What Changed
Version 3.3.1 of the GitHub Solution updates the Azure Storage-based GitHub Audit Log connector (GitHubAuditBlobConnector) with two changes:
API version bumps — ConnectorDefinition.json updated from apiVersion 2022-09-01-preview to 2025-09-01; PollingConfig.json updated from 2022-10-01-preview to 2024-09-01. Both move from preview to stable API versions.
SAS token guidance added — The connector setup instructions now document SAS token signing methods and operational best practices for the Azure Blob Storage integration:
- Two signing methods are supported: Account key and User delegation key.
- For the Account key method, the guidance recommends creating a Stored Access Policy (https://learn.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy) and binding the SAS token to that policy.
- Binding to a stored policy enables server-side rotation: expiry and permissions can be updated, or the token revoked, without reissuing the SAS URI - eliminating the connector reconfiguration step on credential rotation.
This change is driven by customer feedback and does not alter polling logic, field mappings, or ingestion behaviour. No detection content is affected.
Security Impact
No detection gap is introduced or closed. The SAS guidance is operationally significant for teams managing long-lived connectors: without Stored Access Policy binding, SAS token expiry requires manual reconfiguration of the connector, creating a window where GitHub Enterprise audit log streaming to Microsoft Sentinel stops - a silent ingestion gap. Following the updated guidance reduces that operational risk.
Affected Files
Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/ConnectorDefinition.json
Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/PollingConfig.json
(packaging artefacts: 3.3.1.zip, ReleaseNotes.md, Solution_GitHub.json, mainTemplate.json)