Key Observability Trends Around GitHub Security

• Unified Security Dashboards: Organizations seek a single pane of glass to monitor GitHub security events—code scanning, secret leaks, alongside audit logs.
• Real-Time Visibility: There is a growing demand for near real-time ingestion and visualization of GitHub audit logs and security alerts .
• Operationalizing GitHub Advanced Security (GHAS): While GHAS provides powerful scanning capabilities, enterprises want to surface these insights beyond GitHub’s UI to security and compliance teams.

Challenges in Displaying All Security in One Dashboard

• Siloed Data: GitHub’s native alerts are confined to its interface, limiting visibility for security teams who operate outside the development environment.
• Limited Audit Log Retention and Analytics: GitHub retains audit logs for a limited time and lacks advanced analytics, making long-term trend analysis and compliance reporting difficult.
• High Volume and Noise: Audit logs generate large volumes of events, many of which are routine. Without filtering and categorization, meaningful insights are buried in noise.
• Alert Fatigue: Without proper tuning, teams may be overwhelmed by false positives or low-priority alerts, leading to desensitization.

Why Visualizing GitHub Audit Logs in Defender Makes Sense

• Centralized Visibility: Security teams gain access to GitHub events without needing GitHub access, enabling broader insights.
• Enhanced Governance: Audit logs are archived centrally, enabling compliance tracking and forensic analysis.
• Real-Time Response: Alerts can trigger automated actions—like revoking secrets or creating incidents—via Power Automate or Logic Apps.
• Complement to GHAS: While GHAS provides detection, this solution ensures findings are acted upon and tracked across the enterprise.

• End-to-End Integration: GitHub (Dev), Azure (Cloud), and Microsoft Defender (Sec) are connected, creating a seamless DevSecOps pipeline.
• Modular Architecture: The solution supports both Log Analytics workspace and Sentinel for visualization and integrates with existing tools like Microsoft Defender for Cloud.
• Data Sovereignty and Security: All data remains within the customer’s Azure tenant, ensuring compliance and control.
• XDR Strategy Alignment: By bringing GitHub security signals into Microsoft’s Extended Detection and Response (XDR) ecosystem, the solution enhances threat correlation and response across the enterprise.

• Customer Demand: Enterprises have explicitly requested real-time GitHub audit analytics and integration with existing security workflows.
• High ROI: The cost of implementation is low compared to the potential savings from avoided incidents and improved compliance.
• Strategic Differentiation: Only Microsoft can offer this native, end-to-end integration across GitHub, Azure, and M365, making it a compelling value proposition for customers.

The Roads We Tried but Skipped

• Event Hub + Function App: We built this first. It worked, but end-to-end latency could be unpredictable, and troubleshooting across services felt a bit “black box”.
• Microsoft Sentinel GitHub connector: Useful, but it’s a pull model with minutes-level delay. If you want near-real-time monitoring and alerts, it’s not ideal.

The Path That Worked: GitHub Streaming → HEC Simulator → DCR → LAW

Five Steps to Roll Out

1. Create a Log Analytics Workspace (LAW)
2. Create a custom table github_auditlogs_CL in LAW

Recommended schema:

• • Keep these handy: DCE endpoint, DCR immutableId, stream name (often Custom-Json-github_auditlogs_CL), and an Azure AD app with rights to write to the DCR.

• • Open-source implementation: https://github.com/satomic/github-auditlogs-streaming-splunk-2-log-analytics
  • This repo includes the same service. It exposes standard HEC endpoints (/services/collector/event, /raw, /health), saves a local copy for audit, and forwards to LAW via DCR.

• • Path: Settings -> Audit log -> Audit log streaming
  • Target type: Splunk (HEC). Provide your host/IP, port (default 8088), and token matching VALID_TOKENS. TLS verification depends on whether you run the simulator with HTTPS.

What Helped Us In The Field

• Tokens and TLS: Use strong tokens and HTTPS in production; HTTP is fine to validate the pipeline in dev.
• DCR 401/403: Usually credentials or permissions. Double-check DCR immutableId, stream name, and the app permissions.
• Latency and throughput: The HEC service is async and handles concurrency well. Keep local archiving as a safety net and monitor LAW ingestion rate.
• Observability: Build small KQL views for ingestion rate and failure counts. The service exposes /health and /stats.

Solution Comparison

Conclusion

References

1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-devops-introduction
2. https://learn.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace?tabs=azure-portal
3. https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-portal-1,azure-portal-2,azure-portal-3
4. https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal
5. https://github.com/satomic/github-auditlogs-streaming-splunk-2-log-analytics