

# GitHub Audit Log source setup
<a name="github-audit-log-source-setup"></a>

**Note**  
Important: a GitHub Enterprise account is required to use this connector. GitHub personal and organization accounts are not supported.

## Integrating with GitHub
<a name="github-audit-log-integration"></a>

Amazon Telemetry Pipelines lets you collect audit logs from GitHub Enterprise Cloud. GitHub Enterprise is an enterprise-grade software development platform designed for the complex workflows of modern development. GitHub Enterprise Cloud is the cloud-based edition of GitHub Enterprise, hosted on GitHub's servers.

## Authenticating with GitHub
<a name="github-audit-log-authentication"></a>

To read audit logs, the pipeline needs to authenticate with your GitHub account. For the enterprise [scope](https://docs.github.com/en/enterprise-cloud@latest/rest/enterprise-admin/audit-log?apiVersion=2022-11-28#get-the-audit-log-for-an-enterprise), you can use a personal access token; for the organization [scope](https://docs.github.com/en/enterprise-cloud@latest/rest/orgs/orgs?apiVersion=2022-11-28#get-the-audit-log-for-an-organization), you can use either a personal access token or a GitHub App.

**Generate a token to authenticate with a personal access token:**
+ Sign in to [GitHub](https://github.com/dashboard) with your GitHub account credentials
+ The authenticated user must be an enterprise admin to use this endpoint
+ Open the GitHub Personal access tokens (classic) page, find "Generate new token (classic)", and follow the GitHub procedure to generate a token with the `read:audit_log` scope and no expiration date
+ Store this new token in a secret in Amazon Secrets Manager under the `personal_access_token` key

**Generate a private key to authenticate as a GitHub App:**
+ Sign in to [GitHub](https://github.com/dashboard) with your GitHub account credentials
+ Make sure the GitHub App has the "Administration" organization [permission](https://docs.github.com/en/enterprise-cloud@latest/apps/creating-github-apps/registering-a-github-app/choosing-permissions-for-a-github-app) (read)
+ Follow the instructions in [Managing private keys for GitHub Apps](https://docs.github.com/en/enterprise-cloud@latest/apps/creating-github-apps/authenticating-with-a-github-app/managing-private-keys-for-github-apps) to generate a private key
+ Store this private key in a secret in Amazon Secrets Manager under the `private_key` key, and store the GitHub App name under the `app_id` key

## Configuring the CloudWatch pipeline
<a name="github-audit-log-pipeline-config"></a>

When configuring the pipeline to read audit logs from GitHub Enterprise Cloud, select GitHub Audit Logs as the data source. Set the source type to Enterprise or Organization according to the integration scope, and then fill in the required information for the chosen scope, such as the enterprise name or organization name. After the pipeline is created, the data becomes available in the selected CloudWatch Logs log group.
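A preflight check, added here as an example (it is not part of the pipeline or of GitHub's tooling), that confirms the Secrets Manager secret carries the keys listed in the authentication steps and that a classic personal access token can reach the audit log endpoint for the chosen scope. The function names `validate_secret`, `audit_log_url`, `has_scope` and `preflight`, and the `github_app` mode label, are assumptions made for this example.

```python
import json
import urllib.error
import urllib.request

API = "https://api.github.com"
REQUIRED_SCOPE = "read:audit_log"  # scope the token needs per the steps above

# Secret keys the authentication steps require for each mode.
# The mode label "github_app" is an assumption made for this example.
REQUIRED_KEYS = {
    "personal_access_token": {"personal_access_token"},
    "github_app": {"private_key", "app_id"},
}


def validate_secret(secret_json: str, auth_mode: str) -> list:
    """Return the required keys that are missing or empty in the secret."""
    secret = json.loads(secret_json)
    return sorted(k for k in REQUIRED_KEYS[auth_mode] if not secret.get(k))


def audit_log_url(scope: str, name: str) -> str:
    """Audit log endpoint for the integration scope: 'enterprise' or 'organization'."""
    if scope == "enterprise":
        return f"{API}/enterprises/{name}/audit-log"
    if scope == "organization":
        return f"{API}/orgs/{name}/audit-log"
    raise ValueError(f"unknown scope: {scope}")


def has_scope(x_oauth_scopes: str, wanted: str = REQUIRED_SCOPE) -> bool:
    """Parse the comma-separated X-OAuth-Scopes header GitHub returns for classic tokens."""
    scopes = {s.strip() for s in x_oauth_scopes.split(",") if s.strip()}
    return wanted in scopes


def preflight(token: str, scope: str, name: str) -> dict:
    """Fetch one audit log entry and report the HTTP status and scope check (network call)."""
    req = urllib.request.Request(
        audit_log_url(scope, name) + "?per_page=1",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            status, granted = resp.status, resp.headers.get("X-OAuth-Scopes", "")
    except urllib.error.HTTPError as err:  # 401/403 still carry the scope header
        status, granted = err.code, err.headers.get("X-OAuth-Scopes", "")
    return {"status": status, "scope_ok": has_scope(granted), "granted": granted}
```

A status of 200 together with `scope_ok` true means the token and scope match what the pipeline will use; a 403 with `scope_ok` false points at the missing `read:audit_log` scope, while a 403 with `scope_ok` true points at the enterprise-admin requirement instead.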

## Supported Open Cybersecurity Schema Framework event classes
<a name="github-audit-log-ocsf-events"></a>

This integration supports OCSF schema version 1.5.0 and the [GitHub actions](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events) mapped to Account Change (3001), API Activity (6003) and Entity Management (3004).

**Account Change** includes the following actions:
+ org.enable_two_factor_requirement
+ org.disable_two_factor_requirement
+ two_factor_authentication.add_factor
+ two_factor_authentication.enabled
+ two_factor_authentication.disabled
+ two_factor_authentication.remove_factor
+ org.disable_saml
+ org.enable_saml
+ personal_access_token.access_restriction_disabled
+ personal_access_token.access_restriction_enabled
+ personal_access_token.expiration_limit_set
+ personal_access_token.expiration_limit_unset

**API Activity** includes the following actions:
+ repository_secret_scanning_custom_pa....create
+ repository_secret_scanning_custom_pa....update
+ repository_secret_scanning_custom_pa....delete
+ repository_secret_scanning_custom_pa....publish
+ repository_secret_scanning_custom_p....enabled
+ repository_secret_scanning_custom_p....disabled
+ repository_secret_scanning_non_provi....enabled
+ repository_secret_scanning_non_provi....disabled
+ repository_secret_scanning_generic_s....enabled
+ repository_secret_scanning_generic_s....disabled
+ business_secret_scanning_custom_pattern.create
+ business_secret_scanning_custom_pattern.update
+ business_secret_scanning_custom_pattern.delete
+ business_secret_scanning_custom_pattern.publish
+ business_secret_scanning_custom_patt....enabled
+ business_secret_scanning_custom_patt....disabled
+ business_secret_scanning_generic_secrets.enabled
+ business_secret_scanning_generic_secrets.disabled
+ business_secret_scanning_non_provide....enabled
+ business_secret_scanning_non_provide....disabled
+ org_secret_scanning_non_provider_patt....enabled
+ org_secret_scanning_non_provider_patt....disabled
+ org_secret_scanning_generic_secrets.enabled
+ org_secret_scanning_generic_secrets.disabled
+ org_secret_scanning_custom_pattern.create
+ org_secret_scanning_custom_pattern.update
+ org_secret_scanning_custom_pattern.delete
+ org_secret_scanning_custom_pattern.publish

**Entity Management** includes the following actions:
+ oauth_application.destroy
+ oauth_application.generate_client_secret
+ oauth_application.remove_client_secret
+ oauth_application.revoke_all_tokens
+ oauth_application.revoke_tokens
+ oauth_application.transfer
+ personal_access_token.auto_approve_grant_requests_enabled
+ personal_access_token.auto_approve_grant_requests_disabled
+ ip_allow_list.disable
+ ip_allow_list.enable_for_installed_apps
+ ip_allow_list.disable_for_installed_apps
+ ip_allow_list_entry.create
+ ip_allow_list_entry.update
+ ip_allow_list_entry.destroy
+ repository_secret_scanning.disable
+ repository_secret_scanning_automatic....disabled
+ repository_secret_scanning_push_prot....disable
+ repository_secret_scanning_push_prot....enable
+ oauth_application.create
+ oauth_application.reset_secret
+ auto_approve_personal_access_token_req....enabled
+ auto_approve_personal_access_token_req....disabled
+ ip_allow_list.enable
+ ip_allow_list.disable_user_level_enforcement
+ ip_allow_list.enable_user_level_enforcement
+ repository_secret_scanning.enable
+ repository_secret_scanning_automatic....enabled
+ repository_secret_scanning_push_prot....enable
+ repository_secret_scanning_push_prot....add
+ repository_secret_scanning_push_prot....remove
+ repository_secret_scanning_push_prot....disable
+ secret_scanning.enable
+ secret_scanning.disable
+ secret_scanning_new_repos.enable
+ org_secret_scanning_automatic_validi....enabled
+ org_secret_scanning_automatic_validi....disabled
+ org_secret_scanning_push_protection_b....add
+ org_secret_scanning_push_protection_b....remove
+ org_secret_scanning_push_protection_b....disable
+ org_secret_scanning_push_protection_b....enable
+ business_secret_scanning_automatic_va....enabled
+ business_secret_scanning_automatic_va....disabled
+ business_secret_scanning_push_protection.enable
+ business_secret_scanning_push_protection.disable
+ business_secret_scanning_push_protection.enabled_for_new_repos
+ business_secret_scanning_push_protection.disabled_for_new_repos
+ business_secret_scanning_push_prote....enable
+ business_secret_scanning_push_prote....update
+ business_secret_scanning_push_prote....disable