Prerequisites:
1. Admin access to the GitHub repository.
2. Access to the Google Cloud Console to create an API key.
1. Before You Begin
A. Create Google API Key:
1. Go to the Google Cloud Platform Console.
2. Select the project name.
3. Select APIs & Services > Credentials.
4. On the Credentials page, click CREATE CREDENTIALS > API key.
5. The API key created dialog displays your newly created API key.
Note: The new API key is listed on the Credentials page under API keys. On that page you can rename, copy, regenerate, delete and restrict the created API key.
6. Edit the API key by clicking the three dots, go to API restrictions, and select 'Chronicle API' so that the key can only be used with that API.
7. Click SAVE.
B. Configure GitHub Feed in Chronicle:
1. From the Google Security Operations menu, select Settings, and then click FEEDS.
2. Click ADD NEW.
3. In the Feed name field, enter a name for the feed.
4. In the Source type list, select Webhook.
5. In the Log type list, select GitHub.
6. Click Next.
7. Review your new feed configuration in the Finalize screen, and then click Submit.
8. Click Generate Secret Key to generate a secret key that authenticates this feed.
9. Copy and store the secret key, as you cannot view this secret again.
Note: You can generate a new secret key later, but regenerating it makes the previous secret key obsolete.
10. Go to the Details tab and copy the feed endpoint URL from the Endpoint Information field.
11. Click Done.
2. Specify the Webhook URL
a. Specify the API key and secret key as query parameters on the feed endpoint URL, in the following format:
ENDPOINT_URL?key=API_KEY&secret=SECRET
Replace the following:
ENDPOINT_URL = Chronicle feed endpoint URL (from step 1B)
key = API key from the Google Cloud Console (from step 1A)
secret = Secret key generated for the feed (from step 1B)
Example:
https://us-chronicle.googleapis.com/v1alpha/projects/681493028384/locations/us/instances/5a6d4386-8883-4bc2-9cd0-3607e21a95f0/feeds/d73Cfd76-f76a-4eb6-9e40-c8a0d4e5a8d8:importPushLogs?key=AIzaSyBrLGPOKiaMBQE-hrAGH&secret=4bcdb97cc449da2ac47c4f7331a31691c1d4a53d7511aa43e58618
3. Configuration of Webhook in GitHub
1. Navigate to the GitHub repository whose logs you want to send.
2. Go to Settings > Webhooks.
3. Click Add webhook.
4. Payload URL: enter the feed webhook URL built in step 2, with the API key and secret key appended as query parameters.
Example:
https://us-chronicle.googleapis.com/v1alpha/projects/681493028384/locations/us/instances/5a6d4386-8883-4bc2-9cd0-3607e21a95f0/feeds/d73Cfd76-f76a-4eb6-9e40-c8a0d4e5a8d8:importPushLogs?key=AIzaSyBrLGPOKiaMBQE-hrAGH&secret=4bcdb97cc449da2ac47c4f7331a31691c1d4a53d7511aa43e58618
5. Select application/json as the Content type.
6. Choose the events that trigger the webhook:
- Just the push event – only 'push' events are sent.
- Let me select individual events – lets you specify which events (e.g., Push, Pull, Issues, Repositories, Workflow, etc.) are sent to Chronicle.
- Send me everything – not recommended, as it pushes all events and may result in higher data consumption in Chronicle.
7. Ensure the Active checkbox is selected.
8. Click Add webhook to save your configuration.
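The following Python script is an added example, not part of the original article and not code from Google or GitHub. It builds the payload URL in the format given in section 2 (percent-encoding the key and secret so that characters such as '&' or '=' cannot break the query string), sanity-checks the result before it is pasted into the GitHub webhook form, produces a redacted copy that is safe to put in a ticket or log, and expresses the section 3 settings (JSON content type, active, chosen events) as the body of GitHub's documented "create a repository webhook" REST call. The endpoint, API key and secret in the script are constructed placeholders. Because the API key and secret travel inside the payload URL, anyone who can view the repository's webhook settings can read them, so treat the URL itself as a credential and rely on the Chronicle API restriction from step 1A to limit what the key can be used for.

```python
"""Added example (not from the original article): build and check the
Chronicle webhook feed URL and the matching GitHub webhook definition.

All identifiers below are constructed placeholders, not real credentials.
"""
import json
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed placeholders standing in for the values from steps 1A and 1B.
ENDPOINT_URL = ("https://us-chronicle.googleapis.com/v1alpha/projects/PROJECT_NUMBER"
                "/locations/us/instances/INSTANCE_ID/feeds/FEED_ID:importPushLogs")
API_KEY = "EXAMPLE-API-KEY"
SECRET = "EXAMPLE-SECRET"

CREDENTIAL_PARAMS = ("key", "secret")


def build_webhook_url(endpoint_url: str, api_key: str, secret: str) -> str:
    """Return ENDPOINT_URL?key=API_KEY&secret=SECRET (the section 2 format).

    urlencode percent-encodes anything that is not URL-safe, so a secret
    containing '&', '=' or '+' is carried intact instead of splitting the query.
    """
    if not endpoint_url.startswith("https://"):
        raise ValueError("Chronicle feed endpoint must use https")
    if not api_key or not secret:
        raise ValueError("both the API key and the feed secret are required")
    return endpoint_url + "?" + urlencode({"key": api_key, "secret": secret})


def check_payload_url(url: str) -> list:
    """Return a list of problems with a payload URL; an empty list means it is usable."""
    problems = []
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.path.endswith(":importPushLogs"):
        problems.append("path does not end with :importPushLogs")
    for name in CREDENTIAL_PARAMS:
        if not params.get(name):
            problems.append(f"missing query parameter '{name}'")
    if " " in url:  # a stray space (e.g. after 'key=') breaks the value
        problems.append("URL contains whitespace")
    return problems


def redact_webhook_url(url: str) -> str:
    """Mask the key and secret so the URL can be shared in a ticket or log line."""
    parts = urlsplit(url)
    masked = [(name, "REDACTED" if name in CREDENTIAL_PARAMS else value)
              for name, value in parse_qsl(parts.query)]
    return parts._replace(query=urlencode(masked)).geturl()


def github_webhook_definition(payload_url: str, events=("push",),
                              allow_all_events: bool = False) -> dict:
    """Body for GitHub's POST /repos/{owner}/{repo}/hooks, mirroring section 3.

    '*' is GitHub's "Send me everything" option; it is refused unless the caller
    opts in, because the article advises against its ingestion volume.
    """
    problems = check_payload_url(payload_url)
    if problems:
        raise ValueError("payload URL rejected: " + "; ".join(problems))
    events = list(events)
    if "*" in events and not allow_all_events:
        raise ValueError("'*' sends every event; set allow_all_events=True only if intended")
    return {
        "name": "web",
        "active": True,
        "events": events,
        "config": {"url": payload_url, "content_type": "json"},
    }


if __name__ == "__main__":
    url = build_webhook_url(ENDPOINT_URL, API_KEY, SECRET)
    print("problems:", check_payload_url(url) or "none")
    print("shareable form:", redact_webhook_url(url))
    print(json.dumps(github_webhook_definition(url, ["push", "pull_request"]), indent=2))
```

Only the redacted form should ever be pasted into chat, tickets or logs; if the full URL is exposed, regenerate the feed secret (step 1B) and the API key (step 1A) and update the webhook.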
Check status in Chronicle:
- Repeat the process for each repository or log type that needs to be onboarded to Chronicle.
- Once the configuration is complete, validate that logs are arriving in Chronicle by searching with the regular expression (".*") or with a specific hostname; the results show which log source types are ingesting into Chronicle. See the screenshot below for reference.