

# GitHub Audit Log source setup
<a name="github-audit-log-source-setup"></a>

**Note**  
 Important: You must have a GitHub Enterprise account to use this connector. GitHub personal and organization accounts are not supported.

## Integrating with GitHub
<a name="github-audit-log-integration"></a>

Amazon Telemetry Pipelines lets you collect audit logs from GitHub Enterprise Cloud. GitHub Enterprise is an enterprise-grade software development platform built for the complex workflows of modern development. GitHub Enterprise Cloud is the cloud-based edition of GitHub Enterprise, hosted on GitHub's servers.

## Authenticating with GitHub
<a name="github-audit-log-authentication"></a>

To read audit logs, the pipeline must authenticate with your GitHub account. For the enterprise [scope](https://docs.github.com/en/enterprise-cloud@latest/rest/enterprise-admin/audit-log?apiVersion=2022-11-28#get-the-audit-log-for-an-enterprise) you can use a personal access token; for the organization [scope](https://docs.github.com/en/enterprise-cloud@latest/rest/orgs/orgs?apiVersion=2022-11-28#get-the-audit-log-for-an-organization) you can use either a personal access token or a GitHub App.

**Generate a token to authenticate with a personal access token:**
+ Sign in to [GitHub](https://github.com/dashboard) with the credentials of your GitHub account
+ The authenticated user must be an enterprise admin to use this endpoint
+ Open the GitHub personal access tokens (classic) page, choose "Generate new token (classic)", and follow the GitHub procedure to generate a token with the `read:audit_log` scope and no expiration date
+ Store this new token in a secret in AWS Secrets Manager under the `personal_access_token` key

**Generate a private key to authenticate as a GitHub App:**
+ Sign in to [GitHub](https://github.com/dashboard) with the credentials of your GitHub account
+ Make sure the GitHub App has the "Administration" organization [permission](https://docs.github.com/en/enterprise-cloud@latest/apps/creating-github-apps/registering-a-github-app/choosing-permissions-for-a-github-app) (read)
+ Generate a private key by following the instructions in [Managing private keys for GitHub Apps](https://docs.github.com/en/enterprise-cloud@latest/apps/creating-github-apps/authenticating-with-a-github-app/managing-private-keys-for-github-apps)
+ Store this private key in a secret in AWS Secrets Manager under the `private_key` key, and store the GitHub App name under the `app_id` key
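The two procedures above leave the connector reading one AWS Secrets Manager secret whose key names depend on the scope and authentication method you chose. The following added example (not AWS or GitHub code) is a pre-flight check that a practitioner can run before creating the pipeline: it verifies that a candidate secret payload carries the keys the page specifies for the chosen scope and method (`personal_access_token`, or `private_key` plus `app_id`), rejects the combination the page does not support (a GitHub App at enterprise scope), and serializes only the expected keys for `aws secretsmanager create-secret --secret-string`. The function names and the placeholder values are assumptions of this example.

```python
"""Pre-flight check for the AWS Secrets Manager secret the GitHub audit log
connector reads. Added example, not AWS or GitHub code. The key names
personal_access_token, private_key and app_id are the ones the page specifies;
the scope/auth-method rules are the ones the page states (enterprise scope: PAT
only; organization scope: PAT or GitHub App). validate_secret and
build_secret_string are hypothetical helper names."""
import json

# Keys that must be present for each (scope, auth method) the page allows.
REQUIRED_KEYS = {
    ("enterprise", "pat"): {"personal_access_token"},
    ("organization", "pat"): {"personal_access_token"},
    ("organization", "app"): {"private_key", "app_id"},
}


def validate_secret(scope: str, method: str, secret: dict) -> list:
    """Return a list of problems with the secret payload; an empty list means usable."""
    required = REQUIRED_KEYS.get((scope, method))
    if required is None:
        return [f"unsupported combination: scope={scope!r}, method={method!r}"]
    problems = []
    for key in sorted(required):
        value = secret.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"missing or empty key: {key}")
    pem = secret.get("private_key")
    if method == "app" and isinstance(pem, str) and pem.strip() and "-----BEGIN" not in pem:
        # GitHub hands out the App private key as a PEM file; a bare string here
        # usually means the wrong value (for example a token) was pasted.
        problems.append("private_key is not PEM-encoded")
    return problems


def build_secret_string(scope: str, method: str, secret: dict) -> str:
    """Serialize the payload for `aws secretsmanager create-secret --secret-string`,
    refusing to produce it if the payload would not work for the chosen scope."""
    problems = validate_secret(scope, method, secret)
    if problems:
        raise ValueError("; ".join(problems))
    # Emit only the keys the connector reads, so a stray value (a PAT left next to
    # an App key, for instance) does not end up stored in the secret.
    return json.dumps({k: secret[k] for k in sorted(REQUIRED_KEYS[(scope, method)])})


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    app_payload = {
        "private_key": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
        "app_id": "example-audit-log-app",
    }
    print(build_secret_string("organization", "app", app_payload))
    print(validate_secret("enterprise", "app", app_payload))
```

The JSON printed by `build_secret_string` is what you pass as the `--secret-string` value; the check that fails for `("enterprise", "app")` is the one that catches a GitHub App key stored for an enterprise-scope pipeline, which the page says only accepts a personal access token.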

## Configuring the CloudWatch pipeline
<a name="github-audit-log-pipeline-config"></a>

When you configure a pipeline to read audit logs from GitHub Enterprise Cloud, choose GitHub Audit Logs as the data source. Choose the source type, Enterprise or Organization, according to the scope of the integration, and then fill in the required information for that scope, such as the enterprise name or organization name. After the pipeline is created, the data is available in the selected CloudWatch Logs log group.

## Supported Open Cybersecurity Schema Framework event classes
<a name="github-audit-log-ocsf-events"></a>

This integration supports OCSF schema version 1.5.0 and the [GitHub actions](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events) mapped to Account Change (3001), API Activity (6003), and Entity Management (3004).

**Account Change** includes the following actions:
+ org.enable\_two\_factor\_requirement
+ org.disable\_two\_factor\_requirement
+ two\_factor\_authentication.add\_factor
+ two\_factor\_authentication.enabled
+ two\_factor\_authentication.disabled
+ two\_factor\_authentication.remove\_factor
+ org.disable\_saml
+ org.enable\_saml
+ personal\_access\_token.access\_restriction\_disabled
+ personal\_access\_token.access\_restriction\_enabled
+ personal\_access\_token.expiration\_limit\_set
+ personal\_access\_token.expiration\_limit\_unset

**API Activity** includes the following actions:
+ repository\_secret\_scanning\_custom\_pa....create
+ repository\_secret\_scanning\_custom\_pa....update
+ repository\_secret\_scanning\_custom\_pa....delete
+ repository\_secret\_scanning\_custom\_pa....publish
+ repository\_secret\_scanning\_custom\_p....enabled
+ repository\_secret\_scanning\_custom\_p....disabled
+ repository\_secret\_scanning\_non\_provi....enabled
+ repository\_secret\_scanning\_non\_provi....disabled
+ repository\_secret\_scanning\_generic\_s....enabled
+ repository\_secret\_scanning\_generic\_s....disabled
+ business\_secret\_scanning\_custom\_pattern.create
+ business\_secret\_scanning\_custom\_pattern.update
+ business\_secret\_scanning\_custom\_pattern.delete
+ business\_secret\_scanning\_custom\_pattern.publish
+ business\_secret\_scanning\_custom\_patt....enabled
+ business\_secret\_scanning\_custom\_patt....disabled
+ business\_secret\_scanning\_generic\_secrets.enabled
+ business\_secret\_scanning\_generic\_secrets.disabled
+ business\_secret\_scanning\_non\_provide....enabled
+ business\_secret\_scanning\_non\_provide....disabled
+ org\_secret\_scanning\_non\_provider\_patt....enabled
+ org\_secret\_scanning\_non\_provider\_patt....disabled
+ org\_secret\_scanning\_generic\_secrets.enabled
+ org\_secret\_scanning\_generic\_secrets.disabled
+ org\_secret\_scanning\_custom\_pattern.create
+ org\_secret\_scanning\_custom\_pattern.update
+ org\_secret\_scanning\_custom\_pattern.delete
+ org\_secret\_scanning\_custom\_pattern.publish

**Entity Management** includes the following actions:
+ oauth\_application.destroy
+ oauth\_application.generate\_client\_secret
+ oauth\_application.remove\_client\_secret
+ oauth\_application.revoke\_all\_tokens
+ oauth\_application.revoke\_tokens
+ oauth\_application.transfer
+ personal\_access\_token.auto\_approve\_grant\_requests\_enabled
+ personal\_access\_token.auto\_approve\_grant\_requests\_disabled
+ ip\_allow\_list.disable
+ ip\_allow\_list.enable\_for\_installed\_apps
+ ip\_allow\_list.disable\_for\_installed\_apps
+ ip\_allow\_list\_entry.create
+ ip\_allow\_list\_entry.update
+ ip\_allow\_list\_entry.destroy
+ repository\_secret\_scanning.disable
+ repository\_secret\_scanning\_automatic....disabled
+ repository\_secret\_scanning\_push\_prot....disable
+ repository\_secret\_scanning\_push\_prot....enable
+ oauth\_application.create
+ oauth\_application.reset\_secret
+ auto\_approve\_personal\_access\_token\_req....enabled
+ auto\_approve\_personal\_access\_token\_req....disabled
+ ip\_allow\_list.enable
+ ip\_allow\_list.disable\_user\_level\_enforcement
+ ip\_allow\_list.enable\_user\_level\_enforcement
+ repository\_secret\_scanning.enable
+ repository\_secret\_scanning\_automatic....enabled
+ repository\_secret\_scanning\_push\_prot....enable
+ repository\_secret\_scanning\_push\_prot....add
+ repository\_secret\_scanning\_push\_prot....remove
+ repository\_secret\_scanning\_push\_prot....disable
+ secret\_scanning.enable
+ secret\_scanning.disable
+ secret\_scanning\_new\_repos.enable
+ org\_secret\_scanning\_automatic\_validi....enabled
+ org\_secret\_scanning\_automatic\_validi....disabled
+ org\_secret\_scanning\_push\_protection\_b....add
+ org\_secret\_scanning\_push\_protection\_b....remove
+ org\_secret\_scanning\_push\_protection\_b....disable
+ org\_secret\_scanning\_push\_protection\_b....enable
+ business\_secret\_scanning\_automatic\_va....enabled
+ business\_secret\_scanning\_automatic\_va....disabled
+ business\_secret\_scanning\_push\_protection.enable
+ business\_secret\_scanning\_push\_protection.disable
+ business\_secret\_scanning\_push\_protection.enabled\_for\_new\_repos
+ business\_secret\_scanning\_push\_protection.disabled\_for\_new\_repos
+ business\_secret\_scanning\_push\_prote....enable
+ business\_secret\_scanning\_push\_prote....update
+ business\_secret\_scanning\_push\_prote....disable
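The three lists above define which GitHub audit log actions reach the log group and under which OCSF class. The following added example (not AWS or GitHub code) turns those lists into a lookup table and runs it over a few constructed events in the shape of GitHub audit log API output, counting events per `class_uid` and listing actions the integration does not map, so a detection built on the log group knows which GitHub events it will never see there. Only the fully spelled action names from the page are included (names the page truncates with "...." are left out); the `class_uid` values 3001, 6003 and 3004 are the ones the page names, and the helper names and sample events are assumptions of this example.

```python
"""Map GitHub audit log actions to the OCSF 1.5.0 classes this integration
assigns them to, and run the mapping over constructed sample events.
Added example, not AWS or GitHub code. Action names are the fully spelled ones
from the page's lists (names the page truncates with "...." are omitted);
class_uid values are the ones the page names. classify and summarize are
hypothetical helper names; SAMPLE_EVENTS is constructed, not real log data."""
import json
from collections import Counter
from typing import Optional

ACCOUNT_CHANGE, ENTITY_MANAGEMENT, API_ACTIVITY = 3001, 3004, 6003


def _expand(prefix: str, *suffixes: str) -> list:
    """Build 'prefix.suffix' action names for a group that shares a prefix."""
    return [f"{prefix}.{s}" for s in suffixes]


ACTION_TO_CLASS = {}
for _action in (
    _expand("org", "enable_two_factor_requirement", "disable_two_factor_requirement",
            "disable_saml", "enable_saml")
    + _expand("two_factor_authentication", "add_factor", "enabled", "disabled", "remove_factor")
    + _expand("personal_access_token", "access_restriction_disabled",
              "access_restriction_enabled", "expiration_limit_set", "expiration_limit_unset")
):
    ACTION_TO_CLASS[_action] = ACCOUNT_CHANGE
for _action in (
    _expand("business_secret_scanning_custom_pattern", "create", "update", "delete", "publish")
    + _expand("org_secret_scanning_custom_pattern", "create", "update", "delete", "publish")
    + _expand("business_secret_scanning_generic_secrets", "enabled", "disabled")
    + _expand("org_secret_scanning_generic_secrets", "enabled", "disabled")
):
    ACTION_TO_CLASS[_action] = API_ACTIVITY
for _action in (
    _expand("oauth_application", "destroy", "generate_client_secret", "remove_client_secret",
            "revoke_all_tokens", "revoke_tokens", "transfer", "create", "reset_secret")
    + _expand("personal_access_token", "auto_approve_grant_requests_enabled",
              "auto_approve_grant_requests_disabled")
    + _expand("ip_allow_list", "enable", "disable", "enable_for_installed_apps",
              "disable_for_installed_apps", "enable_user_level_enforcement",
              "disable_user_level_enforcement")
    + _expand("ip_allow_list_entry", "create", "update", "destroy")
    + _expand("repository_secret_scanning", "enable", "disable")
    + _expand("secret_scanning", "enable", "disable")
    + _expand("secret_scanning_new_repos", "enable")
    + _expand("business_secret_scanning_push_protection", "enable", "disable",
              "enabled_for_new_repos", "disabled_for_new_repos")
):
    ACTION_TO_CLASS[_action] = ENTITY_MANAGEMENT


def classify(action: str) -> Optional[int]:
    """OCSF class_uid for a GitHub action, or None if this integration does not map it."""
    return ACTION_TO_CLASS.get(action)


def summarize(ndjson: str) -> dict:
    """Count newline-delimited JSON events per class_uid. Unmapped actions are counted
    under "unmapped" and listed, so they are not silently lost."""
    counts, unmapped = Counter(), set()
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        action = json.loads(line).get("action", "")
        class_uid = classify(action)
        if class_uid is None:
            counts["unmapped"] += 1
            unmapped.add(action)
        else:
            counts[class_uid] += 1
    return {"counts": dict(counts), "unmapped_actions": sorted(unmapped)}


# Constructed sample events in the shape of GitHub audit log API output; not real logs.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"@timestamp": 1700000000000, "action": "org.disable_saml", "actor": "alice", "org": "example-org"},
    {"@timestamp": 1700000001000, "action": "ip_allow_list.disable", "actor": "bob", "org": "example-org"},
    {"@timestamp": 1700000002000, "action": "org_secret_scanning_custom_pattern.delete", "actor": "carol", "org": "example-org"},
    {"@timestamp": 1700000003000, "action": "repo.create", "actor": "dave", "org": "example-org"},
])

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_EVENTS), indent=2))
```

The unmapped bucket is the useful part: `repo.create` in the constructed sample is a GitHub action the page does not list, so an alert that depends on it has to come from another source, while SAML and IP allow list changes land in Account Change (3001) and Entity Management (3004) respectively.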