Before you start
You need a GitHub Enterprise account (cloud-hosted or self-hosted) with access to audit log GraphQL API. For more information, see GitHub's products.
Note: The audit log REST API is available as a public beta for users of GitHub Enterprise Cloud only.
Step 1: Generate API credentials
The GitHub integration polls events from the GraphQL API using a Personal Access Token.
- Create a Personal Access Token by navigating to your Account Settings on the menu under your profile photo in the top right of any page.
- In the sidebar, click Developer settings and then click Personal access tokens.
- Click Generate new token.
- Grant the token the defined permissions from the image below.
- Click Generate token.
- Enable SSO if the option is available.
- Click to copy the token to your clipboard. For security reasons, after you leave the page, you won't see the token again.
- Use this token when configuring GitHub in Workbench.
Step 2: Configure the technology in Workbench
Now that we have all the correct access configured and noted the credentials, we can integrate GitHub with Expel Workbench.
Register device in Expel Workbench
- In a new browser tab, login to https://workbench.expel.io.
- On the console page, navigate to Settings and click Security Devices.
- At the top right of the page, select Add Security Device.
- Search for and select your technology (GitHub).
- For SIEM select Expel Cloud Service.
- Complete all fields using the credentials and information you collected in Step 1.
- For Name type the name of your GitHub organization.
- For Location type Cloud.
- For API key type the API generated in Step 1.
- For Organization name, type the name of your GitHub organization.
- For Enterprise slug, type the enterprise slug URL (only required if you use enterprise SAML identity provider, otherwise it can be left blank).
- Click Save.
After a few minutes, refresh the Security Devices page and you see your device status reporting as Healthy, or if there is an issue, you see details of what the issue may be.
To check if alerts are coming through, navigate to Alerts on the console page. Click the icon in the upper right to switch to grid view, then check the list for device alerts.