Prerequisites:
1. Admin access to GitHub.
2. Access to the Google Cloud Console to create an API key.
1. Before You Begin
A. Create Google API Key:
1. Go to the Google Cloud Platform Console.
2. Select the project.
3. Select APIs & Services > Credentials.
4. On the Credentials page, click CREATE CREDENTIALS > API key.
5. The API key created dialog displays your newly created API key.
Note: The new API key is listed on the Credentials page under API keys. On that page you can rename, copy, regenerate, delete and restrict the created API key.
6. Edit the API key by clicking the three dots, go to API restrictions, and select ‘Chronicle API’ so the key is restricted to that API only.
7. Click SAVE.
B. Configure GitHub Feed in Chronicle:
1. From the Google Security Operations menu, select Settings, and then click FEEDS.
2. Click Add NEW.
3. In the Feed name field, enter a name for the feed.
4. In the Source type list, select Webhook.
5. Select GitHub as the Log type.
6. Click Next.
7. Review your new feed configuration in the Finalize screen, and then click Submit.
8. Click Generate Secret Key to generate a secret key to authenticate this feed.
9. Copy and store the Secret Key as you cannot view this secret again.
Note: You can generate a new secret key again, but regeneration of the secret key makes the previous secret key obsolete.
10. Go to the Details tab and copy the feed endpoint URL from the Endpoint Information field.
11. Click Done.
2. Specify the Webhook URL
a. Specify the API key and secret key as query parameters on the feed endpoint URL, in the following format:
ENDPOINT_URL?key=API_KEY&secret=SECRET
Replace the following:
ENDPOINT_URL = Chronicle feed endpoint URL (from the Details tab of the feed)
key = API key from the Google Cloud Console
secret = secret key generated for the feed
Example:
https://us-chronicle.googleapis.com/v1alpha/projects/681493028384/locations/us/instances/5a6d4386-8883-4bc2-9cd0-3607e21a95f0/feeds/d73Cfd76-f76a-4eb6-9e40-c8a0d4e5a8d8:importPushLogs?key=AIzaSyBrLGPOKiaMBQE-hrAGH&secret=4bcdb97cc449da2ac47c4f7331a31691c1d4a53d7511aa43e58618
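As an added example (not from the page): a small Python helper that builds the payload URL in exactly the format above, re-parses it to catch the mistakes that silently break feed authentication (a stray space after `key=`, a duplicated or empty parameter, a non-HTTPS scheme), and redacts both credentials before the URL is pasted into a ticket or a log. The endpoint, API key and secret are placeholders.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values (constructed); substitute the real feed endpoint, API key and feed secret.
ENDPOINT_URL = ("https://us-chronicle.googleapis.com/v1alpha/projects/PROJECT_NUMBER"
                "/locations/us/instances/INSTANCE_ID/feeds/FEED_ID:importPushLogs")
API_KEY = "EXAMPLE_API_KEY"
FEED_SECRET = "EXAMPLE_FEED_SECRET"


def build_payload_url(endpoint_url: str, api_key: str, secret: str) -> str:
    """Append key and secret as percent-encoded query parameters to the feed endpoint."""
    if urlsplit(endpoint_url).query:
        raise ValueError("endpoint URL already carries a query string")
    if not endpoint_url.endswith(":importPushLogs"):
        raise ValueError("endpoint URL does not look like a feed push endpoint")
    return f"{endpoint_url}?{urlencode({'key': api_key.strip(), 'secret': secret.strip()})}"


def check_payload_url(url: str) -> dict:
    """Re-parse the URL and confirm each credential appears exactly once, non-empty, without whitespace."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    for name in ("key", "secret"):
        values = qs.get(name, [])
        if len(values) != 1:
            problems.append(f"{name} must appear exactly once")
        elif not values[0] or values[0] != values[0].strip():
            problems.append(f"{name} is empty or has surrounding whitespace")
    return {"ok": not problems, "problems": problems}


def redact_payload_url(url: str) -> str:
    """Mask both credentials so the URL can be shared in tickets or logs without leaking them."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    masked = {k: "REDACTED" if k in ("key", "secret") else v[0] for k, v in qs.items()}
    return parts._replace(query=urlencode(masked)).geturl()
```

Run check_payload_url on the URL you are about to paste into GitHub; a space after `key=` (as in a copy-paste slip) is reported as surrounding whitespace.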
3. Configuration of Webhook in GitHub
You can create webhooks to subscribe to specific events that occur in a GitHub enterprise, organization or repository.
Enterprise GitHub:
1. Navigate to top-right corner of GitHub, click your profile photo.
2. Depending on your environment, click Your enterprise, or click Your enterprises then click the enterprise you want to view.
3. At the top of the page, click ‘Settings’.
4. Under " Settings", click Hooks.
5. Click Add webhook.
6. Payload URL: enter the feed webhook URL built above, including the API key and secret key as query parameters.
Example:
https://us-chronicle.googleapis.com/v1alpha/projects/681493028384/locations/us/instances/5a6d4386-8883-4bc2-9cd0-3607e21a95f0/feeds/d73Cfd76-f76a-4eb6-9e40-c8a0d4e5a8d8:importPushLogs?key=AIzaSyBrLGPOKiaMBQE-hrAGH&secret=4bcdb97cc449da2ac47c4f7331a31691c1d4a53d7511aa43e58618
7. Select application/json as the Content type.
8. Choose the events that trigger the webhook:
Just the push event – if you choose this option, only ‘push’ events trigger the webhook.
Let me select individual events – if you choose this option, you can specify which events (e.g., Organizations, Repositories, Workflow, etc.) are sent to Chronicle.
9. Ensure the Active checkbox is selected.
10. Click Add webhook to save your configuration.
Organization GitHub:
1. In the upper-right corner of any page on GitHub, click your profile photo.
2. Click Your organizations.
3. To the right of the organization, click Settings.
4. In the left sidebar, click ‘Webhooks’.
5. Click Add webhook.
6. Payload URL: enter the feed webhook URL built above, including the API key and secret key as query parameters.
Example:
https://us-chronicle.googleapis.com/v1alpha/projects/681493028384/locations/us/instances/5a6d4386-8883-4bc2-9cd0-3607e21a95f0/feeds/d73Cfd76-f76a-4eb6-9e40-c8a0d4e5a8d8:importPushLogs?key=AIzaSyBrLGPOKiaMBQE-hrAGH&secret=4bcdb97cc449da2ac47c4f7331a31691c1d4a53d7511aa43e58618
7. Select application/json as the Content type.
8. Choose the events that trigger the webhook:
Just the push event – if you choose this option, only ‘push’ events trigger the webhook.
Let me select individual events – if you choose this option, you can specify which events (e.g., Push, Pull, Issues, Repositories, Workflow, etc.) are sent to Chronicle.
9. Ensure the Active checkbox is selected.
10. Click Add webhook to save your configuration.
Repository GitHub:
1. Navigate to the GitHub repository whose logs you want to send.
2. Go to Settings > Webhooks.
3. Click Add webhook.
4. Payload URL: enter the feed webhook URL built above, including the API key and secret key as query parameters.
Example:
https://us-chronicle.googleapis.com/v1alpha/projects/681493028384/locations/us/instances/5a6d4386-8883-4bc2-9cd0-3607e21a95f0/feeds/d73Cfd76-f76a-4eb6-9e40-c8a0d4e5a8d8:importPushLogs?key=AIzaSyBrLGPOKiaMBQE-hrAGH&secret=4bcdb97cc449da2ac47c4f7331a31691c1d4a53d7511aa43e58618
5. Select application/json as the Content type.
6. Choose the events that trigger the webhook:
Just the push event – if you choose this option, only ‘push’ events trigger the webhook.
Let me select individual events – if you choose this option, you can specify which events (e.g., Push, Pull, Issues, Repositories, Workflow, etc.) are sent to Chronicle.
7. Ensure the Active checkbox is selected.
8. Click Add webhook to save your configuration.
Configuration of Audit Logs from GitHub:
Before you begin:
To set up streaming to Google Cloud Storage, create a service account in Google Cloud with the appropriate credentials and permissions, then configure audit log streaming in GitHub using that service account's credentials for authentication.
- Create a service account for Google Cloud. You do not need to set access controls or IAM roles for this account. See Creating and managing service accounts in the Google Cloud documentation.
- Create a JSON key for the service account and store the key securely. See Creating and managing service account keys in the Google Cloud documentation.
- If you haven't yet, create a bucket. See Creating storage buckets in the Google Cloud documentation.
- Give the service account the Storage Object Creator role for the bucket. See Using Cloud IAM permissions in the Google Cloud documentation.
Configure the audit log stream in GitHub:
1. In the top-right corner of GitHub, click your profile photo.
2. Depending on your environment, click Your enterprise, or click Your enterprises then click the enterprise you want to view.
3. At the top of the page, click Settings.
4. Under "Settings", click Audit log.
5. Under "Audit log", click Log streaming.
6. Select the Configure stream dropdown and click Google Cloud Storage.
7. Under "Bucket", type the Name of your Google Cloud Storage bucket.
8. Under "JSON Credentials", paste the entire contents of your service account's JSON key file.
9. To verify that GitHub can connect and write to the Google Cloud Storage bucket, click Check endpoint.
10. After you have successfully verified the endpoint, click Save.
GitHub audit logs are now streamed to the Google Cloud Storage bucket.
Configure GitHub Feed in Chronicle:
1. From the Google Security Operations menu, select Settings, and then click FEEDS.
2. Click Add NEW.
3. In the Feed name field, enter a name for the feed.
4. In the Source type list, select Google Cloud Storage.
5. Select GitHub as the Log type.
6. Click ‘GET A SERVICE ACCOUNT’; the feed's service account is displayed in the box.
7. Grant that service account read access to the bucket:
A. Log in to the GCP Console and select the project.
B. Go to Cloud Storage and click Buckets.
C. Choose the bucket, click the three dots, and click Edit access.
D. Under Add principals, enter the service account in ‘New principals’ and choose the role ‘Storage Legacy Bucket Reader’ under Assign roles.
E. Click SAVE.
8. Click Next.
9. Fill in the following fields:
STORAGE BUCKET URI: Provide the storage bucket URI (an existing GCP storage bucket or a newly created one).
SOURCE DELETION OPTION: Choose ‘Never Delete Files’.
ASSET NAMESPACE: Provide a namespace. Example: ‘GitHub Audit’.
10. Click Next & Save.
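As an added verification step, not part of the page's procedure: a Python check that takes a bucket IAM policy in the shape `gsutil iam get gs://BUCKET` prints and confirms the two grants made above are in place and nothing more, i.e. the GitHub streaming service account holds Storage Object Creator, the Chronicle feed service account holds Storage Legacy Bucket Reader, neither holds broader roles, and no public principal can read the audit-log bucket. The service account names and the sample policy are constructed placeholders.

```python
# Constructed sample of a bucket IAM policy in the shape `gsutil iam get gs://BUCKET` prints.
# Both service account names are placeholders, not real principals.
GITHUB_STREAM_SA = "serviceAccount:github-audit-stream@example-project.iam.gserviceaccount.com"
CHRONICLE_FEED_SA = "serviceAccount:chronicle-feed@example-project.iam.gserviceaccount.com"

SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectCreator", "members": [GITHUB_STREAM_SA]},
        {"role": "roles/storage.legacyBucketReader", "members": [CHRONICLE_FEED_SA]},
        # Deliberate misconfiguration in the sample: the audit-log bucket is world-readable.
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ]
}

# Roles the procedure grants: GitHub streaming writes objects, the Chronicle feed reads the bucket.
REQUIRED_ROLES = {
    GITHUB_STREAM_SA: "roles/storage.objectCreator",
    CHRONICLE_FEED_SA: "roles/storage.legacyBucketReader",
}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def roles_for(policy: dict, member: str) -> set:
    """All roles a principal holds anywhere in the bucket policy."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def check_bucket_policy(policy: dict, required: dict) -> list:
    """Findings: required roles that are missing, extra roles on the two accounts, public access."""
    findings = []
    for member, role in required.items():
        held = roles_for(policy, member)
        if role not in held:
            findings.append(f"missing: {member} needs {role}")
        for extra in sorted(held - {role}):
            findings.append(f"over-privileged: {member} also holds {extra}")
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(f"public: {member} holds {binding['role']}")
    return findings
```

An empty findings list means the bucket matches the two grants described above and nothing else; any "public" finding should be fixed before audit logs start landing in the bucket.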