Microsoft Sentinel Adds Threat Monitoring for GitHub Repositories

Microsoft Sentinel has announced support for GitHub Threat Monitoring, which captures logs from GitHub enterprise repositories and tracks potentially malicious events.

Microsoft Sentinel – continuous threat monitoring for GitHub

Earlier this month (December 2021), Microsoft Sentinel announced its new solution for continuous monitoring for GitHub using Microsoft Sentinel. GitHub allows..

techcommunity.microsoft.com

Using Microsoft Sentinel, you can connect an enterprise-licensed GitHub repository environment to a Microsoft Sentinel workspace and capture GitHub audit logs. You can create and delete new repositories and import GitHub audit logs. It tracks events such as the creation and deletion of new repositories and the count of repository clones.

Microsoft Sentinel (formerly known as Azure Sentinel) is a cloud-native SIEM (Security Information and Event Management) platform.

We use artificial intelligence (AI) to analyze vast amounts of data to find potentially threatening activities in the corporate environment.

Having the ability to track various activities in a company’s GitHub repository, identify suspicious events, and investigate anomalies in the environment is very important.

Microsoft Sentinel GitHub threat monitoring works only with GitHub enterprise license and comes with one analysis rule to alert you on suspicious events and one workbook to visualize the data.

Here are the alerts that appear in the Microsoft Sentinel dashboard triggered by the new analysis rules.

• Create repository: Show every time a repository is created in a GitHub environment connected to a Microsoft Sentinel workspace
• Destroy repository: Show every time a repository is destroyed in a GitHub environment
• Remove payment Remove method: Show every time there is a payment method action configured for a GitHub repository
• OAuth application: Show every time the client secret is removed

With this workbook, the security team can also keep track of members added to and removed from GitHub repositories, newly added repositories, and the number of times each repository has been forked or cloned.

Detailed instructions for connecting an enterprise-licensed GitHub repository to a Microsoft Sentinel workspace can be found on the Tech Community blog.

In December, we added the Apache Log4j Vulnerability Detection solution to the Public Preview to help detect and investigate signals related to exploits of the Log4Shell vulnerability.

What's new in Microsoft Sentinel

This article describes new features in Microsoft Sentinel from the past few months.

learn.microsoft.com

We also support refinement of search results by mapping analysis rules to MITRE ATT&CK technology.

In August, Microsoft updated its SIEM platform to detect a new potential ransomware attack using the Fusion machine learning model.