{ "name": "github", "title": "GitHub", "version": "2.22.1", "release": "ga", "description": "Collect logs from GitHub with Elastic Agent.", "type": "integration", "download": "/epr/github/github-2.22.1.zip", "path": "/package/github/2.22.1", "icons": [ { "src": "/img/github.svg", "path": "/package/github/2.22.1/img/github.svg", "title": "GitHub", "size": "1024x1024", "type": "image/svg+xml" } ], "conditions": { "kibana": { "version": "^8.19.10 || ~9.1.10 || ~9.2.4 || ^9.3.0" } }, "owner": { "type": "elastic", "github": "elastic/security-service-integrations" }, "categories": [ "security", "productivity_security" ], "signature_path": "/epr/github/github-2.22.1.zip.sig", "format_version": "3.4.0", "readme": "/package/github/2.22.1/docs/README.md", "license": "basic", "screenshots": [ { "src": "/img/github-audit-dashboard.png", "path": "/package/github/2.22.1/img/github-audit-dashboard.png", "title": "GitHub audit overview", "size": "3000x1788", "type": "image/png" }, { "src": "/img/github-user-dashboard.png", "path": "/package/github/2.22.1/img/github-user-dashboard.png", "title": "GitHub user overview", "size": "2998x1631", "type": "image/png" }, { "src": "/img/github-security_advisories-dashboard.png", "path": "/package/github/2.22.1/img/github-security_advisories-dashboard.png", "title": "GitHub security advisories overview", "size": "1594x1088", "type": "image/png" }, { "src": "/img/github-advance_security-dashboard.png", "path": "/package/github/2.22.1/img/github-advance_security-dashboard.png", "title": "GitHub advance security overview", "size": "600x600", "type": "image/png" }, { "src": "/img/github-code_scanning-dashboard.png", "path": "/package/github/2.22.1/img/github-code_scanning-dashboard.png", "title": "GitHub code scanning overview", "size": "600x600", "type": "image/png" }, { "src": "/img/github-dependabot-dashboard.png", "path": "/package/github/2.22.1/img/github-dependabot-dashboard.png", "title": "GitHub dependabot overview", "size": "600x600", "type": "image/png" }, { "src": "/img/github-issues-dashboard.png", "path": "/package/github/2.22.1/img/github-issues-dashboard.png", "title": "GitHub issues overview", "size": "600x600", "type": "image/png" }, { "src": "/img/github-secret_scanning-dashboard.png", "path": "/package/github/2.22.1/img/github-secret_scanning-dashboard.png", "title": "GitHub secret scanning overview", "size": "600x600", "type": "image/png" } ], "assets": [ "/package/github/2.22.1/LICENSE.txt", "/package/github/2.22.1/changelog.yml", "/package/github/2.22.1/manifest.yml", "/package/github/2.22.1/validation.yml", "/package/github/2.22.1/docs/README.md", "/package/github/2.22.1/img/github-advance_security-dashboard.png", "/package/github/2.22.1/img/github-audit-dashboard.png", "/package/github/2.22.1/img/github-code_scanning-dashboard.png", "/package/github/2.22.1/img/github-dependabot-dashboard.png", "/package/github/2.22.1/img/github-issues-dashboard.png", "/package/github/2.22.1/img/github-secret_scanning-dashboard.png", "/package/github/2.22.1/img/github-security_advisories-dashboard.png", "/package/github/2.22.1/img/github-user-dashboard.png", "/package/github/2.22.1/img/github.svg", "/package/github/2.22.1/kibana/tags.yml", "/package/github/2.22.1/data_stream/audit/manifest.yml", "/package/github/2.22.1/data_stream/audit/sample_event.json", "/package/github/2.22.1/data_stream/code_scanning/manifest.yml", "/package/github/2.22.1/data_stream/code_scanning/sample_event.json", "/package/github/2.22.1/data_stream/dependabot/manifest.yml", "/package/github/2.22.1/data_stream/dependabot/sample_event.json", "/package/github/2.22.1/data_stream/issues/manifest.yml", "/package/github/2.22.1/data_stream/issues/sample_event.json", "/package/github/2.22.1/data_stream/secret_scanning/manifest.yml", "/package/github/2.22.1/data_stream/secret_scanning/sample_event.json", "/package/github/2.22.1/data_stream/security_advisories/manifest.yml", "/package/github/2.22.1/data_stream/security_advisories/sample_event.json", "/package/github/2.22.1/kibana/dashboard/github-4da91aa0-12fc-11ed-af77-016e1a977d80.json", "/package/github/2.22.1/kibana/dashboard/github-591d69e0-17b6-11ed-809a-7b4be950fe9c.json", "/package/github/2.22.1/kibana/dashboard/github-6197be80-220c-11ed-88c4-e3caca48250a.json", "/package/github/2.22.1/kibana/dashboard/github-6a6d7c40-17ab-11ed-809a-7b4be950fe9c.json", "/package/github/2.22.1/kibana/dashboard/github-8bfd8310-205c-11ec-8b10-11a4c5e322a0.json", "/package/github/2.22.1/kibana/dashboard/github-dcee84c0-2059-11ec-8b10-11a4c5e322a0.json", "/package/github/2.22.1/kibana/dashboard/github-e6726e8d-0a94-4917-978a-b5a762b39ee5.json", "/package/github/2.22.1/kibana/dashboard/github-f0104680-ae18-11ed-83fa-df5d96a45724.json", "/package/github/2.22.1/kibana/search/github-173f1050-20ae-11ec-8b10-11a4c5e322a0.json", "/package/github/2.22.1/kibana/search/github-8c37be30-872a-46e9-b530-73f0f2e8f5c0.json", "/package/github/2.22.1/kibana/search/github-a5f3d9b0-20af-11ec-8b10-11a4c5e322a0.json", "/package/github/2.22.1/data_stream/audit/fields/agent.yml", "/package/github/2.22.1/data_stream/audit/fields/base-fields.yml", "/package/github/2.22.1/data_stream/audit/fields/beats.yml", "/package/github/2.22.1/data_stream/audit/fields/fields.yml", "/package/github/2.22.1/data_stream/code_scanning/fields/agent.yml", "/package/github/2.22.1/data_stream/code_scanning/fields/base-fields.yml", "/package/github/2.22.1/data_stream/code_scanning/fields/ecs.yml", "/package/github/2.22.1/data_stream/code_scanning/fields/fields.yml", "/package/github/2.22.1/data_stream/code_scanning/fields/is-transform-source-true.yml", "/package/github/2.22.1/data_stream/code_scanning/fields/package-fields.yml", "/package/github/2.22.1/data_stream/dependabot/fields/agent.yml", "/package/github/2.22.1/data_stream/dependabot/fields/base-fields.yml", "/package/github/2.22.1/data_stream/dependabot/fields/ecs.yml", "/package/github/2.22.1/data_stream/dependabot/fields/fields.yml", "/package/github/2.22.1/data_stream/dependabot/fields/is-transform-source-true.yml", "/package/github/2.22.1/data_stream/dependabot/fields/package-fields.yml", "/package/github/2.22.1/data_stream/issues/fields/agent.yml", "/package/github/2.22.1/data_stream/issues/fields/base-fields.yml", "/package/github/2.22.1/data_stream/issues/fields/ecs.yml", "/package/github/2.22.1/data_stream/issues/fields/fields.yml", "/package/github/2.22.1/data_stream/issues/fields/is-transform-source-true.yml", "/package/github/2.22.1/data_stream/issues/fields/package-fields.yml", "/package/github/2.22.1/data_stream/secret_scanning/fields/agent.yml", "/package/github/2.22.1/data_stream/secret_scanning/fields/base-fields.yml", "/package/github/2.22.1/data_stream/secret_scanning/fields/ecs.yml", "/package/github/2.22.1/data_stream/secret_scanning/fields/fields.yml", "/package/github/2.22.1/data_stream/secret_scanning/fields/is-transform-source-true.yml", "/package/github/2.22.1/data_stream/secret_scanning/fields/package-fields.yml", "/package/github/2.22.1/data_stream/security_advisories/fields/base-fields.yml", "/package/github/2.22.1/data_stream/security_advisories/fields/beats.yml", "/package/github/2.22.1/data_stream/security_advisories/fields/fields.yml", "/package/github/2.22.1/elasticsearch/transform/latest_code_scanning/manifest.yml", "/package/github/2.22.1/elasticsearch/transform/latest_code_scanning/transform.yml", "/package/github/2.22.1/elasticsearch/transform/latest_dependabot/manifest.yml", "/package/github/2.22.1/elasticsearch/transform/latest_dependabot/transform.yml", "/package/github/2.22.1/elasticsearch/transform/latest_issues/manifest.yml", "/package/github/2.22.1/elasticsearch/transform/latest_issues/transform.yml", "/package/github/2.22.1/elasticsearch/transform/latest_secret_scanning/manifest.yml", "/package/github/2.22.1/elasticsearch/transform/latest_secret_scanning/transform.yml", "/package/github/2.22.1/data_stream/audit/agent/stream/abs.yml.hbs", "/package/github/2.22.1/data_stream/audit/agent/stream/aws-s3.yml.hbs", "/package/github/2.22.1/data_stream/audit/agent/stream/azure-eventhub.yml.hbs", "/package/github/2.22.1/data_stream/audit/agent/stream/gcs.yml.hbs", "/package/github/2.22.1/data_stream/audit/agent/stream/httpjson.yml.hbs", "/package/github/2.22.1/data_stream/audit/elasticsearch/ingest_pipeline/default.yml", "/package/github/2.22.1/data_stream/code_scanning/agent/stream/httpjson.yml.hbs", "/package/github/2.22.1/data_stream/code_scanning/elasticsearch/ingest_pipeline/default.yml", "/package/github/2.22.1/data_stream/dependabot/agent/stream/httpjson.yml.hbs", "/package/github/2.22.1/data_stream/dependabot/elasticsearch/ingest_pipeline/default.yml", "/package/github/2.22.1/data_stream/issues/agent/stream/httpjson.yml.hbs", "/package/github/2.22.1/data_stream/issues/elasticsearch/ingest_pipeline/default.yml", "/package/github/2.22.1/data_stream/secret_scanning/agent/stream/httpjson.yml.hbs", "/package/github/2.22.1/data_stream/secret_scanning/elasticsearch/ingest_pipeline/default.yml", "/package/github/2.22.1/data_stream/security_advisories/agent/stream/cel.yml.hbs", "/package/github/2.22.1/data_stream/security_advisories/elasticsearch/ingest_pipeline/default.yml", "/package/github/2.22.1/elasticsearch/transform/latest_code_scanning/fields/agent.yml", "/package/github/2.22.1/elasticsearch/transform/latest_code_scanning/fields/base-fields.yml", "/package/github/2.22.1/elasticsearch/transform/latest_code_scanning/fields/ecs.yml", "/package/github/2.22.1/elasticsearch/transform/latest_code_scanning/fields/fields.yml", "/package/github/2.22.1/elasticsearch/transform/latest_code_scanning/fields/is-transform-source-false.yml", "/package/github/2.22.1/elasticsearch/transform/latest_code_scanning/fields/package-fields.yml", "/package/github/2.22.1/elasticsearch/transform/latest_dependabot/fields/agent.yml", "/package/github/2.22.1/elasticsearch/transform/latest_dependabot/fields/base-fields.yml", "/package/github/2.22.1/elasticsearch/transform/latest_dependabot/fields/ecs.yml", "/package/github/2.22.1/elasticsearch/transform/latest_dependabot/fields/fields.yml", "/package/github/2.22.1/elasticsearch/transform/latest_dependabot/fields/is-transform-source-false.yml", "/package/github/2.22.1/elasticsearch/transform/latest_dependabot/fields/package-fields.yml", "/package/github/2.22.1/elasticsearch/transform/latest_issues/fields/agent.yml", "/package/github/2.22.1/elasticsearch/transform/latest_issues/fields/base-fields.yml", "/package/github/2.22.1/elasticsearch/transform/latest_issues/fields/ecs.yml", "/package/github/2.22.1/elasticsearch/transform/latest_issues/fields/fields.yml", "/package/github/2.22.1/elasticsearch/transform/latest_issues/fields/is-transform-source-false.yml", "/package/github/2.22.1/elasticsearch/transform/latest_issues/fields/package-fields.yml", "/package/github/2.22.1/elasticsearch/transform/latest_secret_scanning/fields/agent.yml", "/package/github/2.22.1/elasticsearch/transform/latest_secret_scanning/fields/base-fields.yml", "/package/github/2.22.1/elasticsearch/transform/latest_secret_scanning/fields/ecs.yml", "/package/github/2.22.1/elasticsearch/transform/latest_secret_scanning/fields/fields.yml", "/package/github/2.22.1/elasticsearch/transform/latest_secret_scanning/fields/is-transform-source-false.yml", "/package/github/2.22.1/elasticsearch/transform/latest_secret_scanning/fields/package-fields.yml" ], "policy_templates": [ { "name": "github", "title": "GitHub logs", "description": "Collect logs from GitHub", "inputs": [ { "type": "aws-s3", "title": "Collect logs from GitHub using AWS S3 or AWS SQS", "description": "Collecting logs from GitHub using AWS S3 or AWS SQS." }, { "type": "httpjson", "vars": [ { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.", "multi": false, "required": false, "show_user": false } ], "title": "Collect GitHub logs via API", "description": "Collecting logs from GitHub via API" }, { "type": "azure-eventhub", "title": "Collect GitHub logs from Azure Event Hub", "description": "Collect GitHub logs from Azure Event Hub" }, { "type": "azure-blob-storage", "title": "Collect GitHub logs from Azure Blob Storage", "description": "Collect GitHub logs from Azure Blob Storage." }, { "type": "gcs", "title": "Collect GitHub logs from Google Cloud Storage", "description": "Collect GitHub logs from Google Cloud Storage." }, { "type": "cel", "vars": [ { "name": "proxy_url", "type": "text", "title": "Proxy URL", "description": "URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.", "multi": false, "required": false, "show_user": false }, { "name": "ssl", "type": "yaml", "title": "SSL Configuration", "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.", "multi": false, "required": false, "show_user": false, "default": "#certificate_authorities:\n# - |\n# -----BEGIN CERTIFICATE-----\n# MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n# ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n# MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n# BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n# fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n# 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n# /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n# PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n# CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n# BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n# 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n# 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n# 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n# H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n# 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n# sxSmbIUfc2SGJGCJD4I=\n# -----END CERTIFICATE-----\n" } ], "title": "Collect GitHub Security Advisories data via API", "description": "Collect GitHub Security Advisories data via API." } ], "multiple": true } ], "data_streams": [ { "type": "logs", "dataset": "github.audit", "title": "GitHub Audit Logs", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "access_token", "type": "password", "title": "Personal Access Token", "description": "the GitHub Personal Access Token. Requires `read:audit_log` scope", "multi": false, "required": true, "show_user": true }, { "name": "organization", "type": "text", "title": "Organization Name", "description": "The GitHub organization name/ID. Either `Organization Name` or `Enterprise Name` must be set.", "multi": false, "required": false, "show_user": true }, { "name": "enterprise", "type": "text", "title": "Enterprise Name", "description": "The GitHub enterprise name/ID. Either `Organization Name` or `Enterprise Name` must be set.", "multi": false, "required": false, "show_user": true }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.", "multi": false, "required": false, "show_user": true, "default": "60s" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Interval at which the logs will be pulled. The value must be between 2m and 1h. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "1h" }, { "name": "initial_interval", "type": "text", "title": "Initial Interval", "description": "Initial interval to poll for events. Default is 730 hours (30 days). Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "730h" }, { "name": "api_url", "type": "text", "title": "API URL.", "description": "The API URL without the path.", "multi": false, "required": true, "show_user": false, "default": "https://api.github.com" }, { "name": "ssl", "type": "yaml", "title": "SSL Configuration", "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.", "multi": false, "required": false, "show_user": false }, { "name": "proxy_url", "type": "text", "title": "Proxy URL", "description": "URL to proxy connections in the form of http\\[s\\]://:@:", "multi": false, "required": false, "show_user": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": true, "default": [ "forwarded", "github-audit" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "\"Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \\nThis executes in the agent before the logs are parsed. \\nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\\n\"\n", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "GitHub Audit Logs", "description": "Collect GitHub audit logs via the API", "enabled": false, "ingestion_method": "API" }, { "input": "azure-eventhub", "vars": [ { "name": "eventhub", "type": "text", "title": "Event Hub", "description": "Elastic recommends using one event hub for each integration. Visit [Create an event hub](https://docs.elastic.co/integrations/azure#create-an-event-hub) to learn more. Use event hub names up to 30 characters long to avoid compatibility issues.", "multi": false, "required": true, "show_user": true }, { "name": "consumer_group", "type": "text", "title": "Consumer Group", "description": "We recommend using a dedicated consumer group for the azure input. Reusing consumer groups among non-related consumers can cause unexpected behavior and possibly lost events.", "multi": false, "required": true, "show_user": true, "default": "$Default" }, { "name": "auth_type", "type": "select", "title": "Authentication Type", "description": "Authentication method to use for Event Hub and Storage Account. When set to **Connection String** or left blank: **Connection String** and **Storage Account Key** are required. When set to **Client Secret**: Microsoft Entra ID client secret authentication is used, requiring **Tenant ID**, **Client ID**, **Client Secret**, and **Event Hub Namespace**. Note: The same authentication type applies to both Event Hub and Storage Account for security consistency.", "multi": false, "required": true, "show_user": true, "default": "connection_string" }, { "name": "connection_string", "type": "password", "title": "Connection String", "description": "(Required when **Authentication Type** is **Connection String** or left blank) The connection string required to communicate with Event Hubs. See [Get an Event Hubs connection string](https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string) to learn more.", "multi": false, "required": false, "show_user": true }, { "name": "storage_account_key", "type": "password", "title": "Storage Account Key", "description": "(Required when **Authentication Type** is **Connection String** or left blank) The storage account key used to authorize access to data in your storage account. Not used when **Authentication Type** is **Client Secret**; client secret authentication is used for storage instead.", "multi": false, "required": false, "show_user": true }, { "name": "storage_account", "type": "text", "title": "Storage Account", "description": "The name of the storage account where the consumer group's state/offsets will be stored and updated.", "multi": false, "required": true, "show_user": true }, { "name": "eventhub_namespace", "type": "text", "title": "Event Hub Namespace", "description": "(Required when **Authentication Type** is **Client Secret**) Fully qualified Event Hub namespace (e.g., namespace.servicebus.windows.net). Do not use the short namespace name; use the complete FQDN.", "multi": false, "required": false, "show_user": true }, { "name": "tenant_id", "type": "text", "title": "Tenant ID", "description": "(Required when **Authentication Type** is **Client Secret**) Microsoft Entra ID tenant ID. This is the directory/tenant where your Microsoft Entra ID application is registered.", "multi": false, "required": false, "show_user": true }, { "name": "client_id", "type": "text", "title": "Client ID", "description": "(Required when **Authentication Type** is **Client Secret**) Microsoft Entra ID application (client) ID. The service principal must have 'Azure Event Hubs Data Receiver' role on the Event Hub and 'Storage Blob Data Contributor' role on the Storage Account.", "multi": false, "required": false, "show_user": true }, { "name": "client_secret", "type": "password", "title": "Client Secret", "description": "(Required when **Authentication Type** is **Client Secret**) Microsoft Entra ID application client secret. Generate this secret in your Microsoft Entra ID app registration.", "multi": false, "required": false, "show_user": true }, { "name": "authority_host", "type": "text", "title": "Authority Host", "description": "(Optional when **Authentication Type** is **Client Secret**) Microsoft Entra ID authority endpoint. Defaults to https://login.microsoftonline.com (Azure Public Cloud). Change for other Azure environments: Azure Government (https://login.microsoftonline.us), Azure China (https://login.chinacloudapi.cn), or Azure Germany (https://login.microsoftonline.de).", "multi": false, "required": false, "show_user": false, "default": "https://login.microsoftonline.com" }, { "name": "storage_account_container", "type": "text", "title": "Storage Account Container", "description": "The storage account container where the integration stores the checkpoint data for the consumer group. It is an advanced option to use with extreme care. You MUST use a dedicated storage account container for each Azure log type. DO NOT REUSE the same container name for more than one Azure log type. See [Container Names](https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names) for details on naming rules from Microsoft. The integration generates a default container name if not specified.", "multi": false, "required": false, "show_user": false }, { "name": "resource_manager_endpoint", "type": "text", "title": "Resource Manager Endpoint", "description": "By default we are using the azure public environment, to override, users can provide a specific resource manager endpoint in order to use a different azure environment.", "multi": false, "required": false, "show_user": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "github-audit" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve github.audit fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "azure-eventhub.yml.hbs", "title": "GitHub Audit Logs from Azure Event Hub", "description": "Collect GitHub audit logs from Azure Event Hub", "enabled": false, "ingestion_method": "Azure Event Hub" }, { "input": "aws-s3", "vars": [ { "name": "collect_s3_logs", "type": "bool", "title": "Collect logs via S3 Bucket", "description": "To collect logs via S3 bucket enable the toggle switch. By default, it will collect logs via SQS Queue.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "access_key_id", "type": "password", "title": "Access Key ID", "description": "First part of access key. This parameter along with the secret_access_key parameter is required if we are not providing shared_credential_file.", "multi": false, "required": false, "show_user": true }, { "name": "secret_access_key", "type": "password", "title": "Secret Access Key", "description": "Second part of access key. This parameter along with the access_key_id parameter is required if we are not providing shared_credential_file.", "multi": false, "required": false, "show_user": true }, { "name": "region", "type": "text", "title": "[SQS] Region", "description": "The name of the AWS region of the end point. If this option is given it takes precedence over the region name obtained from the queue_url value.", "multi": false, "required": false, "show_user": true }, { "name": "session_token", "type": "password", "title": "Session Token", "description": "Required when using temporary security credentials.", "multi": false, "required": false, "show_user": true }, { "name": "shared_credential_file", "type": "text", "title": "Shared Credential File", "description": "Directory of the shared credentials file. This parameter is required if we are not providing value for the parameters - secret_access_key and access_key_id.", "multi": false, "required": false, "show_user": false }, { "name": "credential_profile_name", "type": "text", "title": "Credential Profile Name", "description": "Profile name in shared credentials file.", "multi": false, "required": false, "show_user": false }, { "name": "role_arn", "type": "text", "title": "Role ARN", "description": "AWS IAM Role to assume.", "multi": false, "required": false, "show_user": false }, { "name": "default_region", "type": "text", "title": "Default AWS Region", "description": "Default region to query if no other region is set. Most AWS services offer a regional endpoint that can be used to make requests. Some services, such as IAM, do not support regions. If a region is not provided by any other way (environment variable, credential or instance profile), the value set here will be used.", "multi": false, "required": false, "show_user": false, "default": "" }, { "name": "endpoint", "type": "text", "title": "Endpoint", "description": "URL of the entry point for an AWS web service.", "multi": false, "required": false, "show_user": false }, { "name": "fips_enabled", "type": "bool", "title": "FIPS Enabled", "description": "Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "bucket_arn", "type": "text", "title": "[S3] Bucket ARN", "description": "ARN of the AWS S3 bucket that will be polled for list operation. It is a required parameter for collecting logs via the AWS S3.", "multi": false, "required": false, "show_user": true }, { "name": "bucket_list_prefix", "type": "text", "title": "[S3] Bucket Prefix", "description": "Prefix to apply for the list request to the S3 bucket.", "multi": false, "required": false, "show_user": true }, { "name": "interval", "type": "text", "title": "[S3] Interval", "description": "Listing of the S3 bucket will be polled according to the time interval defined by bucket_list_interval config. Default value is 120 secs. Supported units for this parameter are h/m/s.", "multi": false, "required": false, "show_user": true, "default": "120s" }, { "name": "number_of_workers", "type": "integer", "title": "Number of Workers", "description": "Number of workers that will process the S3 or SQS objects listed.", "multi": false, "required": false, "show_user": true, "default": 5 }, { "name": "queue_url", "type": "text", "title": "[SQS] Queue URL", "description": "URL of the AWS SQS queue that messages will be received from. It is a required parameter for collecting logs via the AWS SQS.", "multi": false, "required": false, "show_user": true }, { "name": "visibility_timeout", "type": "text", "title": "[SQS] Visibility Timeout", "description": "The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours. Supported units for this parameter are h/m/s.", "multi": false, "required": false, "show_user": true, "default": "300s" }, { "name": "api_timeout", "type": "text", "title": "[SQS] API Timeout", "description": "The maximum duration of AWS API can take. The maximum is half of the visibility timeout value. Supported units for this parameter are h/m/s.", "multi": false, "required": false, "show_user": true, "default": "120s" }, { "name": "file_selectors", "type": "yaml", "title": "[SQS] File Selectors", "description": "If the SQS queue will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. This is a list of selectors which are made up of regex and expand_event_list_from_field options. The regex should match the S3 object key in the SQS message, and the optional expand_event_list_from_field is the same as the global setting. If file_selectors is given, then any global expand_event_list_from_field value is ignored in favor of the ones specified in the file_selectors. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). Files that do not match one of the regexes will not be processed.", "multi": false, "required": false, "show_user": false }, { "name": "external_id", "type": "text", "title": "External ID", "description": "External ID to use when assuming a role in another account.", "multi": false, "required": false, "show_user": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "github.audit" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve github.audit fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false }, { "name": "proxy_url", "type": "text", "title": "Proxy URL", "description": "URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.", "multi": false, "required": false, "show_user": false }, { "name": "ssl", "type": "yaml", "title": "SSL Configuration", "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.", "multi": false, "required": false, "show_user": false, "default": "#certificate_authorities:\n# - |\n# -----BEGIN CERTIFICATE-----\n# MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF\n# ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2\n# MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB\n# BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n\n# fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl\n# 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t\n# /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP\n# PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41\n# CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O\n# BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux\n# 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D\n# 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw\n# 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA\n# H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu\n# 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0\n# yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk\n# sxSmbIUfc2SGJGCJD4I=\n# -----END CERTIFICATE-----\n" } ], "template_path": "aws-s3.yml.hbs", "title": "Collect Audit logs via AWS S3 or SQS", "description": "Collect Audit logs via AWS S3 or SQS input.", "enabled": false, "ingestion_method": "AWS S3" }, { "input": "azure-blob-storage", "vars": [ { "name": "account_name", "type": "text", "title": "Account Name", "description": "This attribute is required for various internal operations with respect to authentication, creating service clients and blob clients which are used internally for various processing purposes.\n", "multi": false, "required": true, "show_user": true }, { "name": "oauth2", "type": "bool", "title": "Collect logs using OAuth2 authentication", "description": "To collect logs using OAuth2 authentication enable the toggle switch. By default, it will collect logs using service account key or URI.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "client_id", "type": "text", "title": "Client ID (OAuth2)", "description": "Client ID of Azure Account. This is required if 'Collect logs using OAuth2 authentication' is enabled.", "multi": false, "required": false, "show_user": true }, { "name": "client_secret", "type": "password", "title": "Client Secret (OAuth2)", "description": "Client Secret of Azure Account. This is required if 'Collect logs using OAuth2 authentication' is enabled.", "multi": false, "required": false, "show_user": true }, { "name": "tenant_id", "type": "text", "title": "Tenant ID (OAuth2)", "description": "Tenant ID of Azure Account. This is required if 'Collect logs using OAuth2 authentication' is enabled.", "multi": false, "required": false, "show_user": true }, { "name": "service_account_key", "type": "password", "title": "Service Account Key", "description": "This attribute contains the access key, found under the Access keys section on Azure Cloud, under the respective storage account. A single storage account can contain multiple containers, and they will all use this common access key.\n", "multi": false, "required": false, "show_user": true }, { "name": "service_account_uri", "type": "text", "title": "Service Account URI", "description": "This attribute contains the connection string, found under the Access keys section on Azure Cloud, under the respective storage account. A single storage account can contain multiple containers, and they will all use this common connection string.\n", "multi": false, "required": false, "show_user": false }, { "name": "storage_url", "type": "text", "title": "Storage URL", "description": "Use this attribute to specify a custom storage URL if required. By default it points to azure cloud storage. Only use this if there is a specific need to connect to a different environment where blob storage is available.\nURL format : {{protocol}}://{{account_name}}.{{storage_uri}}.\n", "multi": false, "required": false, "show_user": false }, { "name": "number_of_workers", "type": "integer", "title": "Maximum number of workers", "description": "Determines how many workers are spawned per container.", "multi": false, "required": false, "show_user": true, "default": 3 }, { "name": "poll", "type": "bool", "title": "Polling", "description": "Determines if the container will be continuously polled for new documents.", "multi": false, "required": false, "show_user": true, "default": true }, { "name": "poll_interval", "type": "text", "title": "Polling interval", "description": "Determines the time interval between polling operations.", "multi": false, "required": false, "show_user": true, "default": "15s" }, { "name": "containers", "type": "yaml", "title": "Containers", "description": "\"This attribute contains the details about a specific container like, name, number_of_workers, poll, poll_interval etc. The attribute 'name' is specific to a container as it describes the container name, while the fields number_of_workers, poll, poll_interval can exist both at the container level and at the global level. \\nIf you have already defined the attributes globally, then you can only specify the container name in this yaml config. If you want to override any specific attribute for a container, then, you can define it here. Any attribute defined in the yaml will override the global definitions. \\nPlease see the relevant [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-azure-blob-storage.html#attrib-containers) for further information.\\n\"\n", "multi": false, "required": true, "show_user": true, "default": "#- name: azure-container1\n# max_workers: 3\n# poll: true\n# poll_interval: 15s\n#- name: azure-container2\n# max_workers: 3\n# poll: true\n# poll_interval: 10s\n" }, { "name": "file_selectors", "type": "yaml", "title": "File Selectors", "description": "\"If the container will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are downloaded. \\nThis is a list of selectors which is made up of regex patters. The regex should match the container filepath. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). \\nFiles that don’t match one of the regexes will not be processed. \\nThis process happens locally on the host hence it is an expensive operation. It is recommended to use this attribute only if there is a specific need to filter out files locally.\\n\"\n", "multi": false, "required": false, "show_user": false, "default": "# - regex: \"event/\"\n" }, { "name": "timestamp_epoch", "type": "integer", "title": "Timestamp Epoch", "description": "\"This attribute can be used to filter out files/blobs which have a timestamp older than the specified value. The value of this attribute should be in unix epoch (seconds) format. \\nThis process happens locally on the host hence it is an expensive operation. It is recommended to use this attribute only if there is a specific need to filter out files locally.\\n\"\n", "multi": false, "required": false, "show_user": false }, { "name": "expand_event_list_from_field", "type": "text", "title": "Expand Event List From Field", "description": "\"If the file-set using this input expects to receive multiple messages bundled under a specific field or an array of objects then the config option for 'expand_event_list_from_field' can be specified. This setting will be able to split the messages under the group value into separate events. \\nThis can be specified at the global level or at the container level. For more info please refer to the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-azure-blob-storage.html#attrib-expand_event_list_from_field).\\n\"\n", "multi": false, "required": false, "show_user": false }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve github.audit fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n", "multi": false, "required": false, "show_user": false }, { "name": "tags", "type": "text", "title": "Tags", "description": "Tags to include in the published event.", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "github.audit" ] } ], "template_path": "abs.yml.hbs", "title": "GitHub Audit Logs", "description": "Collect GitHub audit logs from Azure Blob Storage", "enabled": false, "ingestion_method": "Azure Blob Storage" }, { "input": "gcs", "vars": [ { "name": "project_id", "type": "text", "title": "Project Id", "description": "This attribute is required for various internal operations with respect to authentication, creating service clients and bucket clients which are used internally for various processing purposes.\n", "multi": false, "required": true, "show_user": true, "default": "my-project-id" }, { "name": "alternative_host", "type": "text", "title": "Alternative Host", "description": "Used to override the default host for the storage client (default is storage.googleapis.com)", "multi": false, "required": false, "show_user": false }, { "name": "service_account_key", "type": "password", "title": "Credentials JSON Key", "description": "This attribute contains the JSON service account credentials string, which can be generated from the google cloud console. Refer to [Service Account Keys](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) for details.\nRequired if a Service Account File is not provided.\n", "multi": false, "required": false, "show_user": true }, { "name": "service_account_file", "type": "text", "title": "Credentials File Path", "description": "This attribute contains the service account credentials file, which can be generated from the google cloud console. Refer to [Service Account Keys](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) for details.\nRequired if a Service Account Key is not provided.\n", "multi": false, "required": false, "show_user": false }, { "name": "number_of_workers", "type": "integer", "title": "Maximum number of workers", "description": "Determines how many workers are spawned per bucket.", "multi": false, "required": false, "show_user": true, "default": 3 }, { "name": "poll", "type": "bool", "title": "Polling", "description": "Determines if the bucket will be continuously polled for new documents.", "multi": false, "required": false, "show_user": true, "default": true }, { "name": "poll_interval", "type": "text", "title": "Polling Interval", "description": "Determines the time interval between polling operations.", "multi": false, "required": false, "show_user": true, "default": "15s" }, { "name": "buckets", "type": "yaml", "title": "Buckets", "description": "This attribute contains the details about a specific bucket like, name, max_workers, poll and poll_interval. The attribute 'name' is specific to a bucket as it describes the bucket name, while the fields max_workers, poll and poll_interval can exist both at the bucket level and at the global level. If you have already defined the attributes globally, then you can only specify the name in this yaml config. If you want to override any specific attribute for a specific bucket, then, you can define it here. Any attribute defined in the yaml will override the global definitions. Please see the relevant[Documentation](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-gcs#attrib-buckets) for further information.", "multi": false, "required": true, "show_user": true, "default": "# You can define as many buckets as you want here.\n#- name: gcs_bucket_1\n#- name: gcs_bucket_2\n# The config below is an example of how to override the global config.\n#- name: gcs_bucket_3\n# max_workers: 3\n# poll: true\n# poll_interval: 10s\n" }, { "name": "file_selectors", "type": "yaml", "title": "File Selectors", "description": "\"If the bucket will have events that correspond to files that this integration shouldn’t process, file_selectors can be used to limit the files that are processed. \\nThis is a list of selectors which is made up of regex patters. The regex should match the bucket filepath. Regexes use [RE2 syntax](https://pkg.go.dev/regexp/syntax). \\nFiles that don’t match one of the regexes will not be processed. \\nThis process happens locally on the host hence it is an expensive operation. It is recommended to use this attribute only if there is a specific need to filter out files locally.\\n\"\n", "multi": false, "required": false, "show_user": false, "default": "# - regex: \"event/\"\n" }, { "name": "timestamp_epoch", "type": "integer", "title": "Timestamp Epoch", "description": "\"This attribute can be used to filter out files/objects which have a timestamp older than the specified value. The value of this attribute should be in unix epoch (seconds) format. \\nThis process happens locally on the host hence it is an expensive operation. It is recommended to use this attribute only if there is a specific need to filter out files locally.\\n\"\n", "multi": false, "required": false, "show_user": false }, { "name": "expand_event_list_from_field", "type": "text", "title": "Expand Event List From Field", "description": "\"If the file-set using this input expects to receive multiple messages bundled under a specific field or an array of objects then the config option for 'expand_event_list_from_field' can be specified. This setting will be able to split the messages under the group value into separate events. \\nThis can be specified at the global level or at the bucket level. For more info please refer to the [documentation](https://www.elastic.co/docs/reference/beats/filebeat/filebeat-input-gcs#attrib-expand_event_list_from_field-gcs).\\n\"\n", "multi": false, "required": false, "show_user": false }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "preserve_duplicate_custom_fields", "type": "bool", "title": "Preserve duplicate custom fields", "description": "Preserve github.audit fields that were copied to Elastic Common Schema (ECS) fields.", "multi": false, "required": true, "show_user": false, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n", "multi": false, "required": false, "show_user": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "github.audit" ] } ], "template_path": "gcs.yml.hbs", "title": "GitHub Audit Logs", "description": "Collect GitHub audit logs from Google Cloud Storage.", "enabled": false, "ingestion_method": "Google Cloud Storage" } ], "package": "github", "path": "audit" }, { "type": "logs", "dataset": "github.code_scanning", "title": "GHAS Code Scanning", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "access_token", "type": "password", "title": "Personal Access Token", "description": "the GitHub Personal Access Token. Requires the 'public_repo' scope for public repositories and 'security_events' scope for private repositories. \\nSee [List code scanning alerts for a repository](https://docs.github.com/en/rest/code-scanning#list-code-scanning-alerts-for-a-repository)", "multi": false, "required": true, "show_user": true }, { "name": "owner", "type": "text", "title": "Repository owner", "description": "The owner of GitHub Repository. If repository belongs to an organization, owner is name of the organization", "multi": false, "required": true, "show_user": true }, { "name": "repo", "type": "text", "title": "Repository", "description": "The GitHub Repository. If not provided, alerts for all the repositories of the owner will be ingested", "multi": false, "required": false, "show_user": true }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.", "multi": false, "required": false, "show_user": true, "default": "60s" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Interval at which the alerts will be pulled. The value must be between 2m and 1h. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "10m" }, { "name": "api_url", "type": "text", "title": "API URL.", "description": "The API URL without the path.", "multi": false, "required": true, "show_user": false, "default": "https://api.github.com" }, { "name": "ssl", "type": "yaml", "title": "SSL Configuration", "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.", "multi": false, "required": false, "show_user": false }, { "name": "proxy_url", "type": "text", "title": "Proxy URL", "description": "URL to proxy connections in the form of http\\[s\\]://:@:", "multi": false, "required": false, "show_user": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": true, "default": [ "forwarded", "github-code-scanning" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "GHAS Code Scanning", "description": "Collect GitHub Advanced Security Code Scanning alerts via the API", "enabled": true, "ingestion_method": "API" } ], "package": "github", "path": "code_scanning" }, { "type": "logs", "dataset": "github.dependabot", "title": "GHAS Dependabot", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "access_token", "type": "password", "title": "Personal Access Token", "description": "The GitHub Personal Access Token. \\nSee [Authenticating with GraphQL](https://docs.github.com/en/graphql/guides/forming-calls-with-graphql#authenticating-with-graphql)", "multi": false, "required": true, "show_user": true }, { "name": "owner", "type": "text", "title": "Repository owner", "description": "The owner of GitHub Repository", "multi": false, "required": true, "show_user": true }, { "name": "repo", "type": "text", "title": "Repository", "description": "The GitHub Repository", "multi": false, "required": false, "show_user": true }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.", "multi": false, "required": false, "show_user": true, "default": "60s" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Interval at which the alerts will be pulled. The value must be between 2m and 1h. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "10m" }, { "name": "api_url", "type": "text", "title": "API URL.", "description": "The API URL without the path.", "multi": false, "required": true, "show_user": false, "default": "https://api.github.com" }, { "name": "ssl", "type": "yaml", "title": "SSL Configuration", "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.", "multi": false, "required": false, "show_user": false }, { "name": "proxy_url", "type": "text", "title": "Proxy URL", "description": "URL to proxy connections in the form of http[s]://:@:", "multi": false, "required": false, "show_user": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": true, "default": [ "forwarded", "github-dependabot" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "GHAS Dependabot", "description": "Collect GitHub Advanced Security Dependabot alerts via the API", "enabled": true, "ingestion_method": "API" } ], "package": "github", "path": "dependabot" }, { "type": "logs", "dataset": "github.issues", "title": "GitHub Issue", "release": "beta", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "access_token", "type": "password", "title": "Personal Access Token", "description": "the GitHub Personal Access Token.", "multi": false, "required": true, "show_user": true }, { "name": "owner", "type": "text", "title": "Repository owner", "description": "The owner of GitHub Repository. If repository belongs to an organization, owner is name of the organization", "multi": false, "required": true, "show_user": true }, { "name": "repo", "type": "text", "title": "Repository", "description": "The GitHub Repository. If not provided, alerts for all the repositories of the owner will be ingested", "multi": false, "required": false, "show_user": true }, { "name": "state", "type": "text", "title": "State", "description": "Indicates the state of the issues to return.", "multi": false, "required": false, "show_user": true, "default": "all" }, { "name": "filter", "type": "text", "title": "Filter", "description": "Indicates which sorts of issues to return. \nCan be one of - `assigned`, `created`, `mentioned`, `subscribed`, `repos`, `all`. \n`assigned` means issues assigned to you. `created` means issues created by you. `mentioned` means issues mentioning you. `subscribed` means issues you're subscribed to updates for. `all` or repos means all issues you can see, regardless of participation or creation.", "multi": false, "required": false, "show_user": true, "default": "all" }, { "name": "labels", "type": "text", "title": "Labels", "description": "A list of comma separated label names. Example - bug,ui,@high", "multi": false, "required": false, "show_user": true }, { "name": "since", "type": "text", "title": "Since", "description": "Only show notifications updated after the given time are returned. This is a timestamp in ISO 8601 format - `YYYY-MM-DDTHH:MM:SSZ`.", "multi": false, "required": false, "show_user": true }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.", "multi": false, "required": false, "show_user": true, "default": "60s" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Interval at which the alerts will be pulled. The value must be between 2m and 1h. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "10m" }, { "name": "api_url", "type": "text", "title": "API URL.", "description": "The API URL without the path.", "multi": false, "required": true, "show_user": false, "default": "https://api.github.com" }, { "name": "ssl", "type": "yaml", "title": "SSL Configuration", "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.", "multi": false, "required": false, "show_user": false }, { "name": "proxy_url", "type": "text", "title": "Proxy URL", "description": "URL to proxy connections in the form of http\\[s\\]://:@:", "multi": false, "required": false, "show_user": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": true, "default": [ "forwarded", "github-issues" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "GitHub Issues", "description": "Collect GitHub issues as events via the API", "enabled": true, "ingestion_method": "API" } ], "package": "github", "path": "issues" }, { "type": "logs", "dataset": "github.secret_scanning", "title": "GHAS Secret Scanning", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "httpjson", "vars": [ { "name": "access_token", "type": "password", "title": "Personal Access Token", "description": "the GitHub Personal Access Token. Requires `admin` access to the repository or organization owning the repository along with a personal access token with 'public_repo' scope for public repositories and `repo` or `security_events` scope for private repositories. \\nSee [List secret scanning alerts for a repository](https://docs.github.com/en/enterprise-cloud@latest/rest/secret-scanning#list-secret-scanning-alerts-for-a-repository)", "multi": false, "required": true, "show_user": true }, { "name": "owner", "type": "text", "title": "Repository owner", "description": "The owner of GitHub Repository", "multi": false, "required": true, "show_user": true }, { "name": "repo", "type": "text", "title": "Repository", "description": "The GitHub Repository", "multi": false, "required": false, "show_user": true }, { "name": "http_client_timeout", "type": "text", "title": "HTTP Client Timeout", "description": "Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.", "multi": false, "required": false, "show_user": true, "default": "60s" }, { "name": "interval", "type": "text", "title": "Interval", "description": "Interval at which the alerts will be pulled. The value must be between 2m and 1h. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "10m" }, { "name": "hide_secret", "type": "bool", "title": "Hide Secret", "description": "To reveal the full secret from the Secret Scanning alert, set this to false", "multi": false, "required": true, "show_user": true, "default": true }, { "name": "api_url", "type": "text", "title": "API URL.", "description": "The API URL without the path.", "multi": false, "required": true, "show_user": false, "default": "https://api.github.com" }, { "name": "ssl", "type": "yaml", "title": "SSL Configuration", "description": "SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.", "multi": false, "required": false, "show_user": false }, { "name": "proxy_url", "type": "text", "title": "Proxy URL", "description": "URL to proxy connections in the form of http\\[s\\]://:@:", "multi": false, "required": false, "show_user": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": true, "default": [ "forwarded", "github-secret-scanning" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n", "multi": false, "required": false, "show_user": false } ], "template_path": "httpjson.yml.hbs", "title": "GHAS Secret Scanning", "description": "Collect GitHub Advanced Security Secret Scanning alerts via the API", "enabled": true, "ingestion_method": "API" } ], "package": "github", "path": "secret_scanning" }, { "type": "logs", "dataset": "github.security_advisories", "title": "Collect GitHub Security Advisories data from GitHub REST API.", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "cel", "vars": [ { "name": "api_url", "type": "text", "title": "API URL", "description": "URL for GitHub Security Advisories database REST API", "multi": false, "required": true, "show_user": false, "default": "https://api.github.com/advisories" }, { "name": "api_key", "type": "password", "title": "API key", "description": "API key for GitHub REST API. This Personal Access Token is used to authenticate with the GitHub REST API and should be kept secret.", "multi": false, "required": true, "show_user": true }, { "name": "advisory_type", "type": "select", "title": "Advisory type", "multi": false, "required": true, "show_user": true }, { "name": "interval", "type": "text", "title": "Interval", "description": "Duration between requests to the API. Supported units for this parameter are h/m/s.", "multi": false, "required": true, "show_user": true, "default": "24h" }, { "name": "batch_size", "type": "integer", "title": "Batch Size", "description": "Batch size for the response of the GitHub REST API. Maximum value is 100.", "multi": false, "required": true, "show_user": false, "default": 100 }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": true, "show_user": false, "default": [ "forwarded", "github-security-advisories" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/fleet/current/elastic-agent-processor-configuration.html) for details.", "multi": false, "required": false, "show_user": false }, { "name": "enable_request_tracer", "type": "bool", "title": "Enable request tracing", "description": "The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.\n", "multi": false, "required": false, "show_user": false, "default": false } ], "template_path": "cel.yml.hbs", "title": "GitHub Security Advisories data", "description": "Collect GitHub Security Advisories data from GitHub REST API.", "enabled": true, "ingestion_method": "API" } ], "package": "github", "path": "security_advisories" } ] }