Solution: GitHub
| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.1.4 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2021-10-18 |
| Last Updated | 2026-03-27 |
| Solution Folder | GitHub |
| Marketplace | Azure Marketplace · Rating: ★★☆☆☆ 2.3/5 (3 ratings) · Popularity: 🟢 High (82%) |
The GitHub Solution for Microsoft Sentinel enables you to ingest events and logs from GitHub into Microsoft Sentinel using the GitHub audit log API and webhooks. You can then view and analyze this data in your workbooks, query it to create custom alerts, and incorporate it into your investigation process, giving you more insight into your platform security.
Underlying Microsoft Technologies used:
This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
NOTE: Microsoft recommends installation of "GitHubAuditDefinitionV2" (via Codeless Connector Framework). This connector is built on the Codeless Connector Framework (CCF), which uses the Log Ingestion API, replacing ingestion via the deprecated HTTP Data Collector API. CCF-based data connectors also support Data Collection Rules (DCRs), offering transformations and enrichment.
Important: While the updated connector(s) can coexist with their legacy versions, running them together will result in duplicated data ingestion. You can disable the older versions of these connectors to avoid duplication of data.
This solution provides 4 data connector(s):
🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.
This solution uses 5 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
| GitHubAdvancedSecurityAlerts_CL 🔶 | GitHub (using Webhooks) V2 | - |
| GitHubAuditLogPolling_CL | [Deprecated] GitHub Enterprise Audit Log | Analytics, Hunting |
| GitHubAuditLogsV2_CL | GitHub Enterprise Audit Log (via Codeless Connector Framework), [Deprecated] GitHub Enterprise Audit Log | Analytics, Hunting |
| GitHubRepoLogs_CL | - | Analytics |
| githubscanaudit_CL | GitHub (using Webhooks), GitHub (using Webhooks) V2 | Workbooks |
🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes which are also permitted in CLv2, so this classification may not always be accurate.
This solution includes 29 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 14 |
| Hunting Queries | 8 |
| Parsers | 5 |
| Workbooks | 2 |
| Name | Tables Used |
|---|---|
| GitHub | githubscanaudit_CL |
| GitHubAdvancedSecurity | githubscanaudit_CL |
| Name | Description | Tables Used |
|---|---|---|
| GitHubAuditData | - | GitHubAuditLogPolling_CL (read), GitHubAuditLogsV2_CL (read) |
| GitHubCodeScanningData | - | githubscanaudit_CL (read) |
| GitHubDependabotData | - | githubscanaudit_CL (read) |
| GitHubScanAudit | - | - |
| GitHubSecretScanningData | - | githubscanaudit_CL (read) |
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.2.0 | 24-04-2026 | Added GitHub Webhook V2 data connector (CLv2/Logs Ingestion API) public preview |
| 3.1.4 | 19-03-2026 | Fix NRT 2FA rule for new parser format. |
| 3.1.3 | 29-01-2026 | Promoted GitHub Enterprise Cloud Audit Log CCF connector from Public Preview to GA. |
| 3.1.2 | 24-11-2025 | Added clarity to Github Enterprise Audit CCF connector definition to use API URL. |
| 3.1.1 | 13-11-2025 | Fixed URL handling for GitHub Enterprise Audit CCF connector. |
| 3.1.0 | 05-11-2025 | Updated Github Enterprise Audit CCF connector to use full URL instead of enterprise name. |
| 3.0.9 | 05-09-2025 | Enhancements to user guidance for connecting GitHub Enterprise audit logs connector |
| 3.0.8 | 26-08-2025 | Removed deprecated tag from webhook connector. |
| 3.0.7 | 19-06-2025 | Introducing a new CCF-based GitHub Enterprise Audit connector to replace the CLV1 connector |
| 3.0.6 | 26-04-2024 | Repackaged for fix on parser in maintemplate to have old parsername and parentid. |
| 3.0.5 | 18-04-2024 | Repackaged to fix parser issue. |
| 3.0.4 | 04-04-2024 | Updated Entity Mappings in Analytic Rules. |
| 3.0.3 | 31-01-2024 | Updated the solution to fix Analytic Rules deployment issue. |
| 3.0.2 | 06-11-2023 | Updated the Workbook name to resolve the issue of multiple keywords. |
| 3.0.1 | 22-08-2023 | Modified GitHubWorkbook to add new features (a.Filtering by organizations, b.Filtering by repository topics). |
| 3.0.0 | 17-07-2023 | Data Connectors description updated & Code Enhancements added for Workbooks. |