Collect GitHub audit logs

Supported in:

Google SecOps SIEM

Overview

This parser handles GitHub audit logs in JSON format. It cleans the input by removing numerous fields, performs several grok and key-value operations based on the process_type field to extract relevant information, maps the extracted fields to the UDM, and structures the output for Google SecOps ingestion. It also handles specific edge cases and performs data transformations for different log subtypes within the GitHub audit logs.

Before you begin

Ensure that you have a Google SecOps instance.
Ensure that you have privileged access to GitHub repositories.

Configure a feed in Google SecOps to ingest the GitHub logs

Go to SIEM Settings > Feeds.
Click Add new.
In the Feed name field, enter a name for the feed (for example, GitHub Logs).
Select Webhook as the Source type.
Select GitHub as the Log type.
Click Next.
Optional: specify values for the following input parameters:
- Split delimiter: the delimiter that is used to separate log lines, such as \n.
- Asset namespace: the asset namespace.
- Ingestion labels: the label applied to the events from this feed.
Click Next.
Review the feed configuration in the Finalize screen, and then click Submit.
Click Generate Secret Key to generate a secret key to authenticate this feed.
Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.
On the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.
Click Done.

Create an API key for the webhook feed

Go to Google Cloud console > Credentials.

Go to Credentials
Click Create credentials, and then select API key.
Restrict the API key access to the Google Security Operations API.

Specify the endpoint URL

In your client application, specify the HTTPS endpoint URL provided in the webhook feed.
Enable authentication by specifying the API key and secret key as part of the custom header in the following format:
```
X-goog-api-key = API_KEY
X-Webhook-Access-Key = SECRET
```
Recommendation: Specify the API key as a header instead of specifying it in the URL. If your webhook client doesn't support custom headers, you can specify the API key and secret key using query parameters in the following format:
```
ENDPOINT_URL?key=API_KEY&secret=SECRET
```

Replace the following:

ENDPOINT_URL: the feed endpoint URL.
API_KEY: the API key to authenticate to Google Security Operations.
SECRET: the secret key that you generated to authenticate the feed.

Create a Webhook on GitHub

This guide provides step-by-step instructions for creating a webhook on GitHub to send data to Google SecOps.

Navigate to your GitHub repository.
Go to Settings.
Click Webhooks.
Click Add webhook.
In the Payload URL field, enter the Google SecOps API endpoint URL.
Select application/json as the Content type.

Optional: For enhanced security, set a Secret. This generates a signature for webhook payloads, allowing you to verify their authenticity on the Google SecOps side. If you use a secret, configure it in your Google SecOps feed as well.
Choose the events that trigger the webhook. For comprehensive logging, select Let me select individual events and check the relevant events (for example, Push, Pull Request, Issue). If you are unsure, start with Just the push event.
Ensure the Active checkbox is selected.
Click Add webhook to save your configuration.

UDM Mapping Table

Log Field	UDM Mapping	Logic
`_document_id`	`read_only_udm.additional.fields.[].key`, `read_only_udm.additional.fields.[].value.string_value`	The `_document_id` from the raw log is mapped to a key-value pair in the `additional.fields` array within the UDM.
`action`	`read_only_udm.metadata.product_event_type`, `read_only_udm.security_result.summary`	The `action` field is mapped to `product_event_type` in the metadata and `summary` in the `security_result`.
`actor`	`read_only_udm.principal.user.userid`	The `actor` field, representing the user performing the action, is mapped to `principal.user.userid`.
`actor_id`	`read_only_udm.principal.user.attribute.labels.[].key`, `read_only_udm.principal.user.attribute.labels.[].value`	The `actor_id` is mapped as a label within the `principal.user.attribute.labels` array.
`actor_ip`	`read_only_udm.principal.ip`	The actor's IP address is mapped to `principal.ip`.
`actor_location.country_code`	`read_only_udm.principal.location.country_or_region`	The actor's country code is mapped to `principal.location.country_or_region`.
`application_name`	`read_only_udm.target.application`	The application name is mapped to `target.application`.
`business`	`read_only_udm.target.user.company_name`, `read_only_udm.additional.fields.[].key`, `read_only_udm.additional.fields.[].value.string_value`	The business name is mapped to `target.user.company_name` and as a key-value pair in `additional.fields`.
`business_id`	`read_only_udm.target.resource.attribute.labels.[].key`, `read_only_udm.target.resource.attribute.labels.[].value`	The business ID is mapped as a label within the `target.resource.attribute.labels` array.
`config.url`	`read_only_udm.target.url`	The configuration URL is mapped to `target.url`.
`created_at`	`read_only_udm.metadata.event_timestamp`	The `created_at` timestamp is converted to the appropriate format and mapped to `metadata.event_timestamp`.
`data.cancelled_at`	`read_only_udm.extensions.vulns.vulnerabilities.scan_end_time`	The `data.cancelled_at` timestamp is converted and mapped to `extensions.vulns.vulnerabilities.scan_end_time`.
`data.email`	`read_only_udm.target.email`	The email address from the data field is mapped to `target.email`.
`data.event`	`read_only_udm.security_result.about.labels.[].key`, `read_only_udm.security_result.about.labels.[].value`	The event from the data field is mapped as a label within the `security_result.about.labels` array.
`data.events`	`read_only_udm.security_result.about.labels.[].key`, `read_only_udm.security_result.about.labels.[].value`	Events from the data field are mapped as labels within the `security_result.about.labels` array.
`data.head_branch`	`read_only_udm.security_result.about.labels.[].key`, `read_only_udm.security_result.about.labels.[].value`	The head branch from the data field is mapped as a label within the `security_result.about.labels` array.
`data.head_sha`	`read_only_udm.target.file.sha256`	The head SHA from the data field is mapped to `target.file.sha256`.
`data.hook_id`	`read_only_udm.target.resource.attribute.labels.[].key`, `read_only_udm.target.resource.attribute.labels.[].value`	The hook ID from the data field is mapped as a label within the `target.resource.attribute.labels` array.
`data.started_at`	`read_only_udm.extensions.vulns.vulnerabilities.scan_start_time`	The `data.started_at` timestamp is converted and mapped to `extensions.vulns.vulnerabilities.scan_start_time`.
`data.team`	`read_only_udm.target.user.group_identifiers`	The team from the data field is mapped to `target.user.group_identifiers`.
`data.trigger_id`	`read_only_udm.security_result.about.labels.[].key`, `read_only_udm.security_result.about.labels.[].value`	The trigger ID from the data field is mapped as a label within the `security_result.about.labels` array.
`data.workflow_id`	`read_only_udm.security_result.about.labels.[].key`, `read_only_udm.security_result.about.labels.[].value`	The workflow ID from the data field is mapped as a label within the `security_result.about.labels` array.
`data.workflow_run_id`	`read_only_udm.security_result.about.labels.[].key`, `read_only_udm.security_result.about.labels.[].value`	The workflow run ID from the data field is mapped as a label within the `security_result.about.labels` array.
`enterprise.name`	`read_only_udm.additional.fields.[].key`, `read_only_udm.additional.fields.[].value.string_value`	The enterprise name is mapped as a key-value pair in `additional.fields`.
`external_identity_nameid`	`read_only_udm.target.user.userid`, `read_only_udm.target.user.email_addresses`	If the `external_identity_nameid` is an email address, the username part is extracted and mapped to `target.user.userid`, and the full email is added to `target.user.email_addresses`. Otherwise, the entire value is mapped to `target.user.userid`.
`external_identity_username`	`read_only_udm.target.user.user_display_name`	The external identity username is mapped to `target.user.user_display_name`.
`hashed_token`	`read_only_udm.network.session_id`	The hashed token is mapped to `network.session_id`.
`org`	`read_only_udm.target.administrative_domain`	The organization is mapped to `target.administrative_domain`.
`org_id`	`read_only_udm.additional.fields.[].key`, `read_only_udm.additional.fields.[].value.string_value`	The organization ID is mapped as a key-value pair in `additional.fields`.
`programmatic_access_type`	`read_only_udm.additional.fields.[].key`, `read_only_udm.additional.fields.[].value.string_value`	The programmatic access type is mapped as a key-value pair in `additional.fields`.
`public_repo`	`read_only_udm.additional.fields.[].key`, `read_only_udm.additional.fields.[].value.string_value`, `read_only_udm.target.location.name`	The `public_repo` value determines the value mapped to a key-value pair in `additional.fields` and `target.location.name`. "false" maps to "PRIVATE", and other values map to "PUBLIC".
`query_string`	`read_only_udm.additional.fields.[].key`, `read_only_udm.additional.fields.[].value.string_value`	The query string is mapped as a key-value pair in `additional.fields`.
`rate_limit_remaining`	`read_only_udm.additional.fields.[].key`, `read_only_udm.additional.fields.[].value.string_value`	The rate limit remaining is mapped as a key-value pair in `additional.fields`.
`repo`	`read_only_udm.target.resource.name`	The repository is mapped to `target.resource.name`.
`repo_id`	`read_only_udm.additional.fields.[].key`, `read_only_udm.additional.fields.[].value.string_value`	The repository ID is mapped as a key-value pair in `additional.fields`.
`repository_public`	`read_only_udm.additional.fields.[].key`, `read_only_udm.additional.fields.[].value.string_value`	The repository public flag is mapped as a key-value pair in `additional.fields`.
`request_body`	`read_only_udm.additional.fields.[].key`, `read_only_udm.additional.fields.[].value.string_value`	The request body is mapped as a key-value pair in `additional.fields`.
`request_method`	`read_only_udm.network.http.method`	The request method is converted to uppercase and mapped to `network.http.method`.
`route`	`read_only_udm.additional.fields.[].key`, `read_only_udm.additional.fields.[].value.string_value`	The route is mapped as a key-value pair in `additional.fields`.
`status_code`	`read_only_udm.network.http.response_code`	The status code is converted to an integer and mapped to `network.http.response_code`.
`token_id`	`read_only_udm.additional.fields.[].key`, `read_only_udm.additional.fields.[].value.string_value`	The token ID is mapped as a key-value pair in `additional.fields`.
`token_scopes`	`read_only_udm.additional.fields.[].key`, `read_only_udm.additional.fields.[].value.string_value`	The token scopes are mapped as a key-value pair in `additional.fields`.
`transport_protocol_name`	`read_only_udm.network.application_protocol`	The transport protocol name is converted to uppercase and mapped to `network.application_protocol`.
`url_path`	`read_only_udm.target.url`	The URL path is mapped to `target.url`.
`user`	`read_only_udm.target.user.user_display_name`	The user is mapped to `target.user.user_display_name`.
`user_agent`	`read_only_udm.network.http.user_agent`, `read_only_udm.network.http.parsed_user_agent`	The user agent is mapped to `network.http.user_agent`, and its parsed version is mapped to `network.http.parsed_user_agent`.
`user_id`	`read_only_udm.target.user.userid`	The user ID is mapped to `target.user.userid`.
`workflow.name`	`read_only_udm.security_result.about.labels.[].key`, `read_only_udm.security_result.about.labels.[].value`	The workflow name is mapped as a label within the `security_result.about.labels` array.
`workflow_run.event`	`read_only_udm.additional.fields.[].key`, `read_only_udm.additional.fields.[].value.string_value`	The workflow run event is mapped as a key-value pair in `additional.fields`.
`workflow_run.head_branch`	`read_only_udm.security_result.about.labels.[].key`, `read_only_udm.security_result.about.labels.[].value`	The workflow run head branch is mapped as a label within the `security_result.about.labels` array.
`workflow_run.head_sha`	`read_only_udm.target.file.sha256`	The workflow run head SHA is mapped to `target.file.sha256`.
`workflow_run.id`	`read_only_udm.target.resource.attribute.labels.[].key`, `read_only_udm.target.resource.attribute.labels.[].value`	The workflow run ID is mapped as a label within the `target.resource.attribute.labels` array.
`workflow_run.workflow_id`	`read_only_udm.security_result.about.labels.[].key`, `read_only_udm.security_result.about.labels.[].value`	The workflow run workflow ID is mapped as a label within the `security_result.about.labels` array.
(Parser Logic)	`read_only_udm.metadata.event_type`	The event type is determined by the parser based on the presence and values of other fields, such as `data.team`, `action`, and `actor`. It defaults to `USER_RESOURCE_ACCESS` if no other specific condition is met.
(Parser Logic)	`read_only_udm.metadata.log_type`	The log type is hardcoded to "GITHUB".
(Parser Logic)	`read_only_udm.metadata.product_name`	The product name is hardcoded to "GITHUB".
(Parser Logic)	`read_only_udm.metadata.vendor_name`	The vendor name is hardcoded to "GITHUB".
(Parser Logic)	`read_only_udm.target.resource.resource_type`	The resource type is set to `STORAGE_OBJECT` when the `repo` field is present.
(Parser Logic)	`read_only_udm.target.resource.type`	The resource type is derived from the `action` field.
(Parser Logic)	`read_only_udm.security_result.action`	The security action (ALLOW/BLOCK) is derived from the `at` or `raw.at` fields if they are present and equal to "success" or not.
(Parser Logic)	`read_only_udm.security_result.severity`	The security severity is derived from the `level` or `SeverityText` fields if they are present. "INFO" is mapped to "INFORMATIONAL", "WARN" to "MEDIUM", and other values are mapped directly. For `git-daemon` logs, "fatal" is mapped to "CRITICAL".
(Parser Logic)	`read_only_udm.network.application_protocol`	The application protocol is derived from the `protocol`, `proto`, `babeld_proto`, `transport_protocol_name`, or `raw.protocol` fields, converting to uppercase and checking for "HTTP", "HTTPS", and "SSH".
(Parser Logic)	`read_only_udm.network.application_protocol_version`	The application protocol version is derived from the `http_version` field if present.
(Parser Logic)	`read_only_udm.network.http.parsed_user_agent`	The parsed user agent is derived from the `user_agent`, `column5`, `http_ua`, or `content` fields if present.
(Parser Logic)	`read_only_udm.network.received_bytes`	The received bytes are derived from the `column3`, `read_bytes`, `fs_recv`, or `uploaded_bytes` fields if present, converting to an unsigned integer.
(Parser Logic)	`read_only_udm.network.received_packets`	The received packets are derived from the `client_recv` field if present, converting to an integer.
(Parser Logic)	`read_only_udm.network.response_code`	The response code is derived from the `column2`, `status`, `status_code`, or `http_status` fields if present, converting to an integer.
(Parser Logic)	`read_only_udm.network.sent_bytes`	The sent bytes are derived from the `client_sent` field if present, converting to an unsigned integer.
(Parser Logic)	`read_only_udm.network.sent_packets`	The sent packets are derived from the `fs_sent` field if present, converting to an integer.
(Parser Logic)	`read_only_udm.network.session_duration.seconds`	The session duration in seconds is derived from the `time_duration` field if present, converting to an integer.
(Parser Logic)	`read_only_udm.target.file.full_path`	The target file full path is derived from the `path`, `git_dir`, or `dir` fields if present.
(Parser Logic)	`read_only_udm.target.file.sha1`	The target file SHA1 is derived from the `sha` field if present.
(Parser Logic)	`read_only_udm.target.hostname`	The target hostname is derived from the `client_hostname` field if present.
(Parser Logic)	`read_only_udm.target.ip`	The target IP is derived from the `x_real_ip`, `remote_address`, `client_ip`, or `remote_addr` fields if present.
(Parser Logic)	`read_only_udm.target.location.name`	The target location name is derived from the `datacenter` or `public_repo` fields if present.
(Parser Logic)	`read_only_udm.target.port`	The target port is derived from the `client_port`, `dstp`, or `remote_port` fields if present, converting to an integer.
(Parser Logic)	`read_only_udm.target.process.command_line`	The target process command line is derived from the `command`, `ssh_cmd`, `cmdline`, or `cmd` fields if present.
(Parser Logic)	`read_only_udm.target.process.parent_process.pid`	The target process parent process ID is derived from the `ppid` field if present, converting to a string.
(Parser Logic)	`read_only_udm.target.process.pid`	The target process ID is derived from the `pid` field if present, converting to a string.
(Parser Logic)	`read_only_udm.target.url`	The target URL is derived from the `url`, `http_url`, `request_url`, `http_request`, `dest_url`, `config.url`, or `url_path` fields if present. It can also be constructed from `path_info` and `query_string`.
(Parser Logic)	`read_only_udm.target.user.attribute.roles.[].name`	The target user roles are derived from the `actor_type` or `user_type` fields if present.
(Parser Logic)	`read_only_udm.target.user.email_addresses`	The target user email addresses are derived from the `external_identity_nameid` field if it is an email address.
(Parser Logic)	`read_only_udm.target.user.group_identifiers`	The target user group identifiers are derived from the `data.team` field if present.
(Parser Logic)	`read_only_udm.target.user.userid`	The target user ID is derived from the `userid`, `external_identity_nameid`, `current_user`, `member`, `user_id`, `actor_id`, or `raw.user_id` fields if present.
(Parser Logic)	`read_only_udm.target.user.user_display_name`	The target user display name is derived from the `login`, `user`, `external_identity_username`, `user_login`, or `raw.login` fields if present.
(Parser Logic)	`read_only_udm.principal.asset.asset_id`	The principal asset ID is derived from the `guid` field, prefixed with "GUID: ".
(Parser Logic)	`read_only_udm.principal.hostname`	The principal hostname is derived from the `hostname`, `request_host`, `host`, or `principal_hostname` fields if present.
(Parser Logic)	`read_only_udm.principal.ip`	The principal IP is derived from the `column6`, `ip`, `x_real_ip`, `remote_address`, `raw.ip`, `actor_ip`, or `log:source:ip` fields if present.
(Parser Logic)	`read_only_udm.principal.location.country_or_region`	The principal location country or region is derived from the `actor_location.country_code` field if present.
(Parser Logic)	`read_only_udm.principal.port`	The principal port is derived from the `srcp` or `log:source:port` fields if present, converting to an integer.
(Parser Logic)	`read_only_udm.principal.resource.name`	The principal resource name is derived from the `service.name` field if present.
(Parser Logic)	`read_only_udm.principal.resource.product_object_id`	The principal resource product object ID is derived from the `service.instance.id` or `subject_id` fields if present.
(Parser Logic)	`read_only_udm.principal.url`	The principal URL is derived from the `repo` field if present.
(Parser Logic)	`read_only_udm.principal.user.userid`	The principal user ID is derived from the `repository_owner_id` field if present, converting to a string.
(Parser Logic)	`read_only_udm.principal.user.user_display_name`	The principal user display name is derived from the `repo_name` field if present.
(Parser Logic)	`read_only_udm.intermediary.hostname`	The intermediary hostname is derived from the `hostname` field if present.
(Parser Logic)	`read_only_udm.intermediary.ip`	The intermediary IP is derived from the `x_forwarded_for` or `xff_ip` fields if present.
(Parser Logic)	`read_only_udm.metadata.description`	The metadata description is derived from the `content`, `at`, or `raw.message` fields if present.
(Parser Logic)	`read_only_udm.metadata.product_event_type`	The product event type is derived from the `process_type` or `action` fields if present.
(Parser Logic)	`read_only_udm.metadata.product_log_id`	The product log ID is derived from the `github_request_id`, `id`, `request_id`, or `raw.request_id` fields if present.
(Parser Logic)	`read_only_udm.metadata.product_version`	The product version is derived from the `version` field if present.
(Parser Logic)	`read_only_udm.security_result.about.labels.[].key`, `read_only_udm.security_result.about.labels.[].value`	Various labels are added to the `security_result.about.labels` array based on the presence and values of fields like `data.events`, `data.workflow_id`, `workflow.name`, `data.head_branch`, `data.trigger_id`, `data.workflow_run_id`, and `data.event`.
(Parser Logic)	`read_only_udm.security_result.description`	The security result description is derived from the `auth_status`, `data_msg`, `msg`, `Body`, `desc`, or `content` fields if present.
(Parser Logic)	`read_only_udm.security_result.severity_details`	The security result severity details are derived from the `userid` field if present.
(Parser Logic)	`read_only_udm.security_result.summary`	The security result summary is derived from the `creason`, `action`, or `reason` fields if present.
(Parser Logic)	`read_only_udm.network.http.referral_url`	The HTTP referral URL is derived from the `column4` or `referer` fields if present.
(Parser Logic)	`read_only_udm.network.http.user_agent`	The HTTP user agent is derived from the `column5`, `http_ua`, or `user_agent` fields if present.
(Parser Logic)	`read_only_udm.network.sent_bytes`	The network sent bytes are derived from the `client_sent` or `fs_sent` fields if present, converting to an unsigned integer.
(Parser Logic)	`read_only_udm.additional.fields.[].key`, `read_only_udm.additional.fields.[].value.string_value`	Many fields are conditionally mapped as key-value pairs in the `additional.fields` array, including `auth_fingerprint`, `controller`, `oauth_access_id`, `oauth_application_id`, `oauth_scopes`, `route`, `worker_request_count`, `repo`, `repo_visibility`, `auth`, `content_length`, `elapsed`, `catalog_service`, `action`, `method`, `failure_type`, `failure_reason`, `hashed_token`, `token_type`, `gitauth_version`, `enterprise.name`, `programmatic_access_type`, `token_id`, `token_scopes`, `integration`, `query_string`, `rate_limit_remaining`, `request_body`, `org_id`, `repo_id`, `repository_public`, `raw.method`, `raw.failure_type`, `raw.failure_reason`, `raw.from`, `raw.raw_login`, `device_cookie`, `operation`, `operation_type`, `category_type`, `business`, `note`, `read`, `pre_perform_allocation_count`, `backend`, `queue`, `class`, `success`, `env`, `job_id`, and `job`. The specific logic for each field is detailed in the parser code.
(Parser Logic)	`read_only_udm.security_result.detection_fields.[].key`, `read_only_udm.security_result.detection_fields.[].value`	The fields `controller_action`, `two_factor`, `delay_time`, `queued_time`, `delivery_build`, `delivery_send`, and `stages` are conditionally mapped to the `security_result.detection_fields` array.
(Parser Logic)	`read_only_udm.target.resource.attribute.labels.[].key`, `read_only_udm.target.resource.attribute.labels.[].value`	The fields `hook_id`, `job_name`, `job_workflow_ref`, `runner_group_id`, `runner_group_name`, `runner_name`, `runner_id`, `workflow_run_id`, and `business_id` are conditionally mapped as labels within the `target.resource.attribute.labels` array.
(Parser Logic)	`read_only_udm.metadata.event_timestamp`	If the timestamp is not directly available in a supported format, the parser attempts to extract and convert it from various fields, including `ts`, `now`, `created_at`, `Timestamp`, `time`, and `raw.now`.
(Parser Logic)	`read_only_udm.network.http.method`	The HTTP method is derived from the `method`, `column1`, `request_method`, `http_method`, or `raw.method` fields, converting to uppercase.
(Parser Logic)	`read_only_udm.target.application`	The target application is derived from the `process`, `program`, or `app` fields if present.

Changes

2023-12-18

Bug-Fix:
If "process_type" is "github_production", added a Grok pattern to extract "kv_data".
If "process_type" is "github_production", mapped "user" to "target.user.user_display_name".
If "process_type" is "github_production", mapped "user_id" to "target.user.userid".
Mapped "referrer" to "network.http.referral_url".
Mapped "user_session_id" to "network.session_id".
Mapped "ip" to "principal.ip".
Mapped "from" to "additional.fields".
Mapped "request_category" to "additional.fields".
Mapped "device_cookie" to "additional.fields".
Mapped "operation_type" to "additional.fields".
Mapped "category_type" to "additional.fields".
Mapped "note" to "additional.fields".
Mapped "read" to "additional.fields".
Mapped "pre_perform_allocation_count" to "additional.fields".
Mapped "backend" to "additional.fields".
Mapped "queue" to "additional.fields".
Mapped "class" to "additional.fields".
Mapped "success" to "additional.fields".
Mapped "controller_action" to "security_result.detection_fields".
Mapped "two_factor" to "security_result.detection_fields".

2023-10-25

When "public_repo" is "false", set "target.location.name" to "PRIVATE", else set to "PUBLIC".

2023-10-11

Mapped "user_agent" to "network.http.user_agent" and "network.http.parsed_user_agent".
Mapped "request_method" to "network.http.method".
Mapped "application_name" to "target.application".
Mapped "status_code" to "network.http.response_code".
Mapped "url_path" to "target.url".
Mapped "user_id" to "target.userid".
Mapped "transport_protocol_name" to "network.application_protocol".
Mapped "raw.now" to "metadata.event_timestamp".
Mapped "raw.ip" to "principal.ip".
Mapped "raw.request_id" to "metadata.product_log_id".
Mapped "raw.repo" to "target.url".
Mapped "raw.action" to "security_result.summary".
Mapped "raw.protocol" to "network.application_protocol".
Mapped "raw.message" to "metadata.description".
Mapped "raw.at" to "security_result.action".
Mapped "raw.login" to "target.user_display_name".
Mapped "raw.user_id" to "target.userid".
Mapped "raw.failure_reason", "raw.failure_type", "raw.raw_login" and "raw.from" to "additional.fields".
Mapped "programmatic_access_type", "actor_id", "token_id", "token_scopes", "integration", "query_string", "rate_limit_remaining", "request_body", "route", "business", "org_id", "repo_id", "public_repo", "_document_id", "operation_type", "repository_public" to "additional.fields".

2023-07-31

Bug-Fix:
Added "on_error" to Grok patterns.
Mapped "workflow_run.id" to "target.resource.attribute.labels".
Mapped "workflow_run.event" to "additional.fields".
Mapped "workflow_run.actor.login" to "principal.user.userid".
Mapped "workflow_run.head_branch" to "security_result.about.labels".
Mapped "workflow_run.head_sha" to "target.file.sha256".
Mapped "enterprise.name" to "additional.fields".
Mapped "workflow.name" to "security_result.about.labels".
Mapped "workflow_run.workflow_id" to "security_result.about.labels".

2023-06-22

Added support for the "github_auth", "haproxy", "github_access", "github_unicorn", "github_production", "hookshot-go", "babeld", "github_gitauth", "babeld2hydro", "authzd", "gitrpcd", "agent", "git-daemon", "github_resqued", "sudo", "systemd" and "github_audit" syslog log formats.

2023-06-09

Enhancement-
Mapped "external_identity_nameid" to "target.user.email_addresses" if in email format.
Fetch the username from "external_identity_nameid" and map to "target.user.userid".

2023-01-13

Enhancement-
Mapped "actor_ip" to" "principal.ip".
Mapped "hashed_token" to "network.session_id".
Mapped "external_identity_nameid" to "target.user.userid "
Mapped "external_identity_username" to target.user.user_display_name".

2022-11-28

Enhancement - Mapped "config.url" to "target.url".

2022-07-07

Enhancement - The newly ingested JSON format logs having action "git.clone","git.push" and "workflows.prepared_workflow_job" have been handled and parsed.
'job_name' mapped to 'target.resource.attribute.labels'.
'job_workflow_ref' mapped to 'target.resource.attribute.labels'.
'runner_group_id' mapped to 'target.resource.attribute.labels'.
'runner_group_name' mapped to 'target.resource.attribute.labels'.
'runner_name' mapped to 'target.resource.attribute.labels'.
'runner_id' mapped to 'target.resource.attribute.labels'.
'workflow_run_id' mapped to 'target.resource.attribute.labels'.
'actor_location.country_code' mapped to 'principal.location.country_or_region'.