Recopila registros de auditoría de GitHub
Se admite en los siguientes sistemas operativos:
Google SecOps
SIEM
En este documento, se explica cómo transferir registros de auditoría de GitHub a Google Security Operations con Amazon S3. El analizador intenta extraer datos del campo "message" con varios patrones de Grok, y controla los formatos JSON y no JSON. Según el "process_type" extraído, aplica una lógica de análisis específica con grok, kv y otros filtros para asignar los datos de registro sin procesar al esquema del modelo de datos unificado (UDM).
Antes de comenzar
Asegúrate de cumplir con los siguientes requisitos previos:
- Es la instancia de Google SecOps.
- Acceso privilegiado al arrendatario de GitHub Enterprise Cloud con permisos de propietario de la empresa.
- Acceso con privilegios a AWS (S3, IAM).
Recopila los requisitos previos de GitHub Enterprise Cloud (acceso a Enterprise)
- Accede a la Consola del administrador de GitHub Enterprise Cloud.
- Ve a Configuración de la empresa > Configuración > Registro de auditoría > Transmisión de registros.
- Asegúrate de tener permisos de propietario de la empresa para configurar la transmisión de registros de auditoría.
- Copia y guarda en una ubicación segura los siguientes detalles:
- Nombre de GitHub Enterprise
- Nombres de organizaciones en la empresa
Configura el bucket de S3 de AWS y Identity and Access Management para Google SecOps
- Crea un bucket de Amazon S3 siguiendo esta guía del usuario: Crea un bucket
- Guarda el Nombre y la Región del bucket para futuras referencias (por ejemplo,
github-audit-logs). - Crea un usuario siguiendo esta guía del usuario: Cómo crear un usuario de IAM.
- Selecciona el usuario creado.
- Selecciona la pestaña Credenciales de seguridad.
- Haz clic en Crear clave de acceso en la sección Claves de acceso.
- Selecciona Servicio de terceros como Caso de uso.
- Haz clic en Siguiente.
- Opcional: Agrega una etiqueta de descripción.
- Haz clic en Crear clave de acceso.
- Haz clic en Descargar archivo .CSV para guardar la clave de acceso y la clave de acceso secreta para consultarlas en el futuro.
- Haz clic en Listo.
Configura la política de IAM para la transmisión de S3 de GitHub
- En la consola de AWS, ve a IAM > Políticas > Crear política > pestaña JSON.
- Copia y pega la siguiente política.
JSON de la política (reemplaza
github-audit-logssi ingresaste un nombre de bucket diferente):{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowPutObjects", "Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::github-audit-logs/*" } ] }Haz clic en Siguiente > Crear política.
Asigna el nombre
GitHubAuditStreamingPolicya la política y haz clic en Crear política.Regresa al usuario de IAM que creaste anteriormente.
Selecciona la pestaña Permisos.
Haz clic en Agregar permisos > Adjuntar políticas directamente.
Busca y selecciona
GitHubAuditStreamingPolicy.Haz clic en Siguiente > Agregar permisos.
Configura la transmisión de registros de auditoría de GitHub Enterprise Cloud
- Accede a GitHub Enterprise Cloud como propietario de la empresa.
- Haz clic en tu foto de perfil y, luego, en Configuración de la empresa.
- En la barra lateral de la cuenta empresarial, haz clic en Configuración > Registro de auditoría > Transmisión de registros.
- Selecciona Configurar flujo y haz clic en Amazon S3.
- En Autenticación, haz clic en Claves de acceso.
- Proporciona los siguientes detalles de configuración:
- Región: Selecciona la región del bucket (por ejemplo,
us-east-1). - Bucket: Escribe el nombre del bucket al que deseas transmitir (por ejemplo,
github-audit-logs). - ID de clave de acceso: Ingresa el ID de tu clave de acceso del usuario de IAM.
- Clave secreta: Ingresa tu clave secreta del usuario de IAM.
- Región: Selecciona la región del bucket (por ejemplo,
- Haz clic en Verificar extremo para verificar que GitHub pueda conectarse y escribir en el extremo de Amazon S3.
- Después de verificar correctamente el extremo, haz clic en Guardar.
Crea un usuario y claves de IAM de solo lectura para Google SecOps
- Ve a Consola de AWS > IAM > Usuarios > Agregar usuarios.
- Haz clic en Agregar usuarios.
- Proporciona los siguientes detalles de configuración:
- Usuario: Ingresa
secops-reader. - Tipo de acceso: Selecciona Clave de acceso: Acceso programático.
- Usuario: Ingresa
- Haz clic en Crear usuario.
- Adjunta la política de lectura mínima (personalizada): Usuarios > secops-reader > Permisos > Agregar permisos > Adjuntar políticas directamente > Crear política.
JSON:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::github-audit-logs/*" }, { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::github-audit-logs" } ] }Name =
secops-reader-policy.Haz clic en Crear política > busca o selecciona > Siguiente > Agregar permisos.
Crea una clave de acceso para
secops-reader: Credenciales de seguridad > Claves de acceso > Crear clave de acceso > descarga el archivo.CSV(pegarás estos valores en el feed).
Configura un feed en Google SecOps para transferir registros de GitHub
- Ve a Configuración de SIEM > Feeds.
- Haz clic en + Agregar feed nuevo.
- En el campo Nombre del feed, ingresa un nombre para el feed (por ejemplo,
GitHub audit logs). - Selecciona Amazon S3 V2 como el Tipo de fuente.
- Selecciona GitHub como el Tipo de registro.
- Haz clic en Siguiente.
- Especifica valores para los siguientes parámetros de entrada:
- URI de S3:
s3://github-audit-logs/ - Opciones de borrado de la fuente: Selecciona la opción de borrado según tu preferencia.
- Antigüedad máxima del archivo: Incluye los archivos modificados en la cantidad de días especificada. El valor predeterminado es de 180 días.
- ID de clave de acceso: Clave de acceso del usuario con acceso al bucket de S3.
- Clave de acceso secreta: Clave secreta del usuario con acceso al bucket de S3.
- Espacio de nombres del recurso: Es el espacio de nombres del recurso.
- Etiquetas de transferencia: Es la etiqueta que se aplica a los eventos de este feed.
- URI de S3:
- Haz clic en Siguiente.
- Revisa la nueva configuración del feed en la pantalla Finalizar y, luego, haz clic en Enviar.
Tipos de eventos
En la siguiente tabla, se enumeran los tipos de eventos y las condiciones para cada uno de ellos:
| event_type | Condiciones |
|---|---|
NETWORK_CONNECTION |
[has_target] == "true" && [has_principal] == "true" |
PROCESS_LAUNCH |
[has_principal] == "true" && [has_target_process] == "true" |
STATUS_UPDATE |
[has_principal] == "true" |
USER_LOGIN |
[raw][message] =~ "Authentication success" or [message] =~ "Authentication success" && ([has_target]== "true" || [has_target_user] == "true") |
USER_RESOURCE_CREATION |
[has_target_resource] == "true" && [has_principal_userid] == "true" && [action] in ["personal_access_token.create" ,"repository_vulnerability_alert.create"] |
USER_RESOURCE_DELETION |
[has_target_resource] == "true" && [has_principal_user] == "true" && [action] in ["hook.destroy" ,"protected_branch.destroy" ,"public_key.delete"] |
USER_RESOURCE_DELETION |
[has_target_resource] == "true" && [has_principal_userid] == "true" && [action] in [ "hook.destroy" ,"protected_branch.destroy" ,"public_key.delete"] |
USER_RESOURCE_UPDATE_CONTENT |
[has_target_resource] == "true" && [has_principal_userid] == "true" && [action] in [ "pull_request.merge" , "hook.events_changed"] |
USER_RESOURCE_UPDATE_PERMISSIONS |
[has_target_resource] == "true" && [has_principal_userid] == "true" && [action] in ["repo.update_actions_secret","protected_branch.update_pull_request_reviews_enforcement_level", "org.update_member" ,"protected_branch.update_admin_enforced" ,"protected_branch.update_required_status_checks_enforcement_level","org.integration_manager_removed" ,"repo.update_member", "repo.add_member"] |
USER_UNCATEGORIZED |
[has_principal_userid] == "true" |
Tabla de asignación de UDM
| Campo de registro | Asignación de UDM | Comentarios |
|---|---|---|
above_lock_quota |
additional.fields |
|
above_warn_quota |
additional.fields |
|
ac_ms |
additional.fields |
|
accept |
additional.fields |
|
action |
metadata.product_event_type |
Para registros JSON |
action |
security_result.summary |
Son los registros de syslog. |
active |
target.resource.attribute.labels |
|
active_job_id |
additional.fields |
|
actor |
principal.user.userid |
|
actor_id |
principal.user.attribute.labels.value |
|
actor_ip |
principal.ip |
|
actor_is_agent |
additional.fields |
|
actor_is_bot |
principal.user.attribute.labels |
|
actor_location.country_code |
principal.location.country_or_region |
|
actor_session |
additional.fields |
|
additional_list |
additional.fields |
|
additional_string |
additional.fields |
|
after |
additional.fields |
|
alert_id |
security_result.detection_fields |
|
alert_number |
security_result.detection_fields |
|
alert_numbers |
additional.fields |
|
allow_deletions_enforcement_level |
additional.fields |
|
allow_force_pushes_enforcement_level |
additional.fields |
|
allow_private_repository_forking |
additional.fields |
|
application_name |
target.application |
|
aqueduct_job_id |
additional.fields |
|
auth_tries |
additional.fields |
|
babeld |
additional.fields |
|
banner |
additional.fields |
|
before |
additional.fields |
|
best_cipher |
additional.fields |
|
best_kex |
additional.fields |
|
best_mac |
additional.fields |
|
best_sigtype |
additional.fields |
|
Body |
security_result.description |
|
branch |
target.resource.attribute.labels |
|
branches |
target.resource.attribute.labels |
|
business |
additional.fields |
|
business_id |
additional.fields |
|
cactive |
additional.fields |
|
calling_workflow_refs |
target.resource.attribute.labels |
|
calling_workflow_shas |
target.resource.attribute.labels |
|
changes.body.from |
additional.fields |
|
charset |
additional.fields |
|
check_run.app |
additional.fields |
|
check_run.app.events |
additional.fields |
|
check_run.app.owner |
additional.fields |
|
check_run.check_suite.app.client_id |
additional.fields |
|
check_run.check_suite.app.created_at |
additional.fields |
|
check_run.check_suite.app.description |
additional.fields |
|
check_run.check_suite.app.events |
additional.fields |
|
check_run.check_suite.app.external_url |
additional.fields |
|
check_run.check_suite.app.html_url |
additional.fields |
|
check_run.check_suite.app.id |
additional.fields |
|
check_run.check_suite.app.name |
additional.fields |
|
check_run.check_suite.app.node_id |
additional.fields |
|
check_run.check_suite.app.slug |
additional.fields |
|
check_run.check_suite.app.updated_at |
additional.fields |
|
check_run.check_suite.conclusion |
additional.fields |
|
check_run.check_suite.id |
additional.fields |
|
check_run.check_suite.url |
additional.fields |
|
check_run.completed_at |
additional.fields |
|
check_run.conclusion |
additional.fields |
|
check_run.output |
additional.fields |
|
check_run.started_at |
additional.fields |
|
check_suite (todos sus subcampos) |
additional.fields |
|
check_suite.app (todos sus subcampos) |
additional.fields |
|
check_suite.app.events |
additional.fields |
|
check_suite.app.owner (todos sus subcampos) |
additional.fields |
|
check_suite.head_commit (todos sus subcampos) |
additional.fields |
|
cid |
additional.fields |
|
cipher |
network.tls.cipher |
|
client_id |
principal.user.attribute.labels |
|
cloning |
additional.fields |
|
code |
additional.fields |
|
CodeNamespace |
additional.fields |
|
comment (todos sus subcampos) |
additional.fields |
|
comment.performed_via_github_app (todos sus subcampos) |
additional.fields |
|
comment.performed_via_github_app.events |
additional.fields |
|
comment.reactions (todos sus subcampos) |
additional.fields |
|
commit.author |
principal.resource.attribute.labels |
|
commit.commit.author.date |
additional.fields |
|
commit.commit.author.email |
additional.fields |
|
commit.commit.author.name |
additional.fields |
|
commit.commit.tree.url |
additional.fields |
|
commit.commit.verification |
additional.fields |
|
commit.committer |
additional.fields |
|
commit.parents |
additional.fields |
|
commit.sha |
additional.fields |
|
commit.url |
additional.fields |
|
commit_oid |
additional.fields |
|
committer_date |
additional.fields |
|
completed_at |
vulns.vulnerabilities.scan_end_time |
|
config.content_typt |
target.resource.attribute.labels |
|
config.insecure_ssl |
target.resource.attribute.labels |
|
config.secret |
target.resource.attribute.labels |
|
config.url |
target.url |
|
considers.site.admin |
additional.fields |
|
content_type |
target.file.mime_type |
|
cr |
additional.fields |
|
create_protected |
additional.fields |
|
created_at |
metadata.event_timestamp |
El valor se convierte de milisegundos de UNIX a una marca de tiempo. |
credential |
detection_fields |
|
ctotal |
additional.fields |
|
data._document_id |
metadata.product_log_id |
|
data.active_job_id |
additional.fields |
|
data.aqueduct_job_id |
additional.fields |
|
data.business |
target.administrative_domain |
|
data.business_id |
additional.fields |
|
data.cancelled_at |
extensions.vulns.vulnerabilities.scan_end_time |
El valor se convierte del formato ISO8601 a una marca de tiempo. |
data.category_type |
security_result.category_details |
|
data.dn |
additional.fields |
|
data.email |
target.user.email_addresses |
|
data.entry_found |
additional.fields |
|
data.event |
target.resource.attribute.labels |
|
data.events |
security_result.about.labels.value |
|
data.head_branch |
target.resource.attribute.labels |
|
data.head_sha |
target.file.sha256 |
|
data.hook_id |
target.resource.product_object_id |
|
data.job |
target.application |
|
data.operation_type |
additional.fields |
|
data.started_at |
extensions.vulns.vulnerabilities.scan_start_time |
El valor se convierte del formato ISO8601 a una marca de tiempo. |
data.team |
target.group.group_display_name |
|
data.trigger_id |
target.resource.attribute.labels |
|
data.uid |
additional.fields |
|
data.workflow_id |
target.resource.attribute.labels |
|
data.workflow_run_id |
target.resource.attribute.labels |
|
default_new_repo_branch |
additional.fields |
|
default_repo_visibility |
additional.fields |
|
default_repository_permission |
additional.fields |
|
degraded |
additional.fields |
|
dependency_scope |
additional.fields |
|
deployment.environment |
additional.fields |
|
disable_members_can_create_repositories |
additional.fields |
|
disable_members_can_delete_repositories |
additional.fields |
|
disable_user_org_creation |
additional.fields |
|
disk_info |
additional.fields |
|
disk_py_file |
additional.fields |
|
dismiss_stale_reviews_on_push |
additional.fields |
|
dotcom_contributions |
additional.fields |
|
dotcom_user_license_usage_upload |
additional.fields |
|
duration_ms |
additional.fields |
|
ecosystem |
additional.fields |
|
enforcement_level |
additional.fields |
|
enterprise |
principal.resource.attribute.labels |
|
enterprise.name |
additional.fields.value.string_value |
|
environment_name |
target.resource.attribute.labels |
|
error |
additional.fields |
|
external_id |
additional.fields |
|
external_identity_nameid |
target.user.email_addresses |
Si el valor es una dirección de correo electrónico, se agrega al array target.user.email_addresses. |
external_identity_nameid |
target.user.userid |
|
external_identity_username |
additional.fields |
Se asigna a additional.fields cuando no se propaga en target.user.user_display_name. |
external_identity_username |
target.user.user_display_name |
Se asigna cuando se propaga en target.user.user_display_name. |
features |
additional.fields |
|
filtered |
additional.fields |
|
filtered_request_body.query |
additional.fields |
|
fluentbit_pod_name |
additional.fields |
|
fp_sha256 |
additional.fields |
|
frontend |
additional.fields |
|
frontend_pid |
intermediary.process.pid |
|
frontend_ppid |
intermediary.process.parent_process.pid |
|
fs_host |
target.hostname |
|
fsc_ms |
additional.fields |
|
fully_qualified_domain_name |
additional.fields |
|
gh.sdk.name |
additional.fields |
|
gh.sdk.version |
additional.fields |
|
gh.timerd.timer.name |
additional.fields |
|
ghsa_id |
additional.fields |
|
git.maxobjectsize |
additional.fields |
|
git_dir_safe |
target.resource.attribute.labels |
|
github_event_after |
target.resource.attribute.labels |
|
github_event_before |
target.resource.attribute.labels |
|
github_event_compare |
target.resource.attribute.labels |
|
github_event_created |
target.resource.attribute.labels |
|
github_event_deleted |
target.resource.attribute.labels |
|
github_event_forced |
target.resource.attribute.labels |
|
github_event_head_commit_author_email |
target.resource.attribute.labels |
|
github_event_head_commit_author_name |
target.resource.attribute.labels |
|
github_event_head_commit_author_username |
target.resource.attribute.labels |
|
github_event_head_commit_committer_email |
target.resource.attribute.labels |
|
github_event_head_commit_committer_name |
target.resource.attribute.labels |
|
github_event_head_commit_committer_username |
target.resource.attribute.labels |
|
github_event_head_commit_distinct |
target.resource.attribute.labels |
|
github_event_head_commit_msg1 |
target.resource.attribute.labels |
|
github_event_head_commit_timestamp |
target.resource.attribute.labels |
|
github_event_pusher_email |
target.resource.attribute.labels |
|
github_event_pusher_name |
target.resource.attribute.labels |
|
github_event_ref |
target.resource.attribute.labels |
|
github_event_repository_has_projects |
target.resource.attributes.labels |
|
github_event_repository_master_branch |
target.resource.attribute.labels |
|
github_event_repository_organization |
target.resource.attribute.labels |
|
github_event_repository_owner_name |
target.resource.attribute.labels |
|
github_event_repository_stargazers |
target.resource.attribute.labels |
|
github_event_workflow_job_completed_at |
target.resource.attributes.labels |
|
gpv |
additional.fields |
|
handler_code |
additional.fields |
|
hashed_token |
network.session_id |
|
head_branch |
target.resource.attribute.labels |
|
head_sha |
target.file.sha256 |
|
healthy |
additional.fields |
|
hmac |
additional.fields |
|
hook_id |
target.resource.attribute.labels |
|
host.name |
principal.user.attribute.labels |
|
http_version |
network.application_protocol_version |
|
id |
metadata.product_log_id |
|
ignore_approvals_from_contributors |
additional.fields |
|
imode |
additional.fields |
|
imperfect |
additional.fields |
|
InstrumentationScope |
additional.fields |
|
integration_id |
additional.fields |
|
intel.flat |
additional.fields |
|
is_hosted_runner |
target.resource.attribute.labels |
|
issue (todos sus subcampos) |
additional.fields |
|
issue.pull_request (todos sus subcampos) |
additional.fields |
|
job_name |
target.resource.attribute.labels.value |
|
job_workflow_ref |
target.resource.attribute.labels.value |
|
job_workflow_sha |
target.resource.attribute.labels.value |
|
kafka_cluster |
additional.fields |
|
kex |
additional.fields |
|
keytype |
additional.fields |
|
kubernetes.container_image |
principal.resource.attribute.labels |
|
kubernetes.container_name |
principal.resource.attribute.labels |
|
kubernetes.host |
principal.resource.attribute.labels |
|
kubernetes.labels.app |
principal.resource.attribute.labels |
|
kubernetes.labels.chart |
principal.resource.attribute.labels |
|
kubernetes.labels.component |
principal.resource.attribute.labels |
|
kubernetes.labels.heritage |
principal.resource.attribute.labels |
|
kubernetes.labels.pod-template-hash |
principal.resource.attribute.labels |
|
kubernetes.labels.release |
principal.resource.attribute.labels |
|
kubernetes.labels.system |
principal.resource.attribute.labels |
|
kubernetes.namespace_name |
principal.resource.attribute.labels |
|
kubernetes.pod_ip |
principal.ip, principal.asset.ip |
|
kubernetes.pod_name |
principal.resource.attribute.labels |
|
last_state_change_at |
additional.fields |
|
last_state_change_reason |
additional.fields |
|
lat |
principal.location.region_coordinates.latitude |
|
ldap.debug_logging_enabled |
additional.fields |
|
level |
security_result.severity |
|
lfs_auth_scope |
additional.fields |
|
lfs_deploy_key_header |
additional.fields |
|
lfs_verify_reason |
additional.fields |
|
linear_history_requirement_enforcement_level |
additional.fields |
|
lock_allows_fetch_and_merge |
additional.fields |
|
lock_branch_enforcement_level |
additional.fields |
|
log_level |
security_result.severity |
|
log_source |
additional.fields |
|
log_source_file |
target.file.full_path |
|
logData.Count |
additional.fields |
|
logData.Metrics.* |
additional.fields |
El asterisco (*) indica que se incluyen todos los subcampos. |
logType |
additional.fields |
|
lon |
principal.location.region_coordinates.longitude |
|
loop |
additional.fields |
|
matched_policies |
security_result.detection_fields |
|
member |
target.user.attribute.labels |
|
merge_queue_enforcement_level |
additional.fields |
|
method |
additional.fields |
|
multi_repo |
security_result.detection_fields |
|
mysql_component |
additional.fields |
|
mysql_warning_code |
additional.fields |
|
name |
target.resource.attribute.labels |
|
non_integer_id |
additional.fields |
|
ns |
additional.fields |
|
number |
additional.fields |
|
oauth_application |
principal.application |
|
oauth_application_id |
principal.resource.attribute.labels |
|
oauth_party |
additional.fields |
|
offset |
additional.fields |
|
old_permissions |
additional.fields |
|
old_repo_permissions |
additional.fields |
|
org |
target.administrative_domain |
|
org_id |
additional.fields.value.string_value |
|
organization.url |
additional.fields |
|
original_user_agent |
additional.fields |
|
overridden_codes |
additional.fields |
|
owner |
principal.user.user_display_name |
|
owner_id |
principal.user.userid |
|
package |
additional.fields |
|
package_name |
target.application |
|
parent |
additional.fields |
|
parent_installation_id |
additional.fields |
|
partition |
additional.fields |
|
path_info |
additional.fields |
Esta es la asignación cuando la ruta ya se está asignando a target.file.full_path. |
path_info |
target.file.full_path |
Esta es la asignación cuando la ruta aún no se asigna a target.file.full_path. |
pgroup |
additional.fields |
|
pk_ms |
additional.fields |
|
prin_ip |
principal.ip, principal.asset.ip |
|
prin_port |
principal.port |
|
prin_usr |
principal.user.userid |
|
pro_pid |
target.process.pid |
|
probe_fail |
additional.fields |
|
probe_ok |
additional.fields |
|
programmatic_access_type |
additional.fields.value.string_value |
|
pubkey_creator_id |
additional.fields |
|
pubkey_creator_login |
additional.fields |
|
pubkey_fingerprint |
additional.fields |
|
pubkey_id |
additional.fields |
|
pubkey_verifier_id |
additional.fields |
|
pubkey_verifier_login |
additional.fields |
|
public_repo |
additional.fields.value.string_value |
|
public_repo |
target.location.name |
|
publicly_leaked |
security_result.detection_fields |
|
pull_request.* |
additional.fields |
El asterisco (*) indica que se incluyen todos los subcampos. |
pull_request._links.comments.href |
additional.fields |
|
pull_request._links.commits.href |
additional.fields |
|
pull_request._links.html.href |
additional.fields |
|
pull_request._links.issue.href |
additional.fields |
|
pull_request._links.review_comment.href |
additional.fields |
|
pull_request._links.review_comments.href |
additional.fields |
|
pull_request._links.self.href |
additional.fields |
|
pull_request._links.statuses.href |
additional.fields |
|
pull_request.base.* |
additional.fields |
El asterisco (*) indica que se incluyen todos los subcampos. |
pull_request.base.repo.* |
additional.fields |
El asterisco (*) indica que se incluyen todos los subcampos. |
pull_request.base.repo.owner.* |
additional.fields |
El asterisco (*) indica que se incluyen todos los subcampos. |
pull_request.head.* |
additional.fields |
El asterisco (*) indica que se incluyen todos los subcampos. |
pull_request.head.owner.* |
additional.fields |
El asterisco (*) indica que se incluyen todos los subcampos. |
pull_request.head.repo.* |
additional.fields |
El asterisco (*) indica que se incluyen todos los subcampos. |
pull_request.head.user.* |
additional.fields |
El asterisco (*) indica que se incluyen todos los subcampos. |
pull_request.requested_reviewers.* |
additional.fields |
El asterisco (*) indica que se incluyen todos los subcampos. |
pull_request.requested_teams.* |
additional.fields |
El asterisco (*) indica que se incluyen todos los subcampos. |
pull_request.user. (y todos sus subcampos, excepto login) |
principal.user.attribute.labels |
|
pull_request.user.login |
principal.user.user_display_name |
|
pull_request_id |
target.resource.attribute.labels |
|
pull_request_title |
target.resource.attribute.labels |
|
query_string |
additional.fields.value.string_value |
|
queue_duration |
additional.fields |
|
quotas_enabled |
additional.fields |
|
rate_limit |
additional.fields |
|
rate_limit_family |
additional.fields |
|
rate_limit_key |
additional.fields |
|
rate_limit_remaining |
additional.fields.value.string_value |
|
rate_limit_reset |
additional.fields |
|
rate_limit_used |
additional.fields |
|
raw.at |
additional.fields |
|
raw.hashed_token |
network.session_id |
|
raw.token_type |
additional.fields |
|
raw.url |
target.url |
|
raw.user_agent |
network.http.user_agent, network.http.parsed_user_agent |
|
raw_login |
additional.fields |
|
read_only |
additional.fields |
|
readonly |
additional.fields |
|
reasons |
additional.fields |
|
ref |
target.resource.attribute.labels |
|
replicas |
additional.fields |
|
repo |
target.resource.name |
|
repo_id |
additional.fields.value.string_value |
|
repo_owner_login |
target.resource.attribute.labels |
|
repo_owner_type |
target.resource.attribute.labels |
|
repo_public |
additional.fields |
|
repository |
target.resource.attribute.labels |
|
repository.archive_url |
target.resource.attribute.labels |
|
repository.assignees_url |
target.resource.attribute.labels |
|
repository.blobs_url |
target.resource.attribute.labels |
|
repository.branches_url |
target.resource.attribute.labels |
|
repository.clone_url |
target.resource.attribute.labels |
|
repository.collaborators_url |
target.resource.attribute.labels |
|
repository.comments_url |
target.resource.attribute.labels |
|
repository.commits_url |
target.resource.attribute.labels |
|
repository.compare_url |
target.resource.attribute.labels |
|
repository.contents_url |
target.resource.attribute.labels |
|
repository.contributors_url |
target.resource.attribute.labels |
|
repository.created_at |
target.resource.attribute.labels |
|
repository.custom_properties. (y todos sus subcampos) |
target.resource.attribute.labels |
|
repository.deployments_url |
target.resource.attribute.labels |
|
repository.downloads_url |
target.resource.attribute.labels |
|
repository.events_url |
target.resource.attribute.labels |
|
repository.fork |
target.resource.attribute.labels |
|
repository.forks_url |
target.resource.attribute.labels |
|
repository.full_name |
target.resource.attribute.labels |
|
repository.git_commits_url |
target.resource.attribute.labels |
|
repository.git_refs_url |
target.resource.attribute.labels |
|
repository.git_tags_url |
target.resource.attribute.labels |
|
repository.git_url |
target.resource.attribute.labels |
|
repository.homepage |
target.resource.attributes.labels |
|
repository.hooks_url |
target.resource.attribute.labels |
|
repository.html_url |
target.resource.attribute.labels |
|
repository.id |
target.resource.attribute.labels |
|
repository.issue_comment_url |
target.resource.attribute.labels |
|
repository.issue_events_url |
target.resource.attribute.labels |
|
repository.issues_url |
target.resource.attribute.labels |
|
repository.keys_url |
target.resource.attribute.labels |
|
repository.labels_url |
target.resource.attribute.labels |
|
repository.languages_url |
target.resource.attribute.labels |
|
repository.license |
target.resource.attributes.labels |
|
repository.merges_url |
target.resource.attribute.labels |
|
repository.milestones_url |
target.resource.attribute.labels |
|
repository.mirror_url |
target.resource.attributes.labels |
|
repository.name |
target.resource.attribute.labels |
|
repository.node_id |
target.resource.attribute.labels |
|
repository.notifications_url |
target.resource.attribute.labels |
|
repository.open_issues_count |
target.resource.attribute.labels |
|
repository.owner.avatar_url |
target.resource.attribute.labels |
|
repository.owner.events_url |
target.resource.attribute.labels |
|
repository.owner.followers_url |
target.resource.attribute.labels |
|
repository.owner.following_url |
target.resource.attribute.labels |
|
repository.owner.gists_url |
target.resource.attribute.labels |
|
repository.owner.gravatar_id |
target.resource.attribute.labels |
|
repository.owner.html_url |
target.resource.attribute.labels |
|
repository.owner.id |
target.resource.attribute.labels |
|
repository.owner.node_id |
target.resource.attribute.labels |
|
repository.owner.organizations_url |
target.resource.attribute.labels |
|
repository.owner.received_events_url |
target.resource.attribute.labels |
|
repository.owner.repos_url |
target.resource.attribute.labels |
|
repository.owner.site_admin |
target.resource.attribute.labels |
|
repository.owner.starred_url |
target.resource.attribute.labels |
|
repository.owner.subscriptions_url |
target.resource.attribute.labels |
|
repository.owner.type |
target.resource.attribute.labels |
|
repository.owner.url |
target.resource.attribute.labels |
|
repository.owner.user_view_type |
target.resource.attribute.labels |
|
repository.private |
target.resource.attribute.labels |
|
repository.pulls_url |
target.resource.attribute.labels |
|
repository.pushed_at |
target.resource.attribute.labels |
|
repository.releases_url |
target.resource.attribute.labels |
|
repository.size |
target.resource.attribute.labels |
|
repository.ssh_url |
target.resource.attribute.labels |
|
repository.stargazers_url |
target.resource.attribute.labels |
|
repository.statuses_url |
target.resource.attribute.labels |
|
repository.subscribers_url |
target.resource.attribute.labels |
|
repository.subscription_url |
target.resource.attribute.labels |
|
repository.svn_url |
target.resource.attribute.labels |
|
repository.tags_url |
target.resource.attribute.labels |
|
repository.teams_url |
target.resource.attribute.labels |
|
repository.topics |
target.resource.attributes.labels |
|
repository.trees_url |
target.resource.attribute.labels |
|
repository.updated_at |
target.resource.attribute.labels |
|
repository.url |
target.resource.attribute.labels |
|
repository.visibility |
target.resource.attribute.labels |
|
repository_public |
target.resource.attribute.labels |
|
req_content_type |
target.file.mime_type |
|
request_access_security_header |
security_result.detection_fields |
|
request_auth |
additional.fields |
|
request_body |
additional.fields.value.string_value |
|
request_duration |
additional.fields |
|
request_host |
principal.ip, principal.asset.ip |
Cuando hay una dirección IP, la asignación es a principal.ip (se mantiene la asignación existente de principal.hostname). |
request_method |
network.http.method |
El valor se convierte en mayúsculas. |
requested_reviewers.* |
additional.fields |
El asterisco (*) indica que se incluyen todos los subcampos. |
require_code_owner_review |
additional.fields |
|
require_last_push_approval |
additional.fields |
|
required_approving_review_count |
additional.fields |
|
required_deployments_enforcement_level |
additional.fields |
|
required_review_thread_resolution_enforcement_level |
additional.fields |
|
rerun_type |
additional.fields |
|
res_type |
target.resource.resource_subtype |
|
response_time |
additional.fields |
|
review_id |
target.resource.attributes.labels |
|
route |
additional.fields.value.string_value |
|
rpc.jsonrpc.error_code |
network.http.response_code |
|
rpc.jsonrpc.error_message |
security_result.summary |
|
rule_suite_id |
security_result.rule_id |
|
run_attempt |
additional.fields |
|
run_number |
additional.fields |
|
runner_labels |
target.resource.attribute.labels |
|
runner_owner_type |
target.resource.attribute.labels |
|
runner_tenant_id |
target.resource.attribute.labels |
|
s3_tag |
additional.fields |
|
secret_type |
security_result.detection_fields |
|
secret_types |
security_result.detection_fields |
|
secrets_passed |
security_result.detection_fields |
|
sender.id |
src.user.product_object_id |
|
sender.login |
src.user.user_display_name |
|
sender.node_id |
src.asset_id |
|
sender.type |
src.user.title |
|
sender.url |
src.url |
|
service |
target.resource.name |
|
service.version |
additional.fields |
|
serviceName |
target.resource.name |
|
severity (si es alta) |
security_result.severity |
|
SeverityText |
security_result.severity |
|
shallow |
additional.fields |
|
sign_in_verification_method |
security_result.detection_fields |
|
signature_requirement_enforcement_level |
additional.fields |
|
sigtype |
additional.fields |
|
source |
src.resource.name |
|
spec |
additional.fields |
|
sr |
additional.fields |
|
ss |
additional.fields |
|
started_at |
vulns.vulnerabilities.scan_start_time |
|
stateless |
additional.fields |
|
status_code |
network.http.response_code |
|
strict_required_status_checks_policy |
additional.fields |
|
subject.business.id |
target.resource.attribute.labels |
|
subject.owner.id |
additional.fields |
|
subject.owning_organization.id |
principal.group.product_object_id |
|
subject.repository.id |
target.resource.product_object_id |
|
subject.repository.internal |
target.resource.attribute.labels |
|
subject.repository.owner.id |
additional.fields |
|
subject.repository.public |
target.resource.attribute.labels |
|
subject.repository.writable |
target.resource.attribute.labels |
|
subject.type |
target.resource.attribute.labels |
|
synthetic_status |
additional.fields |
|
tar_application |
target.application |
|
telemetry.sdk.name |
additional.fields |
|
tenant_id |
target.resource.attribute.labels |
|
tid |
additional.fields |
|
time |
metadata.event_timestamp |
|
time_duration_ms |
additional.fields |
|
time_zone |
additional.fields |
|
timestamp |
metadata.event_timestamp |
|
tls_version |
network.tls.version |
|
token_id |
additional.fields.value.string_value |
|
token_scopes |
additional.fields.value.string_value |
|
topic |
additional.fields |
|
total |
additional.fields |
|
transport_protocol |
additional.fields |
|
transport_protocol_name |
network.application_protocol |
El valor se convierte en mayúsculas. |
ts |
metadata.event_timestamp |
Cuando process_type es github_production |
TTY |
additional.fields |
|
twirp_method |
additional.fields |
|
twirp_package |
additional.fields |
|
twirp_service |
additional.fields |
|
twirp_status |
network.http.response_code |
|
two_factor_type |
security_result.detection_fields |
|
type |
additional.fields |
|
unavailable |
additional.fields |
|
updated_at |
metadata.collected_timestamp |
|
url_path |
target.url |
|
usage_metrics |
additional.fields |
|
user |
target.user.userid |
|
user.id |
target.user.attr.labels |
Cuando actor.id está presente. |
user.id |
target.user.userid |
Cuando actor.id no está presente. |
user_agent |
network.http.parsed_user_agent |
Se analiza el valor. |
user_agent |
network.http.user_agent |
|
user_id |
target.user.userid |
|
user_operator_mode |
additional.fields |
|
user_programmatic_access_id |
additional.fields |
|
user_renaming_enabled |
additional.fields |
|
user_spammy |
additional.fields |
|
version |
metadata.product_version |
Esta asignación incluye registros JSON. |
visibility |
additional.fields |
|
vk_ms |
additional.fields |
|
vulnerability_id |
additional.fields |
|
vulnerable_version_range_id |
additional.fields |
|
workflow |
target.resource.attributes.labels |
|
workflow.name |
target.resource.attribute.labels |
|
workflow_id |
target.resource.attribute.labels |
|
workflow_job.head_branch |
security_result.detection_fields |
|
workflow_job.name |
target.resource.attributes.labels |
|
workflow_job.workflow_name |
security_result.detection_fields |
|
workflow_run.actor. (y todos sus subcampos, excepto el campo login, que se incluye en cada subcampo) |
principal.user.attribute.labels |
|
workflow_run.actor.login |
principal.user.userid |
|
workflow_run.artifacts_url |
target.resource.attributes.labels |
|
workflow_run.cancel_url |
target.resource.attributes.labels |
|
workflow_run.check_suite_id |
additional.fields |
|
workflow_run.check_suite_node_id |
additional.fields |
|
workflow_run.check_suite_url |
target.resource.attributes.labels |
|
workflow_run.conclusion |
target.resource.attribute.labels |
|
workflow_run.created_at |
metadata.event_timestamp |
|
workflow_run.display_title |
target.resource.attribute.labels |
|
workflow_run.event |
additional.fields.value.string_value |
|
workflow_run.event |
target.resource.attribute.labels |
|
workflow_run.head_branch |
target.resource.attribute.labels |
|
workflow_run.head_commit |
target.resource.attributes.labels |
|
workflow_run.head_repository |
additional.fields |
|
workflow_run.head_sha |
target.file.sha256 |
|
workflow_run.html_url |
target.resource.attribute.labels |
|
workflow_run.id |
target.resource.attribute.labels.value |
|
workflow_run.jobs_url |
target.resource.attributes.labels |
|
workflow_run.logs_url |
target.resource.attributes.labels |
|
workflow_run.name |
target.resource.name |
|
workflow_run.node_id |
target.resource.product_object_id |
|
workflow_run.path |
target.resource.attribute.labels |
|
workflow_run.previous_attempt_url |
target.resource.attributes.labels |
|
workflow_run.pull_requests |
about.resource.attribute.labels |
|
workflow_run.repository |
additional.fields |
|
workflow_run.rerun_url |
target.resource.attributes.labels |
|
workflow_run.run_attempt |
target.resource.attribute.labels |
|
workflow_run.run_number |
target.resource.attribute.labels |
|
workflow_run.run_started_at |
target.resource.attribute.labels |
|
workflow_run.status |
security_result.description |
|
workflow_run.triggering_actor |
additional.fields |
|
workflow_run.updated_at |
metadata.collected_timestamp |
|
workflow_run.url |
target.url |
|
workflow_run.workflow_id |
security_result.about.labels.value |
|
workflow_run.workflow_id |
target.resource.attribute.labels |
|
workflow_run.workflow_url |
target.resource.attributes.labels |
Referencia de deltas de versiones
El 8 de enero de 2026, Google SecOps lanzó una nueva versión del analizador de GitHub, que incluye cambios significativos.
Delta de asignación de campos de registro
En la siguiente tabla, se muestra el delta de asignación para los campos de registro de GitHub a UDM expuestos antes del 8 de enero de 2026 y posteriormente (se enumeran en las columnas Asignación anterior y Asignación actual, respectivamente):
| Campo de registro | Asignación anterior | Asignación actual |
|---|---|---|
action (para registros JSON) |
metadata.product_event_type, security_result.summary,security_result.detection_fields |
metadata.product_event_type |
action (para registros de syslog) |
additional.fields, security_result.summary |
security_result.summary |
business |
additional.fields, target.user.company_name |
additional.fields |
business_id |
target.resource.attribute.labels |
additional.fields |
data.email |
target.email |
target.user.email_addresses |
data.event |
security_result.about.labels |
target.resource.attribute.labels |
data.head_branch |
security_result.about.labels |
target.resource.attribute.labels |
data.hook_id |
target.resource.attribute.labels |
target.resource.product_object_id |
data.team |
target.user.group_identifiers |
target.group.group_display_name |
data.trigger_id |
security_result.about.labels |
target.resource.attribute.labels |
data.workflow_id |
security_result.about.labels |
target.resource.attribute.labels |
data.workflow_run_id |
security_result.about.labels |
target.resource.attribute.labels |
hashed_token |
additional.fields |
network.session_id |
hook_id (para registros JSON) |
additional.fields |
target.resource.attribute.labels |
name |
additional.fields |
target.resource.attribute.labels |
oauth_application_id |
additional.fields |
principal.resource.attribute.labels |
pull_request_id |
additional.fields |
target.resource.attribute.labels |
pull_request_title |
additional.fields |
target.resource.attribute.labels |
repository.archive_url |
additional.fields |
target.resource.attribute.labels |
repository.assignees_url |
additional.fields |
target.resource.attribute.labels |
repository.blobs_url |
additional.fields |
target.resource.attribute.labels |
repository.branches_url |
additional.fields |
target.resource.attribute.labels |
repository.clone_url |
additional.fields |
target.resource.attribute.labels |
repository.collaborators_url |
additional.fields |
target.resource.attribute.labels |
repository.comments_url |
additional.fields |
target.resource.attribute.labels |
repository.commits_url |
additional.fields |
target.resource.attribute.labels |
repository.compare_url |
additional.fields |
target.resource.attribute.labels |
repository.contents_url |
additional.fields |
target.resource.attribute.labels |
repository.contributors_url |
additional.fields |
target.resource.attribute.labels |
repository.created_at |
additional.fields |
target.resource.attribute.labels |
repository.deployments_url |
additional.fields |
target.resource.attribute.labels |
repository.downloads_url |
additional.fields |
target.resource.attribute.labels |
repository.events_url |
additional.fields |
target.resource.attribute.labels |
repository.fork |
additional.fields |
target.resource.attribute.labels |
repository.forks_url |
additional.fields |
target.resource.attribute.labels |
repository.full_name |
additional.fields |
target.resource.attribute.labels |
repository.git_commits_url |
additional.fields |
target.resource.attribute.labels |
repository.git_refs_url |
additional.fields |
target.resource.attribute.labels |
repository.git_tags_url |
additional.fields |
target.resource.attribute.labels |
repository.git_url |
additional.fields |
target.resource.attribute.labels |
repository.hooks_url |
additional.fields |
target.resource.attribute.labels |
repository.html_url |
additional.fields |
target.resource.attribute.labels |
repository.id |
additional |
target.resource.attribute.labels |
repository.issue_comment_url |
additional.fields |
target.resource.attribute.labels |
repository.issue_events_url |
additional.fields |
target.resource.attribute.labels |
repository.issues_url |
additional.fields |
target.resource.attribute.labels |
repository.keys_url |
additional.fields |
target.resource.attribute.labels |
repository.labels_url |
additional.fields |
target.resource.attribute.labels |
repository.languages_url |
additional.fields |
target.resource.attribute.labels |
repository.merges_url |
additional.fields |
target.resource.attribute.labels |
repository.milestones_url |
additional.fields |
target.resource.attribute.labels |
repository.name |
additional.fields |
target.resource.attribute.labels |
repository.node_id |
additional.fields |
target.resource.attribute.labels |
repository.notifications_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.avatar_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.events_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.followers_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.following_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.gists_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.gravatar_id |
additional.fields |
target.resource.attribute.labels |
repository.owner.html_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.id |
additional.fields |
target.resource.attribute.labels |
repository.owner.node_id |
additional.fields |
target.resource.attribute.labels |
repository.owner.organizations_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.received_events_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.repos_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.site_admin |
additional.fields |
target.resource.attribute.labels |
repository.owner.starred_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.subscriptions_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.type |
additional.fields |
target.resource.attribute.labels |
repository.owner.url |
additional.fields |
target.resource.attribute.labels |
repository.owner.user_view_type |
additional.fields |
target.resource.attribute.labels |
repository.private |
additional.fields |
target.resource.attribute.labels |
repository.pulls_url |
additional.fields |
target.resource.attribute.labels |
repository.pushed_at |
additional.fields |
target.resource.attribute.labels |
repository.releases_url |
additional.fields |
target.resource.attribute.labels |
repository.size |
additional.fields |
target.resource.attribute.labels |
repository.ssh_url |
additional.fields |
target.resource.attribute.labels |
repository.stargazers_url |
additional.fields |
target.resource.attribute.labels |
repository.statuses_url |
additional.fields |
target.resource.attribute.labels |
repository.subscribers_url |
additional.fields |
target.resource.attribute.labels |
repository.subscription_url |
additional.fields |
target.resource.attribute.labels |
repository.svn_url |
additional.fields |
target.resource.attribute.labels |
repository.tags_url |
additional.fields |
target.resource.attribute.labels |
repository.teams_url |
additional.fields |
target.resource.attribute.labels |
repository.trees_url |
additional.fields |
target.resource.attribute.labels |
repository.updated_at |
additional.fields |
target.resource.attribute.labels |
repository.url |
additional.fields |
target.resource.attribute.labels |
repository.visibility |
additional.fields |
target.resource.attribute.labels |
repository_public |
additional.fields |
target.resource.attribute.labels |
res_type |
target.resource.type |
target.resource.resource_subtype |
sender.id |
src.user.product_object_id, additional.fields |
src.user.product_object_id |
sender.login |
additional.fields, src.user.user_display_name |
src.user.user_display_name |
sender.node_id |
src.asset_id, additional.fields |
src.asset_id |
sender.type |
src.user.title, additional.fields |
src.user.title |
sender.url |
src.url, additional.fields |
src.url |
workflow.name |
security_result.about.labels |
target.resource.attribute.labels |
workflow_job.head_branch |
security_result.about.labels |
security_result.detection_fields |
workflow_job.workflow_name |
security_result.about.labels |
security_result.detection_fields |
workflow_run.event |
additional.fields |
target.resource.attribute.labels |
workflow_run.head_branch |
security_result.about.labels |
target.resource.attribute.labels |
workflow_run.workflow_id |
security_result.about.labels |
target.resource.attribute.labels |
Delta de las condiciones del tipo de evento
Las condiciones que determinan los tipos de eventos de Google SecOps cambiaron en la versión del 8 de enero de 2026.
En la siguiente tabla, se enumeran los tipos de eventos y las condiciones actuales (es decir, las condiciones eran diferentes antes del lanzamiento del 8 de enero de 2026):
| event_type | Condiciones |
|---|---|
NETWORK_CONNECTION |
[has_target] == "true" && [has_principal] == "true" |
STATUS_UPDATE |
[has_principal] == "true" |
USER_RESOURCE_DELETION |
[has_target_resource] == "true" && [has_principal_user] == "true" && [action] in ["hook.destroy" ,"protected_branch.destroy" ,"public_key.delete"] |
USER_RESOURCE_UPDATE_CONTENT |
[has_target_resource] == "true" && [has_principal_userid] == "true" && [action] in [ "pull_request.merge" , "hook.events_changed"] |
USER_RESOURCE_UPDATE_PERMISSIONS |
[has_target_resource] == "true" && [has_principal_userid] == "true" && [action] in ["repo.update_actions_secret","protected_branch.update_pull_request_reviews_enforcement_level", "org.update_member" ,"protected_branch.update_admin_enforced" ,"protected_branch.update_required_status_checks_enforcement_level","org.integration_manager_removed" ,"repo.update_member", "repo.add_member"] |
Delta de asignación de teclas
En la siguiente tabla, se muestra el delta de asignación para las claves en los campos de registro sin procesar y las claves en los campos del UDM expuestos antes del 8 de enero de 2026 y posteriormente (se enumeran en las columnas Clave anterior y Clave actual, respectivamente):
| Clave en el registro sin procesar | Clave anterior | Llave actual |
|---|---|---|
alert.secret_type_display_name |
secret_type_display_name |
alert_secret_type_display_name |
enterprise.name |
Enterprise Name |
enterprise_name |
hook_id |
Hook Id |
Hook_Id |
invitation.failed_at |
failed_at |
invitation_failed_at |
invitation.failed_reason |
failed_reason |
invitation_failed_reason |
invitation.invitation_source |
invitation_source |
invitation_invitation_source |
raw.failure_reason |
failure_reason |
raw_failure_reason |
raw.failure_type |
failure_type |
raw_failure_type |
raw.from |
from |
raw_from |
workflow_run.event |
event |
workflow_run_event |
workflow_run.head_branch |
Head Branch |
Head_Branch |
workflow_run.id |
workflow_run_id |
workflow_Run_id |
workflow_run.workflow_id |
Workflow Id |
Workflow_Id |
¿Necesitas más ayuda? Obtén respuestas de miembros de la comunidad y profesionales de Google SecOps.