GitHub is a web-based software development platform used for version control, collaboration, bug tracking, software feature requests, continuous integration, and task management. Panther can collect, normalize, and monitor GitHub logs to help you identify any suspicious activity within your GitHub organization. Your normalized data is then retained to power future security investigations in a data lake powered by the cloud-native data platform, Snowflake.
Use Cases for GitHub Audit Logs
GitHub audit logs give organization owners visibility into actions performed by members of their organization. These logs include details such as who performed the action, what the action was, and when it was performed. Some common SIEM use cases for Github logs include monitoring for:
- New admin roles or downgrades of existing admins
- Changes to IAM or MFA policies
- Creation or transfer of GitHub repositories
- Added or removed users in an organization, repository, or team
- Access Key creation or uploads
Onboarding GitHub Logs in Panther
Setting up Panther’s integration for GitHub is fast and convenient, with multiple ingestion methods available to you depending on your organization’s GitHub account. For Organization accounts, Panther can ingest audit logs from GitHub by querying the GitHub API. For Enterprise accounts, Panther can leverage GitHub's audit log streaming feature via AWS S3 or Google Cloud Storage.
For more details on onboarding GitHub logs or for supported log schema, you can view our GitHub documentation here.
Parsing, Normalizing, & Analyzing GitHub Logs
As Panther ingests GitHub logs, they are parsed, normalized, and stored in a Snowflake security data lake. This allows you to build detections, identify anomalies, and conduct investigations in the context of days, weeks, or months of data.
Panther applies normalization fields to all log records, which standardizes names for attributes and empowers users to correlate data across all of your log sources. Panther’s various search tools - such as Query Builder, Data Explorer, and Indicator Search - allow you to conduct investigations for suspicious activity or vulnerabilities. For more information on searching logs, check out our documentation on Investigations & Search.
Built-in and Easily Customizable Detections
Pre-built detections for GitHub audit logs are available by default in Panther, offering users immediate value for monitoring common IoCs and threats. You can explore our built-in detection coverage for GitHub here.
With Panther, you aren’t confined to restrictive detections or proprietary languages as seen in many SIEM solutions. Panther is architected around detection-as-code principles, giving you the ability to write Python to define detection logic and to integrate external systems like version control and CI/CD pipelines into your detection engineering processes. This results in powerful, flexible, and reusable scripting of detections for your security team.
Panther generates alerts when your detection rules or policies for GitHub are triggered, and integrates with a variety of alert destinations to allow for intuitive management of any alerts. Alerts can also be sent to alert context or SOAR platforms for more remediation options.
Alerts are categorized within five severity levels: Info, Low, Medium, High, and Critical. Your security team has the ability to dynamically assign severity based on specific log event attributes.
If you have any questions about configuring or monitoring GitHub audit logs in Panther, our customer support team is here to help. All customers have access to support via a dedicated Slack channel, email, or in-app messenger.
The Ideal SIEM for GitHub
With Panther, your team doesn’t have to waste time and resources on operational overhead, pay excessive costs to keep up with the growth of cloud app data or struggle with limited detection logic. Panther was founded by a team of security engineers who struggled with other SIEM solutions first-hand, and built an intuitive, cloud-native platform to solve them.
Panther is a cloud-native SIEM built for security operations at scale, offering powerful detection-as-code, intuitive security workflows, and actionable real-time alerts. If you’re searching for a seamless SIEM platform for GitHub, request a demo today.