diff --git a/packages/github/_dev/build/docs/README.md b/packages/github/_dev/build/docs/README.md
index 1ff5f0889c0..637966189ec 100644
--- a/packages/github/_dev/build/docs/README.md
+++ b/packages/github/_dev/build/docs/README.md
@@ -9,10 +9,24 @@ The GitHub integration collects events from the [GitHub API](https://docs.github
 The GitHub audit log records all events related to the GitHub organization/enterprise. See [Organization audit log actions](https://docs.github.com/en/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization#audit-log-actions) and [Enterprise audit log actions](https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/about-the-audit-log-for-your-enterprise) for more details.
 To use this integration, the following prerequisites must be met:
- - You must be an organization owner.
- - You must be using GitHub Enterprise Cloud.
- - You must use a Personal Access Token with `read:audit_log` scope.
+For GitHub Enterprise Cloud:
+ - You must be an enterprise owner.
+ - Your enterprise account must be on a GitHub Enterprise Cloud plan that includes audit log access.
+
+For GitHub Enterprise Server:
+ - You need to be a site administrator to access the audit log for the entire instance.
+ - The audit log is part of the server deployment. Ensure audit logging is enabled in the server configuration.
+
+For Organizations:
+ - You must be an organization owner.
+ - You must be using GitHub Enterprise Cloud.
+ - The organization must be part of an enterprise plan that includes audit log functionality.
+
+Required scopes:
+ - You must use a Personal Access Token with `read:audit_log` scope. This applies to both organization and enterprise admins.
+ - If you're an enterprise admin, ensure your token also includes `admin:enterprise` to access enterprise-wide logs.
+
 *This integration is not compatible with GitHub Enterprise server.*
 {{fields "audit"}}
diff --git a/packages/github/changelog.yml b/packages/github/changelog.yml
index 1403349a47a..d44909ada89 100644
--- a/packages/github/changelog.yml
+++ b/packages/github/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.1.1"
+ changes:
+ - description: Addressed some missing documentation issues and fixed timestamp values in sample enterprise audit logs.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11932
 - version: "2.1.0"
 changes:
 - description: Added support for enterprise audit logs in the audit data stream.
diff --git a/packages/github/data_stream/audit/_dev/test/pipeline/test-enterprise-audit-json.log b/packages/github/data_stream/audit/_dev/test/pipeline/test-enterprise-audit-json.log
index 90e765cde12..debbc2aff6c 100644
--- a/packages/github/data_stream/audit/_dev/test/pipeline/test-enterprise-audit-json.log
+++ b/packages/github/data_stream/audit/_dev/test/pipeline/test-enterprise-audit-json.log
@@ -1,21 +1,21 @@
-{"@timestamp": 1698579600, "action": "user.login", "active": true, "actor": "john_doe", "actor_id": 12345, "actor_location": {"country_name": "USA", "ip": "192.168.1.1"}, "org_id": 67890, "org": "tech-corp", "user_id": 12345, "business_id": 56789, "business": "tech-enterprise", "message": "User logged in successfully.", "name": "John Doe", "device": "laptop", "login_method": "password"}
-{"@timestamp": 1698579660, "action": "user.logout", "active": false, "actor": "jane_doe", "actor_id": 23456, "actor_location": {"country_name": "UK", "ip": "192.168.2.1"}, "org_id": 67890, "org": "tech-corp", "user_id": 23456, "business_id": 56789, "business": "tech-enterprise", "message": "User logged out.", "name": "Jane Doe", "device": "mobile", "logout_reason": "user_initiated"}
-{"@timestamp": 1698579720, "action": "repo.create", "active": true, "actor": "alice_dev", "actor_id": 34567, "actor_location": {"country_name": "Canada", "ip": "10.0.0.1"}, "org_id": 98765, "org": "dev-group", "repository": "project-alpha", "repository_public": true, "business": "repo-services", "team": "frontend", "message": "Repository created."}
-{"@timestamp": 1698579780, "action": "repo.delete", "active": false, "actor": "bob_admin", "actor_id": 45678, "actor_location": {"country_name": "Germany", "ip": "10.0.0.2"}, "org_id": 56789, "org": "admin-hub", "repository": "legacy-project", "repository_public": false, "business": "admin-inc", "message": "Repository deleted due to inactivity."}
-{"@timestamp": 1698579840, "action": "repo.fork", "active": true, "actor": "charlie_dev", "actor_id": 56789, "actor_location": {"country_name": "Australia", "ip": "192.168.3.1"}, "org_id": 12345, "org": "fork-team", "repository": "open-source-tool", "forked_repository": "charlie-tool", "repository_public": true, "business": "opensource-labs", "message": "Repository forked successfully."}
-{"@timestamp": 1698579900, "action": "team.create", "active": true, "actor": "team_manager", "actor_id": 67890, "actor_location": {"country_name": "India", "ip": "172.16.0.1"}, "org_id": 23456, "org": "team-org", "team": "backend-devs", "business": "teamworks", "message": "Team created successfully."}
-{"@timestamp": 1698579960, "action": "team.delete", "active": false, "actor": "org_admin", "actor_id": 78901, "actor_location": {"country_name": "Spain", "ip": "172.16.0.2"}, "org_id": 23456, "org": "team-org", "team": "qa-team", "business": "teamworks", "message": "Team deleted due to reorganization."}
-{"@timestamp": 1698580020, "action": "user.create", "active": true, "actor": "hr_admin", "actor_id": 89012, "actor_location": {"country_name": "France", "ip": "10.0.1.1"}, "org_id": 34567, "org": "hr-dept", "user_id": 90123, "business": "hr-solutions", "name": "Daniel Ross", "message": "New user created in the organization."}
-{"@timestamp": 1698580080, "action": "user.delete", "active": false, "actor": "security_admin", "actor_id": 90123, "actor_location": {"country_name": "Netherlands", "ip": "10.0.1.2"}, "org_id": 45678, "org": "security-dept", "user_id": 89012, "business": "security-solutions", "name": "Alice Gray", "message": "User account deleted due to policy violation."}
-{"@timestamp": 1698580140, "action": "user.block", "active": false, "actor": "moderator", "actor_id": 12345, "actor_location": {"country_name": "Japan", "ip": "10.0.1.3"}, "org_id": 67890, "org": "mod-team", "user_id": 56789, "business": "moderation-services", "name": "John Smith", "reason": "spam_activity", "message": "User blocked for spamming."}
-{"@timestamp": 1698580200, "action": "repo.star", "active": true, "actor": "john_doe", "actor_id": 12345, "actor_location": {"country_name": "USA", "ip": "192.168.1.1"}, "org_id": 98765, "org": "starred-group", "repository": "useful-toolkit", "business": "repo-services", "message": "Repository starred by user."}
-{"@timestamp": 1698580260, "action": "repo.unstar", "active": false, "actor": "jane_doe", "actor_id": 23456, "actor_location": {"country_name": "UK", "ip": "192.168.2.1"}, "org_id": 98765, "org": "starred-group", "repository": "old-toolkit", "business": "repo-services", "message": "Repository unstarred by user."}
-{"@timestamp": 1698580320, "action": "org.create", "active": true, "actor": "super_admin", "actor_id": 34567, "actor_location": {"country_name": "Canada", "ip": "10.0.2.1"}, "org_id": 90123, "org": "new-corp", "business": "org-management", "message": "New organization created successfully."}
-{"@timestamp": 1698580380, "action": "org.delete", "active": false, "actor": "admin_lead", "actor_id": 45678, "actor_location": {"country_name": "Germany", "ip": "10.0.2.2"}, "org_id": 78901, "org": "old-corp", "business": "org-management", "message": "Organization deleted."}
-{"@timestamp": 1698580440, "action": "repo.commit", "active": true, "actor": "developer1", "actor_id": 56789, "actor_location": {"country_name": "Australia", "ip": "10.0.3.1"}, "org_id": 90123, "org": "dev-org", "repository": "project-z", "commit_id": "abc123", "business": "dev-services", "message": "Code changes committed to repository."}
-{"@timestamp": 1698580500, "action": "repo.merge", "active": true, "actor": "developer2", "actor_id": 67890, "actor_location": {"country_name": "India", "ip": "10.0.3.2"}, "org_id": 90123, "org": "merge-team", "repository": "project-y", "source_branch": "feature-x", "target_branch": "main", "business": "merge-solutions", "message": "Feature branch merged into main."}
-{"@timestamp": 1698580560, "action": "team.update", "active": true, "actor": "team_manager", "actor_id": 78901, "actor_location": {"country_name": "Spain", "ip": "10.0.4.1"}, "org_id": 67890, "org": "teamworks", "team": "data-science", "business": "teamworks", "changes": {"roles": "updated"}, "message": "Team roles updated."}
-{"@timestamp": 1698580620, "action": "org.update", "active": true, "actor": "org_admin", "actor_id": 89012, "actor_location": {"country_name": "France", "ip": "10.0.4.2"}, "org_id": 34567, "org": "big-corp", "business": "org-solutions", "changes": {"billing_plan": "enterprise"}, "message": "Organization billing plan updated."}
-{"@timestamp": 1698580680, "action": "repo.release", "active": true, "actor": "release_manager", "actor_id": 90123, "actor_location": {"country_name": "Netherlands", "ip": "10.0.5.1"}, "org_id": 56789, "org": "release-team", "repository": "product-v1", "version": "1.0.0", "business": "release-solutions", "message": "New version of repository released."}
-{"@timestamp": 1698580740, "action": "user.promote", "active": true, "actor": "super_admin", "actor_id": 12345, "actor_location": {"country_name": "Japan", "ip": "10.0.5.2"}, "org_id": 78901, "org": "mod-team", "user_id": 56789, "business": "user-management", "new_role": "moderator", "message": "User promoted to moderator."}
-{"@timestamp": 1698580800, "action": "user.demote", "active": false, "actor": "admin_lead", "actor_id": 23456, "actor_location": {"country_name": "USA", "ip": "10.0.6.1"}, "org_id": 90123, "org": "mod-team", "user_id": 67890, "business": "user-management", "old_role": "moderator", "message": "User demoted to basic user."}
+{"@timestamp": 1698579600000, "action": "user.login", "active": true, "actor": "john_doe", "actor_id": 12345, "actor_location": {"country_name": "USA", "ip": "192.168.1.1"}, "org_id": 67890, "org": "tech-corp", "user_id": 12345, "business_id": 56789, "business": "tech-enterprise", "message": "User logged in successfully.", "name": "John Doe", "device": "laptop", "login_method": "password"}
+{"@timestamp": 1698579660000, "action": "user.logout", "active": false, "actor": "jane_doe", "actor_id": 23456, "actor_location": {"country_name": "UK", "ip": "192.168.2.1"}, "org_id": 67890, "org": "tech-corp", "user_id": 23456, "business_id": 56789, "business": "tech-enterprise", "message": "User logged out.", "name": "Jane Doe", "device": "mobile", "logout_reason": "user_initiated"}
+{"@timestamp": 1698579720000, "action": "repo.create", "active": true, "actor": "alice_dev", "actor_id": 34567, "actor_location": {"country_name": "Canada", "ip": "10.0.0.1"}, "org_id": 98765, "org": "dev-group", "repository": "project-alpha", "repository_public": true, "business": "repo-services", "team": "frontend", "message": "Repository created."}
+{"@timestamp": 1698579780000, "action": "repo.delete", "active": false, "actor": "bob_admin", "actor_id": 45678, "actor_location": {"country_name": "Germany", "ip": "10.0.0.2"}, "org_id": 56789, "org": "admin-hub", "repository": "legacy-project", "repository_public": false, "business": "admin-inc", "message": "Repository deleted due to inactivity."}
+{"@timestamp": 1698579840000, "action": "repo.fork", "active": true, "actor": "charlie_dev", "actor_id": 56789, "actor_location": {"country_name": "Australia", "ip": "192.168.3.1"}, "org_id": 12345, "org": "fork-team", "repository": "open-source-tool", "forked_repository": "charlie-tool", "repository_public": true, "business": "opensource-labs", "message": "Repository forked successfully."}
+{"@timestamp": 1698579900000, "action": "team.create", "active": true, "actor": "team_manager", "actor_id": 67890, "actor_location": {"country_name": "India", "ip": "172.16.0.1"}, "org_id": 23456, "org": "team-org", "team": "backend-devs", "business": "teamworks", "message": "Team created successfully."}
+{"@timestamp": 1698579960000, "action": "team.delete", "active": false, "actor": "org_admin", "actor_id": 78901, "actor_location": {"country_name": "Spain", "ip": "172.16.0.2"}, "org_id": 23456, "org": "team-org", "team": "qa-team", "business": "teamworks", "message": "Team deleted due to reorganization."}
+{"@timestamp": 1698580020000, "action": "user.create", "active": true, "actor": "hr_admin", "actor_id": 89012, "actor_location": {"country_name": "France", "ip": "10.0.1.1"}, "org_id": 34567, "org": "hr-dept", "user_id": 90123, "business": "hr-solutions", "name": "Daniel Ross", "message": "New user created in the organization."}
+{"@timestamp": 1698580080000, "action": "user.delete", "active": false, "actor": "security_admin", "actor_id": 90123, "actor_location": {"country_name": "Netherlands", "ip": "10.0.1.2"}, "org_id": 45678, "org": "security-dept", "user_id": 89012, "business": "security-solutions", "name": "Alice Gray", "message": "User account deleted due to policy violation."}
+{"@timestamp": 1698580140000, "action": "user.block", "active": false, "actor": "moderator", "actor_id": 12345, "actor_location": {"country_name": "Japan", "ip": "10.0.1.3"}, "org_id": 67890, "org": "mod-team", "user_id": 56789, "business": "moderation-services", "name": "John Smith", "reason": "spam_activity", "message": "User blocked for spamming."}
+{"@timestamp": 1698580200000, "action": "repo.star", "active": true, "actor": "john_doe", "actor_id": 12345, "actor_location": {"country_name": "USA", "ip": "192.168.1.1"}, "org_id": 98765, "org": "starred-group", "repository": "useful-toolkit", "business": "repo-services", "message": "Repository starred by user."}
+{"@timestamp": 1698580260000, "action": "repo.unstar", "active": false, "actor": "jane_doe", "actor_id": 23456, "actor_location": {"country_name": "UK", "ip": "192.168.2.1"}, "org_id": 98765, "org": "starred-group", "repository": "old-toolkit", "business": "repo-services", "message": "Repository unstarred by user."}
+{"@timestamp": 1698580320000, "action": "org.create", "active": true, "actor": "super_admin", "actor_id": 34567, "actor_location": {"country_name": "Canada", "ip": "10.0.2.1"}, "org_id": 90123, "org": "new-corp", "business": "org-management", "message": "New organization created successfully."}
+{"@timestamp": 1698580380000, "action": "org.delete", "active": false, "actor": "admin_lead", "actor_id": 45678, "actor_location": {"country_name": "Germany", "ip": "10.0.2.2"}, "org_id": 78901, "org": "old-corp", "business": "org-management", "message": "Organization deleted."}
+{"@timestamp": 1698580440000, "action": "repo.commit", "active": true, "actor": "developer1", "actor_id": 56789, "actor_location": {"country_name": "Australia", "ip": "10.0.3.1"}, "org_id": 90123, "org": "dev-org", "repository": "project-z", "commit_id": "abc123", "business": "dev-services", "message": "Code changes committed to repository."}
+{"@timestamp": 1698580500000, "action": "repo.merge", "active": true, "actor": "developer2", "actor_id": 67890, "actor_location": {"country_name": "India", "ip": "10.0.3.2"}, "org_id": 90123, "org": "merge-team", "repository": "project-y", "source_branch": "feature-x", "target_branch": "main", "business": "merge-solutions", "message": "Feature branch merged into main."}
+{"@timestamp": 1698580560000, "action": "team.update", "active": true, "actor": "team_manager", "actor_id": 78901, "actor_location": {"country_name": "Spain", "ip": "10.0.4.1"}, "org_id": 67890, "org": "teamworks", "team": "data-science", "business": "teamworks", "changes": {"roles": "updated"}, "message": "Team roles updated."}
+{"@timestamp": 1698580620000, "action": "org.update", "active": true, "actor": "org_admin", "actor_id": 89012, "actor_location": {"country_name": "France", "ip": "10.0.4.2"}, "org_id": 34567, "org": "big-corp", "business": "org-solutions", "changes": {"billing_plan": "enterprise"}, "message": "Organization billing plan updated."}
+{"@timestamp": 1698580680000, "action": "repo.release", "active": true, "actor": "release_manager", "actor_id": 90123, "actor_location": {"country_name": "Netherlands", "ip": "10.0.5.1"}, "org_id": 56789, "org": "release-team", "repository": "product-v1", "version": "1.0.0", "business": "release-solutions", "message": "New version of repository released."}
+{"@timestamp": 1698580740000, "action": "user.promote", "active": true, "actor": "super_admin", "actor_id": 12345, "actor_location": {"country_name": "Japan", "ip": "10.0.5.2"}, "org_id": 78901, "org": "mod-team", "user_id": 56789, "business": "user-management", "new_role": "moderator", "message": "User promoted to moderator."}
+{"@timestamp": 1698580800000, "action": "user.demote", "active": false, "actor": "admin_lead", "actor_id": 23456, "actor_location": {"country_name": "USA", "ip": "10.0.6.1"}, "org_id": 90123, "org": "mod-team", "user_id": 67890, "business": "user-management", "old_role": "moderator", "message": "User demoted to basic user."}
diff --git a/packages/github/data_stream/audit/_dev/test/pipeline/test-enterprise-audit-json.log-expected.json b/packages/github/data_stream/audit/_dev/test/pipeline/test-enterprise-audit-json.log-expected.json
index 49608aa70cf..54d7ff72fb2 100644
--- a/packages/github/data_stream/audit/_dev/test/pipeline/test-enterprise-audit-json.log-expected.json
+++ b/packages/github/data_stream/audit/_dev/test/pipeline/test-enterprise-audit-json.log-expected.json
@@ -1,7 +1,7 @@
 {
 "expected": [
 {
- "@timestamp": "1970-01-20T15:49:39.600Z",
+ "@timestamp": "2023-10-29T11:40:00.000Z",
 "ecs": {
 "version": "8.11.0"
 },
@@ -12,7 +12,7 @@
 "web"
 ],
 "kind": "event",
- "original": "{\"@timestamp\": 1698579600, \"action\": \"user.login\", \"active\": true, \"actor\": \"john_doe\", \"actor_id\": 12345, \"actor_location\": {\"country_name\": \"USA\", \"ip\": \"192.168.1.1\"}, \"org_id\": 67890, \"org\": \"tech-corp\", \"user_id\": 12345, \"business_id\": 56789, \"business\": \"tech-enterprise\", \"message\": \"User logged in successfully.\", \"name\": \"John Doe\", \"device\": \"laptop\", \"login_method\": \"password\"}",
+ "original": "{\"@timestamp\": 1698579600000, \"action\": \"user.login\", \"active\": true, \"actor\": \"john_doe\", \"actor_id\": 12345, \"actor_location\": {\"country_name\": \"USA\", \"ip\": \"192.168.1.1\"}, \"org_id\": 67890, \"org\": \"tech-corp\", \"user_id\": 12345, \"business_id\": 56789, \"business\": \"tech-enterprise\", \"message\": \"User logged in successfully.\", \"name\": \"John Doe\", \"device\": \"laptop\", \"login_method\": \"password\"}",
 "type": [
 "change"
 ]
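Review bot: Scaling every fixture `@timestamp` from seconds to epoch milliseconds makes the expected output plausible (the `@timestamp` hunks of test-enterprise-audit-json.log-expected.json now read 2023-10-29 instead of 1970-01-20), but it fixes the sample rather than the failure mode: a seconds-resolution value from any source is still silently accepted and dated 1970, which would drop those audit events out of every time-bounded detection query and retention window. The audit pipeline is outside this diff, so I can't confirm whether its date handling accepts only millisecond input; if so, a second pipeline test case that feeds a 10-digit timestamp and asserts either a parse with a seconds fallback or an error tag would keep this regression from reappearing unnoticed. A JSON-lines fixture has no comment syntax, so the unit assumption should be recorded next to it instead, e.g. in the data stream's docs: `@timestamp in the enterprise audit sample is epoch milliseconds, matching the unit the GitHub audit log API returns.` The millisecond form itself looks consistent with what the API emits, so the fixture change appears correct as far as it goes.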
@@ -34,7 +34,7 @@
 }
 },
 {
- "@timestamp": "1970-01-20T15:49:39.660Z",
+ "@timestamp": "2023-10-29T11:41:00.000Z",
 "ecs": {
 "version": "8.11.0"
 },
@@ -45,7 +45,7 @@
 "web"
 ],
 "kind": "event",
- "original": "{\"@timestamp\": 1698579660, \"action\": \"user.logout\", \"active\": false, \"actor\": \"jane_doe\", \"actor_id\": 23456, \"actor_location\": {\"country_name\": \"UK\", \"ip\": \"192.168.2.1\"}, \"org_id\": 67890, \"org\": \"tech-corp\", \"user_id\": 23456, \"business_id\": 56789, \"business\": \"tech-enterprise\", \"message\": \"User logged out.\", \"name\": \"Jane Doe\", \"device\": \"mobile\", \"logout_reason\": \"user_initiated\"}",
+ "original": "{\"@timestamp\": 1698579660000, \"action\": \"user.logout\", \"active\": false, \"actor\": \"jane_doe\", \"actor_id\": 23456, \"actor_location\": {\"country_name\": \"UK\", \"ip\": \"192.168.2.1\"}, \"org_id\": 67890, \"org\": \"tech-corp\", \"user_id\": 23456, \"business_id\": 56789, \"business\": \"tech-enterprise\", \"message\": \"User logged out.\", \"name\": \"Jane Doe\", \"device\": \"mobile\", \"logout_reason\": \"user_initiated\"}",
 "type": [
 "change"
 ]
@@ -67,7 +67,7 @@
 }
 },
 {
- "@timestamp": "1970-01-20T15:49:39.720Z",
+ "@timestamp": "2023-10-29T11:42:00.000Z",
 "ecs": {
 "version": "8.11.0"
 },
@@ -78,7 +78,7 @@
 "web"
 ],
 "kind": "event",
- "original": "{\"@timestamp\": 1698579720, \"action\": \"repo.create\", \"active\": true, \"actor\": \"alice_dev\", \"actor_id\": 34567, \"actor_location\": {\"country_name\": \"Canada\", \"ip\": \"10.0.0.1\"}, \"org_id\": 98765, \"org\": \"dev-group\", \"repository\": \"project-alpha\", \"repository_public\": true, \"business\": \"repo-services\", \"team\": \"frontend\", \"message\": \"Repository created.\"}",
+ "original": "{\"@timestamp\": 1698579720000, \"action\": \"repo.create\", \"active\": true, \"actor\": \"alice_dev\", \"actor_id\": 34567, \"actor_location\": {\"country_name\": \"Canada\", \"ip\": \"10.0.0.1\"}, \"org_id\": 98765, \"org\": \"dev-group\", \"repository\": \"project-alpha\", \"repository_public\": true, \"business\": \"repo-services\", \"team\": \"frontend\", \"message\": \"Repository created.\"}",
 "type": [
 "creation"
 ]
@@ -102,7 +102,7 @@
 }
 },
 {
- "@timestamp": "1970-01-20T15:49:39.780Z",
+ "@timestamp": "2023-10-29T11:43:00.000Z",
 "ecs": {
 "version": "8.11.0"
 },
@@ -113,7 +113,7 @@
 "web"
 ],
 "kind": "event",
- "original": "{\"@timestamp\": 1698579780, \"action\": \"repo.delete\", \"active\": false, \"actor\": \"bob_admin\", \"actor_id\": 45678, \"actor_location\": {\"country_name\": \"Germany\", \"ip\": \"10.0.0.2\"}, \"org_id\": 56789, \"org\": \"admin-hub\", \"repository\": \"legacy-project\", \"repository_public\": false, \"business\": \"admin-inc\", \"message\": \"Repository deleted due to inactivity.\"}",
+ "original": "{\"@timestamp\": 1698579780000, \"action\": \"repo.delete\", \"active\": false, \"actor\": \"bob_admin\", \"actor_id\": 45678, \"actor_location\": {\"country_name\": \"Germany\", \"ip\": \"10.0.0.2\"}, \"org_id\": 56789, \"org\": \"admin-hub\", \"repository\": \"legacy-project\", \"repository_public\": false, \"business\": \"admin-inc\", \"message\": \"Repository deleted due to inactivity.\"}",
 "type": [
 "deletion"
 ]
@@ -136,7 +136,7 @@
 }
 },
 {
- "@timestamp": "1970-01-20T15:49:39.840Z",
+ "@timestamp": "2023-10-29T11:44:00.000Z",
 "ecs": {
 "version": "8.11.0"
 },
@@ -147,7 +147,7 @@
 "web"
 ],
 "kind": "event",
- "original": "{\"@timestamp\": 1698579840, \"action\": \"repo.fork\", \"active\": true, \"actor\": \"charlie_dev\", \"actor_id\": 56789, \"actor_location\": {\"country_name\": \"Australia\", \"ip\": \"192.168.3.1\"}, \"org_id\": 12345, \"org\": \"fork-team\", \"repository\": \"open-source-tool\", \"forked_repository\": \"charlie-tool\", \"repository_public\": true, \"business\": \"opensource-labs\", \"message\": \"Repository forked successfully.\"}",
+ "original": "{\"@timestamp\": 1698579840000, \"action\": \"repo.fork\", \"active\": true, \"actor\": \"charlie_dev\", \"actor_id\": 56789, \"actor_location\": {\"country_name\": \"Australia\", \"ip\": \"192.168.3.1\"}, \"org_id\": 12345, \"org\": \"fork-team\", \"repository\": \"open-source-tool\", \"forked_repository\": \"charlie-tool\", \"repository_public\": true, \"business\": \"opensource-labs\", \"message\": \"Repository forked successfully.\"}",
 "type": [
 "change"
 ]
@@ -170,7 +170,7 @@
 }
 },
 {
- "@timestamp": "1970-01-20T15:49:39.900Z",
+ "@timestamp": "2023-10-29T11:45:00.000Z",
 "ecs": {
 "version": "8.11.0"
 },
@@ -182,7 +182,7 @@
 "iam"
 ],
 "kind": "event",
- "original": "{\"@timestamp\": 1698579900, \"action\": \"team.create\", \"active\": true, \"actor\": \"team_manager\", \"actor_id\": 67890, \"actor_location\": {\"country_name\": \"India\", \"ip\": \"172.16.0.1\"}, \"org_id\": 23456, \"org\": \"team-org\", \"team\": \"backend-devs\", \"business\": \"teamworks\", \"message\": \"Team created successfully.\"}",
+ "original": "{\"@timestamp\": 1698579900000, \"action\": \"team.create\", \"active\": true, \"actor\": \"team_manager\", \"actor_id\": 67890, \"actor_location\": {\"country_name\": \"India\", \"ip\": \"172.16.0.1\"}, \"org_id\": 23456, \"org\": \"team-org\", \"team\": \"backend-devs\", \"business\": \"teamworks\", \"message\": \"Team created successfully.\"}",
 "type": [
 "group",
 "user",
@@ -210,7 +210,7 @@
 }
 },
 {
- "@timestamp": "1970-01-20T15:49:39.960Z",
+ "@timestamp": "2023-10-29T11:46:00.000Z",
 "ecs": {
 "version": "8.11.0"
 },
@@ -222,7 +222,7 @@
 "iam"
 ],
 "kind": "event",
- "original": "{\"@timestamp\": 1698579960, \"action\": \"team.delete\", \"active\": false, \"actor\": \"org_admin\", \"actor_id\": 78901, \"actor_location\": {\"country_name\": \"Spain\", \"ip\": \"172.16.0.2\"}, \"org_id\": 23456, \"org\": \"team-org\", \"team\": \"qa-team\", \"business\": \"teamworks\", \"message\": \"Team deleted due to reorganization.\"}",
+ "original": "{\"@timestamp\": 1698579960000, \"action\": \"team.delete\", \"active\": false, \"actor\": \"org_admin\", \"actor_id\": 78901, \"actor_location\": {\"country_name\": \"Spain\", \"ip\": \"172.16.0.2\"}, \"org_id\": 23456, \"org\": \"team-org\", \"team\": \"qa-team\", \"business\": \"teamworks\", \"message\": \"Team deleted due to reorganization.\"}",
 "type": [
 "group",
 "user",
@@ -250,7 +250,7 @@
 }
 },
 {
- "@timestamp": "1970-01-20T15:49:40.020Z",
+ "@timestamp": "2023-10-29T11:47:00.000Z",
 "ecs": {
 "version": "8.11.0"
 },
@@ -261,7 +261,7 @@
 "web"
 ],
 "kind": "event",
- "original": "{\"@timestamp\": 1698580020, \"action\": \"user.create\", \"active\": true, \"actor\": \"hr_admin\", \"actor_id\": 89012, \"actor_location\": {\"country_name\": \"France\", \"ip\": \"10.0.1.1\"}, \"org_id\": 34567, \"org\": \"hr-dept\", \"user_id\": 90123, \"business\": \"hr-solutions\", \"name\": \"Daniel Ross\", \"message\": \"New user created in the organization.\"}",
+ "original": "{\"@timestamp\": 1698580020000, \"action\": \"user.create\", \"active\": true, \"actor\": \"hr_admin\", \"actor_id\": 89012, \"actor_location\": {\"country_name\": \"France\", \"ip\": \"10.0.1.1\"}, \"org_id\": 34567, \"org\": \"hr-dept\", \"user_id\": 90123, \"business\": \"hr-solutions\", \"name\": \"Daniel Ross\", \"message\": \"New user created in the organization.\"}",
 "type": [
 "creation"
 ]
@@ -283,7 +283,7 @@
 }
 },
 {
- "@timestamp": "1970-01-20T15:49:40.080Z",
+ "@timestamp": "2023-10-29T11:48:00.000Z",
 "ecs": {
 "version": "8.11.0"
 },
@@ -294,7 +294,7 @@
 "web"
 ],
 "kind": "event",
- "original": "{\"@timestamp\": 1698580080, \"action\": \"user.delete\", \"active\": false, \"actor\": \"security_admin\", \"actor_id\": 90123, \"actor_location\": {\"country_name\": \"Netherlands\", \"ip\": \"10.0.1.2\"}, \"org_id\": 45678, \"org\": \"security-dept\", \"user_id\": 89012, \"business\": \"security-solutions\", \"name\": \"Alice Gray\", \"message\": \"User account deleted due to policy violation.\"}",
+ "original": "{\"@timestamp\": 1698580080000, \"action\": \"user.delete\", \"active\": false, \"actor\": \"security_admin\", \"actor_id\": 90123, \"actor_location\": {\"country_name\": \"Netherlands\", \"ip\": \"10.0.1.2\"}, \"org_id\": 45678, \"org\": \"security-dept\", \"user_id\": 89012, \"business\": \"security-solutions\", \"name\": \"Alice Gray\", \"message\": \"User account deleted due to policy violation.\"}",
 "type": [
 "deletion"
 ]
@@ -316,7 +316,7 @@
 }
 },
 {
- "@timestamp": "1970-01-20T15:49:40.140Z",
+ "@timestamp": "2023-10-29T11:49:00.000Z",
 "ecs": {
 "version": "8.11.0"
 },
@@ -327,7 +327,7 @@
 "web"
 ],
 "kind": "event",
- "original": "{\"@timestamp\": 1698580140, \"action\": \"user.block\", \"active\": false, \"actor\": \"moderator\", \"actor_id\": 12345, \"actor_location\": {\"country_name\": \"Japan\", \"ip\": \"10.0.1.3\"}, \"org_id\": 67890, \"org\": \"mod-team\", \"user_id\": 56789, \"business\": \"moderation-services\", \"name\": \"John Smith\", \"reason\": \"spam_activity\", \"message\": \"User blocked for spamming.\"}",
+ "original": "{\"@timestamp\": 1698580140000, \"action\": \"user.block\", \"active\": false, \"actor\": \"moderator\", \"actor_id\": 12345, \"actor_location\": {\"country_name\": \"Japan\", \"ip\": \"10.0.1.3\"}, \"org_id\": 67890, \"org\": \"mod-team\", \"user_id\": 56789, \"business\": \"moderation-services\", \"name\": \"John Smith\", \"reason\": \"spam_activity\", \"message\": \"User blocked for spamming.\"}",
 "type": [
 "change"
 ]
@@ -349,7 +349,7 @@
 }
 },
 {
- "@timestamp": "1970-01-20T15:49:40.200Z",
+ "@timestamp": "2023-10-29T11:50:00.000Z",
 "ecs": {
 "version": "8.11.0"
 },
@@ -360,7 +360,7 @@
 "web"
 ],
 "kind": "event",
- "original": "{\"@timestamp\": 1698580200, \"action\": \"repo.star\", \"active\": true, \"actor\": \"john_doe\", \"actor_id\": 12345, \"actor_location\": {\"country_name\": \"USA\", \"ip\": \"192.168.1.1\"}, \"org_id\": 98765, \"org\": \"starred-group\", \"repository\": \"useful-toolkit\", \"business\": \"repo-services\", \"message\": \"Repository starred by user.\"}",
+ "original": "{\"@timestamp\": 1698580200000, \"action\": \"repo.star\", \"active\": true, \"actor\": \"john_doe\", \"actor_id\": 12345, \"actor_location\": {\"country_name\": \"USA\", \"ip\": \"192.168.1.1\"}, \"org_id\": 98765, \"org\": \"starred-group\", \"repository\": \"useful-toolkit\", \"business\": \"repo-services\", \"message\": \"Repository starred by user.\"}",
 "type": [
 "change"
 ]
@@ -382,7 +382,7 @@
 }
 },
 {
- "@timestamp": "1970-01-20T15:49:40.260Z",
+ "@timestamp": "2023-10-29T11:51:00.000Z",
 "ecs": {
 "version": "8.11.0"
 },
@@ -393,7 +393,7 @@
 "web"
 ],
 "kind": "event",
- "original": "{\"@timestamp\": 1698580260, \"action\": \"repo.unstar\", \"active\": false, \"actor\": \"jane_doe\", \"actor_id\": 23456, \"actor_location\": {\"country_name\": \"UK\", \"ip\": \"192.168.2.1\"}, \"org_id\": 98765, \"org\": \"starred-group\", \"repository\": \"old-toolkit\", \"business\": \"repo-services\", \"message\": \"Repository unstarred by user.\"}",
+ "original": "{\"@timestamp\": 1698580260000, \"action\": \"repo.unstar\", \"active\": false, \"actor\": \"jane_doe\", \"actor_id\": 23456, \"actor_location\": {\"country_name\": \"UK\", \"ip\": \"192.168.2.1\"}, \"org_id\": 98765, \"org\": \"starred-group\", \"repository\": \"old-toolkit\", \"business\": \"repo-services\", \"message\": \"Repository unstarred by user.\"}",
 "type": [
 "change"
 ]
@@ -415,7 +415,7 @@
 }
 },
 {
- "@timestamp": "1970-01-20T15:49:40.320Z",
+ "@timestamp": "2023-10-29T11:52:00.000Z",
 "ecs": {
 "version": "8.11.0"
 },
@@ -427,7 +427,7 @@
 "iam"
 ],
 "kind": "event",
- "original": "{\"@timestamp\": 1698580320, \"action\": \"org.create\", \"active\": true, \"actor\": \"super_admin\", \"actor_id\": 34567, \"actor_location\": {\"country_name\": \"Canada\", \"ip\": \"10.0.2.1\"}, \"org_id\": 90123, \"org\": \"new-corp\", \"business\": \"org-management\", \"message\": \"New organization created successfully.\"}",
+ "original": "{\"@timestamp\": 1698580320000, \"action\": \"org.create\", \"active\": true, \"actor\": \"super_admin\", \"actor_id\": 34567, \"actor_location\": {\"country_name\": \"Canada\", \"ip\": \"10.0.2.1\"}, \"org_id\": 90123, \"org\": \"new-corp\", \"business\": \"org-management\", \"message\": \"New organization created successfully.\"}",
 "type": [
 "group",
 "user",
@@ -454,7 +454,7 @@
 }
 },
 {
- "@timestamp": "1970-01-20T15:49:40.380Z",
+ "@timestamp": "2023-10-29T11:53:00.000Z",
 "ecs": {
 "version": "8.11.0"
 },
@@ -466,7 +466,7 @@
 "iam"
 ],
 "kind": "event",
- "original": "{\"@timestamp\": 1698580380, \"action\": \"org.delete\", \"active\": false, \"actor\": \"admin_lead\", \"actor_id\": 45678, \"actor_location\": {\"country_name\": \"Germany\", \"ip\": \"10.0.2.2\"}, \"org_id\": 78901, \"org\": \"old-corp\", \"business\": \"org-management\", \"message\": \"Organization deleted.\"}",
+ "original": "{\"@timestamp\": 1698580380000, \"action\": \"org.delete\", \"active\": false, \"actor\": \"admin_lead\", \"actor_id\": 45678, \"actor_location\": {\"country_name\": \"Germany\", \"ip\": \"10.0.2.2\"}, \"org_id\": 78901, \"org\": \"old-corp\", \"business\": \"org-management\", \"message\": \"Organization deleted.\"}",
 "type": [
 "group",
 "user",
@@ -493,7 +493,7 @@
 }
 },
 {
- "@timestamp": "1970-01-20T15:49:40.440Z",
+ "@timestamp": "2023-10-29T11:54:00.000Z",
 "ecs": {
 "version": "8.11.0"
 },
@@ -504,7 +504,7 @@
 "web"
 ],
 "kind": "event",
-"original": "{\"@timestamp\": 1698580440, \"action\": \"repo.commit\", \"active\": true, \"actor\": \"developer1\", \"actor_id\": 56789, \"actor_location\": {\"country_name\": \"Australia\", \"ip\": \"10.0.3.1\"}, \"org_id\": 90123, \"org\": \"dev-org\", \"repository\": \"project-z\", \"commit_id\": \"abc123\", \"business\": \"dev-services\", \"message\": \"Code changes committed to repository.\"}",
+"original": "{\"@timestamp\": 1698580440000, \"action\": \"repo.commit\", \"active\": true, \"actor\": \"developer1\", \"actor_id\": 56789, \"actor_location\": {\"country_name\": \"Australia\", \"ip\": \"10.0.3.1\"}, \"org_id\": 90123, \"org\": \"dev-org\", \"repository\": \"project-z\", \"commit_id\": \"abc123\", \"business\": \"dev-services\", \"message\": \"Code changes committed to repository.\"}",
 "type": [
 "change"
 ]
@@ -526,7 +526,7 @@
 }
 },
 {
-"@timestamp": "1970-01-20T15:49:40.500Z",
+"@timestamp": "2023-10-29T11:55:00.000Z",
 "ecs": {
 "version": "8.11.0"
 },
@@ -537,7 +537,7 @@
 "web"
 ],
 "kind": "event",
-"original": "{\"@timestamp\": 1698580500, \"action\": \"repo.merge\", \"active\": true, \"actor\": \"developer2\", \"actor_id\": 67890, \"actor_location\": {\"country_name\": \"India\", \"ip\": \"10.0.3.2\"}, \"org_id\": 90123, \"org\": \"merge-team\", \"repository\": \"project-y\", \"source_branch\": \"feature-x\", \"target_branch\": \"main\", \"business\": \"merge-solutions\", \"message\": \"Feature branch merged into main.\"}",
+"original": "{\"@timestamp\": 1698580500000, \"action\": \"repo.merge\", \"active\": true, \"actor\": \"developer2\", \"actor_id\": 67890, \"actor_location\": {\"country_name\": \"India\", \"ip\": \"10.0.3.2\"}, \"org_id\": 90123, \"org\": \"merge-team\", \"repository\": \"project-y\", \"source_branch\": \"feature-x\", \"target_branch\": \"main\", \"business\": \"merge-solutions\", \"message\": \"Feature branch merged into main.\"}",
 "type": [
 "change"
 ]
@@ -559,7 +559,7 @@
 }
 },
 {
-"@timestamp": "1970-01-20T15:49:40.560Z",
+"@timestamp": "2023-10-29T11:56:00.000Z",
 "ecs": {
 "version": "8.11.0"
 },
@@ -571,7 +571,7 @@
 "iam"
 ],
 "kind": "event",
-"original": "{\"@timestamp\": 1698580560, \"action\": \"team.update\", \"active\": true, \"actor\": \"team_manager\", \"actor_id\": 78901, \"actor_location\": {\"country_name\": \"Spain\", \"ip\": \"10.0.4.1\"}, \"org_id\": 67890, \"org\": \"teamworks\", \"team\": \"data-science\", \"business\": \"teamworks\", \"changes\": {\"roles\": \"updated\"}, \"message\": \"Team roles updated.\"}",
+"original": "{\"@timestamp\": 1698580560000, \"action\": \"team.update\", \"active\": true, \"actor\": \"team_manager\", \"actor_id\": 78901, \"actor_location\": {\"country_name\": \"Spain\", \"ip\": \"10.0.4.1\"}, \"org_id\": 67890, \"org\": \"teamworks\", \"team\": \"data-science\", \"business\": \"teamworks\", \"changes\": {\"roles\": \"updated\"}, \"message\": \"Team roles updated.\"}",
 "type": [
 "group",
 "user"
@@ -598,7 +598,7 @@
 }
 },
 {
-"@timestamp": "1970-01-20T15:49:40.620Z",
+"@timestamp": "2023-10-29T11:57:00.000Z",
 "ecs": {
 "version": "8.11.0"
 },
@@ -610,7 +610,7 @@
 "iam"
 ],
 "kind": "event",
-"original": "{\"@timestamp\": 1698580620, \"action\": \"org.update\", \"active\": true, \"actor\": \"org_admin\", \"actor_id\": 89012, \"actor_location\": {\"country_name\": \"France\", \"ip\": \"10.0.4.2\"}, \"org_id\": 34567, \"org\": \"big-corp\", \"business\": \"org-solutions\", \"changes\": {\"billing_plan\": \"enterprise\"}, \"message\": \"Organization billing plan updated.\"}",
+"original": "{\"@timestamp\": 1698580620000, \"action\": \"org.update\", \"active\": true, \"actor\": \"org_admin\", \"actor_id\": 89012, \"actor_location\": {\"country_name\": \"France\", \"ip\": \"10.0.4.2\"}, \"org_id\": 34567, \"org\": \"big-corp\", \"business\": \"org-solutions\", \"changes\": {\"billing_plan\": \"enterprise\"}, \"message\": \"Organization billing plan updated.\"}",
 "type": [
 "group",
 "user"
@@ -636,7 +636,7 @@
 }
 },
 {
-"@timestamp": "1970-01-20T15:49:40.680Z",
+"@timestamp": "2023-10-29T11:58:00.000Z",
 "ecs": {
 "version": "8.11.0"
 },
@@ -647,7 +647,7 @@
 "web"
 ],
 "kind": "event",
-"original": "{\"@timestamp\": 1698580680, \"action\": \"repo.release\", \"active\": true, \"actor\": \"release_manager\", \"actor_id\": 90123, \"actor_location\": {\"country_name\": \"Netherlands\", \"ip\": \"10.0.5.1\"}, \"org_id\": 56789, \"org\": \"release-team\", \"repository\": \"product-v1\", \"version\": \"1.0.0\", \"business\": \"release-solutions\", \"message\": \"New version of repository released.\"}",
+"original": "{\"@timestamp\": 1698580680000, \"action\": \"repo.release\", \"active\": true, \"actor\": \"release_manager\", \"actor_id\": 90123, \"actor_location\": {\"country_name\": \"Netherlands\", \"ip\": \"10.0.5.1\"}, \"org_id\": 56789, \"org\": \"release-team\", \"repository\": \"product-v1\", \"version\": \"1.0.0\", \"business\": \"release-solutions\", \"message\": \"New version of repository released.\"}",
 "type": [
 "change"
 ]
@@ -669,7 +669,7 @@
 }
 },
 {
-"@timestamp": "1970-01-20T15:49:40.740Z",
+"@timestamp": "2023-10-29T11:59:00.000Z",
 "ecs": {
 "version": "8.11.0"
 },
@@ -680,7 +680,7 @@
 "web"
 ],
 "kind": "event",
-"original": "{\"@timestamp\": 1698580740, \"action\": \"user.promote\", \"active\": true, \"actor\": \"super_admin\", \"actor_id\": 12345, \"actor_location\": {\"country_name\": \"Japan\", \"ip\": \"10.0.5.2\"}, \"org_id\": 78901, \"org\": \"mod-team\", \"user_id\": 56789, \"business\": \"user-management\", \"new_role\": \"moderator\", \"message\": \"User promoted to moderator.\"}",
+"original": "{\"@timestamp\": 1698580740000, \"action\": \"user.promote\", \"active\": true, \"actor\": \"super_admin\", \"actor_id\": 12345, \"actor_location\": {\"country_name\": \"Japan\", \"ip\": \"10.0.5.2\"}, \"org_id\": 78901, \"org\": \"mod-team\", \"user_id\": 56789, \"business\": \"user-management\", \"new_role\": \"moderator\", \"message\": \"User promoted to moderator.\"}",
 "type": [
 "change"
 ]
@@ -702,7 +702,7 @@
 }
 },
 {
-"@timestamp": "1970-01-20T15:49:40.800Z",
+"@timestamp": "2023-10-29T12:00:00.000Z",
 "ecs": {
 "version": "8.11.0"
 },
@@ -713,7 +713,7 @@
 "web"
 ],
 "kind": "event",
-"original": "{\"@timestamp\": 1698580800, \"action\": \"user.demote\", \"active\": false, \"actor\": \"admin_lead\", \"actor_id\": 23456, \"actor_location\": {\"country_name\": \"USA\", \"ip\": \"10.0.6.1\"}, \"org_id\": 90123, \"org\": \"mod-team\", \"user_id\": 67890, \"business\": \"user-management\", \"old_role\": \"moderator\", \"message\": \"User demoted to basic user.\"}",
+"original": "{\"@timestamp\": 1698580800000, \"action\": \"user.demote\", \"active\": false, \"actor\": \"admin_lead\", \"actor_id\": 23456, \"actor_location\": {\"country_name\": \"USA\", \"ip\": \"10.0.6.1\"}, \"org_id\": 90123, \"org\": \"mod-team\", \"user_id\": 67890, \"business\": \"user-management\", \"old_role\": \"moderator\", \"message\": \"User demoted to basic user.\"}",
 "type": [
 "change"
 ]
diff --git a/packages/github/data_stream/audit/manifest.yml b/packages/github/data_stream/audit/manifest.yml
index a48b7c4208f..8c34ccd5f87 100644
--- a/packages/github/data_stream/audit/manifest.yml
+++ b/packages/github/data_stream/audit/manifest.yml
@@ -18,14 +18,14 @@ streams:
 - name: organization
 type: text
 title: Organization Name
-description: The GitHub organization name/ID. Either `organization` or `enterprise` must be set.
+description: The GitHub organization name/ID. Either `Organization Name` or `Enterprise Name` must be set.
 multi: false
 required: false
 show_user: true
 - name: enterprise
 type: text
 title: Enterprise Name
-description: The GitHub enterprise name/ID. Either `organization` or `enterprise` must be set.
+description: The GitHub enterprise name/ID. Either `Organization Name` or `Enterprise Name` must be set.
 multi: false
 required: false
 show_user: true
diff --git a/packages/github/docs/README.md b/packages/github/docs/README.md
index e5d07252e95..7d753fe7019 100644
--- a/packages/github/docs/README.md
+++ b/packages/github/docs/README.md
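Review bot: The reworded descriptions still state that either `Organization Name` or `Enterprise Name` must be set, yet both variables keep `required: false`, so the manifest does not enforce the one-of constraint and a policy with neither value filled in is accepted at configuration time; whether the input then fails visibly or quietly collects no audit events is not visible in this diff. If the package format offers no way to express a mutual requirement, the description could at least state the consequence for the operator, e.g. append `Leaving both empty is not a valid configuration.` to each description. The rest of the hunk is wording only.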
@@ -9,10 +9,24 @@ The GitHub integration collects events from the [GitHub API](https://docs.github The GitHub audit log records all events related to the GitHub organization/enterprise. See [Organization audit log actions](https://docs.github.com/en/organizations/keeping-your-organization-secure/reviewing-the-audit-log-for-your-organization#audit-log-actions) and [Enterprise audit log actions](https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/about-the-audit-log-for-your-enterprise) for more details. To use this integration, the following prerequisites must be met: - - You must be an organization owner. - - You must be using GitHub Enterprise Cloud. - - You must use a Personal Access Token with `read:audit_log` scope. +For GitHub Enterprise Cloud: + - You must be an enterprise owner. + - Your enterprise account must be on a GitHub Enterprise Cloud plan that includes audit log access. + +For GitHub Enterprise Server: + - You need to be a site administrator to access the audit log for the entire instance. + - The audit log is part of the server deployment. Ensure audit logging is enabled in the server configuration. + +For Organizations: + - You must be an organization owner. + - You must be using GitHub Enterprise Cloud. + - The organization must be part of an enterprise plan that includes audit log functionality. + +Required scopes: + - You must use a Personal Access Token with `read:audit_log` scope. This applies to both organization and enterprise admins. + - If you're an enterprise admin, ensure your token also includes `admin:enterprise` to access enterprise-wide logs. + *This integration is not compatible with GitHub Enterprise server.* **Exported fields** diff --git a/packages/github/manifest.yml b/packages/github/manifest.yml index e036cf3927d..48695c4886a 100644 --- a/packages/github/manifest.yml +++ b/packages/github/manifest.yml 
@@ -1,6 +1,6 @@
 name: github
 title: GitHub
-version: "2.1.0"
+version: "2.1.1"
 description: Collect logs from GitHub with Elastic Agent.
 type: integration
 format_version: "3.0.2"