90123, "org": "merge-team", "repository": "project-y", "source_branch": "feature-x", "target_branch": "main", "business": "merge-solutions", "message": "Feature branch merged into main."}
+{"@timestamp": 1698580560000, "action": "team.update", "active": true, "actor": "team_manager", "actor_id": 78901, "actor_location": {"country_name": "Spain", "ip": "10.0.4.1"}, "org_id": 67890, "org": "teamworks", "team": "data-science", "business": "teamworks", "changes": {"roles": "updated"}, "message": "Team roles updated."}
+{"@timestamp": 1698580620000, "action": "org.update", "active": true, "actor": "org_admin", "actor_id": 89012, "actor_location": {"country_name": "France", "ip": "10.0.4.2"}, "org_id": 34567, "org": "big-corp", "business": "org-solutions", "changes": {"billing_plan": "enterprise"}, "message": "Organization billing plan updated."}
+{"@timestamp": 1698580680000, "action": "repo.release", "active": true, "actor": "release_manager", "actor_id": 90123, "actor_location": {"country_name": "Netherlands", "ip": "10.0.5.1"}, "org_id": 56789, "org": "release-team", "repository": "product-v1", "version": "1.0.0", "business": "release-solutions", "message": "New version of repository released."}
+{"@timestamp": 1698580740000, "action": "user.promote", "active": true, "actor": "super_admin", "actor_id": 12345, "actor_location": {"country_name": "Japan", "ip": "10.0.5.2"}, "org_id": 78901, "org": "mod-team", "user_id": 56789, "business": "user-management", "new_role": "moderator", "message": "User promoted to moderator."}
+{"@timestamp": 1698580800000, "action": "user.demote", "active": false, "actor": "admin_lead", "actor_id": 23456, "actor_location": {"country_name": "USA", "ip": "10.0.6.1"}, "org_id": 90123, "org": "mod-team", "user_id": 67890, "business": "user-management", "old_role": "moderator", "message": "User demoted to basic user."}