What Changed
Added a new Azure Storage-based CCF connector for GitHub Enterprise audit logs alongside the existing API-based connector. The new connector uses GitHub's audit log streaming to Azure Blob Storage, with Event Grid notifications driving near real-time ingestion.
Security Impact (Visibility & Fidelity)
The existing GitHub Enterprise Audit Log CCF connector is rate limited when it polls the GitHub API directly, which can leave gaps in audit log ingestion during high-activity periods. The Azure Storage-based connector closes that blind spot by:
- Eliminating API rate limits: GitHub streams audit logs directly to blob storage, bypassing API throttling
- Near real-time ingestion: Event Grid notifications trigger ingestion within 5 minutes of log availability
- Higher throughput: Supports enterprise environments with heavy GitHub activity without data loss
- Same data fidelity: Writes to the same table schema (GitHubAuditLogsV2_CL), so existing detections keep working unchanged
Ingestion Mechanism
- Data Collection Rule (DCR): Custom stream Custom-GitHubAuditLogs with comprehensive field mapping
- Event Grid integration: Monitors blob-created notifications in storage containers
- Azure Storage requirements: Requires Data Lake Storage Gen2 with hierarchical namespace
- Authentication: Uses Microsoft’s ScubaSentinelToStorageProd enterprise application with Storage Blob Data Reader and Storage Queue Data Contributor roles
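The notification side of this pipeline is where a practitioner will want to see the edge cases: Event Grid raises a BlobCreated event for every data-plane write, and on an account with a hierarchical namespace that includes the CreateFile call that creates a still-empty file, before FlushWithClose commits the content. The filter below is an added example, not code from the Sentinel GitHub solution or from Microsoft's CCF engine. It assumes Event Grid delivers BlobCreated events (Event Grid event schema) to a storage queue that the connector reads with Storage Queue Data Contributor, that the queue messages arrive as plain JSON strings, and it uses placeholder account and container names; the sample events at the bottom are constructed for the example. It keeps only events for committed blobs inside the expected account and container, and reports how far behind the 5-minute target each one is.

```python
"""Filter Event Grid BlobCreated notifications for GitHub audit-log blobs.

Added example, not code from the Sentinel GitHub solution. It assumes
Microsoft.Storage.BlobCreated events (Event Grid schema) are delivered to a
storage queue as JSON strings; account/container names are placeholders.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import urlparse

EXPECTED_ACCOUNT_HOST = "contosoghaudit.blob.core.windows.net"  # placeholder
EXPECTED_CONTAINER = "github-audit-logs"                        # placeholder

# Only these operations mean the blob content is fully committed. With a
# hierarchical namespace, CreateFile also raises BlobCreated for an empty
# file that has not been flushed yet, so it is deliberately excluded.
COMMITTED_APIS = {"PutBlob", "PutBlockList", "CopyBlob", "FlushWithClose"}

MAX_LAG = timedelta(minutes=5)  # the near real-time target from the release note


def parse_event_time(ts: str) -> datetime:
    """Parse Event Grid's eventTime (RFC 3339, 'Z' suffix, up to 7 fractional digits)."""
    ts = ts.rstrip("Z")
    if "." in ts:
        head, frac = ts.split(".", 1)
        ts = f"{head}.{frac[:6]:0<6}"  # datetime only understands microseconds
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def select_blob(event: dict, now: datetime) -> Optional[dict]:
    """Return ingestion details for an event worth fetching, or None to drop it."""
    if event.get("eventType") != "Microsoft.Storage.BlobCreated":
        return None
    data = event.get("data", {})
    if data.get("api") not in COMMITTED_APIS:
        return None
    url = data.get("url", "")
    parsed = urlparse(url)
    # Bind the notification to the expected account and container so a stray
    # or misrouted event cannot make the poller fetch an arbitrary blob.
    if parsed.scheme != "https" or parsed.netloc != EXPECTED_ACCOUNT_HOST:
        return None
    parts = parsed.path.lstrip("/").split("/", 1)
    if len(parts) != 2 or parts[0] != EXPECTED_CONTAINER or not parts[1]:
        return None
    lag = now - parse_event_time(event["eventTime"])
    return {"url": url, "lag_seconds": lag.total_seconds(), "late": lag > MAX_LAG}


def ingest(queue_messages: List[str], now: datetime) -> List[dict]:
    """Decode queue messages and keep the blobs that should be read and sent to the DCR."""
    selected = []
    for body in queue_messages:
        event = json.loads(body)
        picked = select_blob(event, now)
        if picked is not None:
            selected.append(picked)
    return selected


# Constructed sample queue messages (not real Event Grid output).
BASE = f"https://{EXPECTED_ACCOUNT_HOST}/{EXPECTED_CONTAINER}"
NOW = datetime(2024, 5, 1, 12, 10, 0, tzinfo=timezone.utc)
SAMPLE_MESSAGES = [
    # committed write, 90 s old: ingest, on time
    json.dumps({"eventType": "Microsoft.Storage.BlobCreated",
                "eventTime": "2024-05-01T12:08:30.1234567Z",
                "data": {"api": "FlushWithClose", "url": f"{BASE}/2024/05/01/audit-1.json"}}),
    # CreateFile for the same path: file is still empty, drop
    json.dumps({"eventType": "Microsoft.Storage.BlobCreated",
                "eventTime": "2024-05-01T12:08:29Z",
                "data": {"api": "CreateFile", "url": f"{BASE}/2024/05/01/audit-1.json"}}),
    # committed write that sat in the queue for 10 minutes: ingest, flagged late
    json.dumps({"eventType": "Microsoft.Storage.BlobCreated",
                "eventTime": "2024-05-01T12:00:00Z",
                "data": {"api": "PutBlob", "url": f"{BASE}/2024/05/01/audit-2.json"}}),
    # wrong container on the right account: drop
    json.dumps({"eventType": "Microsoft.Storage.BlobCreated",
                "eventTime": "2024-05-01T12:09:00Z",
                "data": {"api": "PutBlob", "url": f"https://{EXPECTED_ACCOUNT_HOST}/other/x.json"}}),
    # not a creation event: drop
    json.dumps({"eventType": "Microsoft.Storage.BlobDeleted",
                "eventTime": "2024-05-01T12:09:30Z",
                "data": {"api": "DeleteBlob", "url": f"{BASE}/2024/05/01/audit-0.json"}}),
]

if __name__ == "__main__":
    for item in ingest(SAMPLE_MESSAGES, NOW):
        print(item)
```

Two of the five constructed messages survive: the FlushWithClose write and the 10-minute-old PutBlob, the latter flagged late. If the late flag shows up in production, the queue is being drained slower than GitHub is streaming, which is the "high-activity period" the release note is trying to cover.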
Deployment Considerations
Deployment requires the Azure RBAC assignments listed above on the storage account and registration of the Microsoft.EventGrid resource provider in the subscription. Restricting the storage account firewall to IP ranges is not supported because of an Azure Storage limitation; the account must either allow public network access or be placed in a Network Security Perimeter. With open network access the data plane is protected only by the Entra ID role assignments, so keep anonymous blob access on the account disabled.
Affected Files
Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/ConnectorDefinition.json
Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/DCR.json
Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/PollingConfig.json
Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/table_GitHubAuditLogsV2.json
(packaging artefacts: 3.3.0.zip, ReleaseNotes.md, Solution_GitHub.json, createUiDefinition.json, mainTemplate.json)