Recolha registos de auditoria do GitHub
Suportado em:
Google secops
SIEM
Este documento explica como carregar registos de auditoria do GitHub para o Google Security Operations através do Amazon S3. O analisador tenta extrair dados do campo "message" usando vários padrões grok, processando formatos JSON e não JSON. Com base no "process_type" extraído, aplica uma lógica de análise específica através de grok, kv e outros filtros para mapear os dados de registo não processados no esquema do modelo de dados unificado (UDM).
Antes de começar
Certifique-se de que cumpre os seguintes pré-requisitos:
- Instância do Google SecOps.
- Acesso privilegiado ao inquilino do GitHub Enterprise Cloud com permissões de proprietário da empresa.
- Acesso privilegiado à AWS (S3, IAM).
Recolha os pré-requisitos do GitHub Enterprise Cloud (acesso empresarial)
- Inicie sessão na consola do administrador do GitHub Enterprise Cloud.
- Aceda a Definições empresariais > Definições > Registo de auditoria > Streaming de registos.
- Certifique-se de que tem autorizações de proprietário empresarial para configurar o streaming de registos de auditoria.
- Copie e guarde numa localização segura os seguintes detalhes:
- Nome da empresa do GitHub
- Nomes das organizações na empresa
Configure o contentor do AWS S3 e a gestão de identidade e de acesso para o Google SecOps
- Crie um contentor do Amazon S3 seguindo este manual do utilizador: Criar um contentor
- Guarde o nome e a região do contentor para referência futura (por exemplo,
github-audit-logs). - Crie um utilizador seguindo este guia do utilizador: criar um utilizador do IAM.
- Selecione o utilizador criado.
- Selecione o separador Credenciais de segurança.
- Clique em Criar chave de acesso na secção Chaves de acesso.
- Selecione Serviço de terceiros como Exemplo de utilização.
- Clicar em Seguinte.
- Opcional: adicione uma etiqueta de descrição.
- Clique em Criar chave de acesso.
- Clique em Transferir ficheiro .CSV para guardar a chave de acesso e a chave de acesso secreta para referência futura.
- Clique em Concluído.
Configure a política IAM para o streaming do GitHub S3
- Na consola da AWS, aceda a IAM > Políticas > Criar política > separador JSON.
- Copie e cole a seguinte política.
JSON da política (substitua
github-audit-logsse tiver introduzido um nome de contentor diferente):{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowPutObjects", "Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::github-audit-logs/*" } ] }Clique em Seguinte > Criar política.
Dê um nome à política
GitHubAuditStreamingPolicye clique em Criar política.Volte ao utilizador do IAM criado anteriormente.
Selecione o separador Autorizações.
Clique em Adicionar autorizações > Anexar políticas diretamente.
Pesquise e selecione
GitHubAuditStreamingPolicy.Clique em Seguinte > Adicionar autorizações.
Configure o streaming do registo de auditoria do GitHub Enterprise Cloud
- Inicie sessão no GitHub Enterprise Cloud como proprietário da empresa.
- Clique na sua foto do perfil e, de seguida, em Definições empresariais.
- Na barra lateral da conta empresarial, clique em Definições > Registo de auditoria > Streaming de registos.
- Selecione Configurar stream e clique em Amazon S3.
- Em Autenticação, clique em Chaves de acesso.
- Forneça os seguintes detalhes de configuração:
- Região: selecione a região do contentor (por exemplo,
us-east-1). - Segmento: escreva o nome do segmento para o qual quer fazer streaming (por exemplo,
github-audit-logs). - ID da chave de acesso: introduza o ID da chave de acesso do utilizador do IAM.
- Chave secreta: introduza a chave secreta do utilizador do IAM.
- Região: selecione a região do contentor (por exemplo,
- Clique em Verificar ponto final para verificar se o GitHub consegue estabelecer ligação e escrever no ponto final do Amazon S3.
- Depois de validar o ponto final com êxito, clique em Guardar.
Crie um utilizador e chaves da IAM só de leitura para o Google SecOps
- Aceda a AWS Console > IAM > Users > Add users.
- Clique em Adicionar utilizadores.
- Forneça os seguintes detalhes de configuração:
- Utilizador: introduza
secops-reader. - Tipo de acesso: selecione Chave de acesso – Acesso programático.
- Utilizador: introduza
- Clique em Criar utilizador.
- Anexe a política de leitura mínima (personalizada): Users > secops-reader > Permissions > Add permissions > Attach policies directly > Create policy.
JSON:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::github-audit-logs/*" }, { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::github-audit-logs" } ] }Nome =
secops-reader-policy.Clique em Criar política > procure/selecione > Seguinte > Adicionar autorizações.
Crie uma chave de acesso para
secops-reader: Credenciais de segurança > Chaves de acesso > Criar chave de acesso > transfira o ficheiro.CSV(vai colar estes valores no feed).
Configure um feed no Google SecOps para carregar registos do GitHub
- Aceda a Definições do SIEM > Feeds.
- Clique em + Adicionar novo feed.
- No campo Nome do feed, introduza um nome para o feed (por exemplo,
GitHub audit logs). - Selecione Amazon S3 V2 como o Tipo de origem.
- Selecione GitHub como o Tipo de registo.
- Clicar em Seguinte.
- Especifique valores para os seguintes parâmetros de entrada:
- URI do S3:
s3://github-audit-logs/ - Opções de eliminação de origens: selecione a opção de eliminação de acordo com a sua preferência.
- Idade máxima do ficheiro: inclua ficheiros modificados no último número de dias. A predefinição é 180 dias.
- ID da chave de acesso: chave de acesso do utilizador com acesso ao contentor do S3.
- Chave de acesso secreta: chave secreta do utilizador com acesso ao contentor do S3.
- Espaço de nomes do recurso: o espaço de nomes do recurso.
- Etiquetas de carregamento: a etiqueta aplicada aos eventos deste feed.
- URI do S3:
- Clicar em Seguinte.
- Reveja a nova configuração do feed no ecrã Finalizar e, de seguida, clique em Enviar.
Tipos de eventos
A tabela seguinte lista os tipos de eventos e as condições para os tipos de eventos:
| event_type | Condições |
|---|---|
NETWORK_CONNECTION |
[has_target] == "true" && [has_principal] == "true" |
PROCESS_LAUNCH |
[has_principal] == "true" && [has_target_process] == "true" |
STATUS_UPDATE |
[has_principal] == "true" |
USER_LOGIN |
[raw][message] =~ "Authentication success" or [message] =~ "Authentication success" && ([has_target]== "true" || [has_target_user] == "true") |
USER_RESOURCE_CREATION |
[has_target_resource] == "true" && [has_principal_userid] == "true" && [action] in ["personal_access_token.create" ,"repository_vulnerability_alert.create"] |
USER_RESOURCE_DELETION |
[has_target_resource] == "true" && [has_principal_user] == "true" && [action] in ["hook.destroy" ,"protected_branch.destroy" ,"public_key.delete"] |
USER_RESOURCE_DELETION |
[has_target_resource] == "true" && [has_principal_userid] == "true" && [action] in [ "hook.destroy" ,"protected_branch.destroy" ,"public_key.delete"] |
USER_RESOURCE_UPDATE_CONTENT |
[has_target_resource] == "true" && [has_principal_userid] == "true" && [action] in [ "pull_request.merge" , "hook.events_changed"] |
USER_RESOURCE_UPDATE_PERMISSIONS |
[has_target_resource] == "true" && [has_principal_userid] == "true" && [action] in ["repo.update_actions_secret","protected_branch.update_pull_request_reviews_enforcement_level", "org.update_member" ,"protected_branch.update_admin_enforced" ,"protected_branch.update_required_status_checks_enforcement_level","org.integration_manager_removed" ,"repo.update_member", "repo.add_member"] |
USER_UNCATEGORIZED |
[has_principal_userid] == "true" |
Tabela de mapeamento da UDM
| Campo de registo | Mapeamento do UDM | Observações |
|---|---|---|
above_lock_quota |
additional.fields |
|
above_warn_quota |
additional.fields |
|
ac_ms |
additional.fields |
|
accept |
additional.fields |
|
action |
metadata.product_event_type |
Para registos JSON. |
action |
security_result.summary |
Para registos Syslog. |
active |
target.resource.attribute.labels |
|
active_job_id |
additional.fields |
|
actor |
principal.user.userid |
|
actor_id |
principal.user.attribute.labels.value |
|
actor_ip |
principal.ip |
|
actor_is_agent |
additional.fields |
|
actor_is_bot |
principal.user.attribute.labels |
|
actor_location.country_code |
principal.location.country_or_region |
|
actor_session |
additional.fields |
|
additional_list |
additional.fields |
|
additional_string |
additional.fields |
|
after |
additional.fields |
|
alert_id |
security_result.detection_fields |
|
alert_number |
security_result.detection_fields |
|
alert_numbers |
additional.fields |
|
allow_deletions_enforcement_level |
additional.fields |
|
allow_force_pushes_enforcement_level |
additional.fields |
|
allow_private_repository_forking |
additional.fields |
|
application_name |
target.application |
|
aqueduct_job_id |
additional.fields |
|
auth_tries |
additional.fields |
|
babeld |
additional.fields |
|
banner |
additional.fields |
|
before |
additional.fields |
|
best_cipher |
additional.fields |
|
best_kex |
additional.fields |
|
best_mac |
additional.fields |
|
best_sigtype |
additional.fields |
|
Body |
security_result.description |
|
branch |
target.resource.attribute.labels |
|
branches |
target.resource.attribute.labels |
|
business |
additional.fields |
|
business_id |
additional.fields |
|
cactive |
additional.fields |
|
calling_workflow_refs |
target.resource.attribute.labels |
|
calling_workflow_shas |
target.resource.attribute.labels |
|
changes.body.from |
additional.fields |
|
charset |
additional.fields |
|
check_run.app |
additional.fields |
|
check_run.app.events |
additional.fields |
|
check_run.app.owner |
additional.fields |
|
check_run.check_suite.app.client_id |
additional.fields |
|
check_run.check_suite.app.created_at |
additional.fields |
|
check_run.check_suite.app.description |
additional.fields |
|
check_run.check_suite.app.events |
additional.fields |
|
check_run.check_suite.app.external_url |
additional.fields |
|
check_run.check_suite.app.html_url |
additional.fields |
|
check_run.check_suite.app.id |
additional.fields |
|
check_run.check_suite.app.name |
additional.fields |
|
check_run.check_suite.app.node_id |
additional.fields |
|
check_run.check_suite.app.slug |
additional.fields |
|
check_run.check_suite.app.updated_at |
additional.fields |
|
check_run.check_suite.conclusion |
additional.fields |
|
check_run.check_suite.id |
additional.fields |
|
check_run.check_suite.url |
additional.fields |
|
check_run.completed_at |
additional.fields |
|
check_run.conclusion |
additional.fields |
|
check_run.output |
additional.fields |
|
check_run.started_at |
additional.fields |
|
check_suite (todos os respetivos subcampos) |
additional.fields |
|
check_suite.app (todos os respetivos subcampos) |
additional.fields |
|
check_suite.app.events |
additional.fields |
|
check_suite.app.owner (todos os respetivos subcampos) |
additional.fields |
|
check_suite.head_commit (todos os respetivos subcampos) |
additional.fields |
|
cid |
additional.fields |
|
cipher |
network.tls.cipher |
|
client_id |
principal.user.attribute.labels |
|
cloning |
additional.fields |
|
code |
additional.fields |
|
CodeNamespace |
additional.fields |
|
comment (todos os respetivos subcampos) |
additional.fields |
|
comment.performed_via_github_app (todos os respetivos subcampos) |
additional.fields |
|
comment.performed_via_github_app.events |
additional.fields |
|
comment.reactions (todos os respetivos subcampos) |
additional.fields |
|
commit.author |
principal.resource.attribute.labels |
|
commit.commit.author.date |
additional.fields |
|
commit.commit.author.email |
additional.fields |
|
commit.commit.author.name |
additional.fields |
|
commit.commit.tree.url |
additional.fields |
|
commit.commit.verification |
additional.fields |
|
commit.committer |
additional.fields |
|
commit.parents |
additional.fields |
|
commit.sha |
additional.fields |
|
commit.url |
additional.fields |
|
commit_oid |
additional.fields |
|
committer_date |
additional.fields |
|
completed_at |
vulns.vulnerabilities.scan_end_time |
|
config.content_typt |
target.resource.attribute.labels |
|
config.insecure_ssl |
target.resource.attribute.labels |
|
config.secret |
target.resource.attribute.labels |
|
config.url |
target.url |
|
considers.site.admin |
additional.fields |
|
content_type |
target.file.mime_type |
|
cr |
additional.fields |
|
create_protected |
additional.fields |
|
created_at |
metadata.event_timestamp |
O valor é convertido de milissegundos UNIX numa indicação de tempo. |
credential |
detection_fields |
|
ctotal |
additional.fields |
|
data._document_id |
metadata.product_log_id |
|
data.active_job_id |
additional.fields |
|
data.aqueduct_job_id |
additional.fields |
|
data.business |
target.administrative_domain |
|
data.business_id |
additional.fields |
|
data.cancelled_at |
extensions.vulns.vulnerabilities.scan_end_time |
O valor é convertido do formato ISO8601 para uma indicação de tempo. |
data.category_type |
security_result.category_details |
|
data.dn |
additional.fields |
|
data.email |
target.user.email_addresses |
|
data.entry_found |
additional.fields |
|
data.event |
target.resource.attribute.labels |
|
data.events |
security_result.about.labels.value |
|
data.head_branch |
target.resource.attribute.labels |
|
data.head_sha |
target.file.sha256 |
|
data.hook_id |
target.resource.product_object_id |
|
data.job |
target.application |
|
data.operation_type |
additional.fields |
|
data.started_at |
extensions.vulns.vulnerabilities.scan_start_time |
O valor é convertido do formato ISO8601 para uma indicação de tempo. |
data.team |
target.group.group_display_name |
|
data.trigger_id |
target.resource.attribute.labels |
|
data.uid |
additional.fields |
|
data.workflow_id |
target.resource.attribute.labels |
|
data.workflow_run_id |
target.resource.attribute.labels |
|
default_new_repo_branch |
additional.fields |
|
default_repo_visibility |
additional.fields |
|
default_repository_permission |
additional.fields |
|
degraded |
additional.fields |
|
dependency_scope |
additional.fields |
|
deployment.environment |
additional.fields |
|
disable_members_can_create_repositories |
additional.fields |
|
disable_members_can_delete_repositories |
additional.fields |
|
disable_user_org_creation |
additional.fields |
|
disk_info |
additional.fields |
|
disk_py_file |
additional.fields |
|
dismiss_stale_reviews_on_push |
additional.fields |
|
dotcom_contributions |
additional.fields |
|
dotcom_user_license_usage_upload |
additional.fields |
|
duration_ms |
additional.fields |
|
ecosystem |
additional.fields |
|
enforcement_level |
additional.fields |
|
enterprise |
principal.resource.attribute.labels |
|
enterprise.name |
additional.fields.value.string_value |
|
environment_name |
target.resource.attribute.labels |
|
error |
additional.fields |
|
external_id |
additional.fields |
|
external_identity_nameid |
target.user.email_addresses |
Se o valor for um endereço de email, é adicionado à matriz target.user.email_addresses. |
external_identity_nameid |
target.user.userid |
|
external_identity_username |
additional.fields |
Mapeado para additional.fields quando não está preenchido em target.user.user_display_name. |
external_identity_username |
target.user.user_display_name |
Mapeado quando é preenchido em target.user.user_display_name. |
features |
additional.fields |
|
filtered |
additional.fields |
|
filtered_request_body.query |
additional.fields |
|
fluentbit_pod_name |
additional.fields |
|
fp_sha256 |
additional.fields |
|
frontend |
additional.fields |
|
frontend_pid |
intermediary.process.pid |
|
frontend_ppid |
intermediary.process.parent_process.pid |
|
fs_host |
target.hostname |
|
fsc_ms |
additional.fields |
|
fully_qualified_domain_name |
additional.fields |
|
gh.sdk.name |
additional.fields |
|
gh.sdk.version |
additional.fields |
|
gh.timerd.timer.name |
additional.fields |
|
ghsa_id |
additional.fields |
|
git.maxobjectsize |
additional.fields |
|
git_dir_safe |
target.resource.attribute.labels |
|
github_event_after |
target.resource.attribute.labels |
|
github_event_before |
target.resource.attribute.labels |
|
github_event_compare |
target.resource.attribute.labels |
|
github_event_created |
target.resource.attribute.labels |
|
github_event_deleted |
target.resource.attribute.labels |
|
github_event_forced |
target.resource.attribute.labels |
|
github_event_head_commit_author_email |
target.resource.attribute.labels |
|
github_event_head_commit_author_name |
target.resource.attribute.labels |
|
github_event_head_commit_author_username |
target.resource.attribute.labels |
|
github_event_head_commit_committer_email |
target.resource.attribute.labels |
|
github_event_head_commit_committer_name |
target.resource.attribute.labels |
|
github_event_head_commit_committer_username |
target.resource.attribute.labels |
|
github_event_head_commit_distinct |
target.resource.attribute.labels |
|
github_event_head_commit_msg1 |
target.resource.attribute.labels |
|
github_event_head_commit_timestamp |
target.resource.attribute.labels |
|
github_event_pusher_email |
target.resource.attribute.labels |
|
github_event_pusher_name |
target.resource.attribute.labels |
|
github_event_ref |
target.resource.attribute.labels |
|
github_event_repository_has_projects |
target.resource.attributes.labels |
|
github_event_repository_master_branch |
target.resource.attribute.labels |
|
github_event_repository_organization |
target.resource.attribute.labels |
|
github_event_repository_owner_name |
target.resource.attribute.labels |
|
github_event_repository_stargazers |
target.resource.attribute.labels |
|
github_event_workflow_job_completed_at |
target.resource.attributes.labels |
|
gpv |
additional.fields |
|
handler_code |
additional.fields |
|
hashed_token |
network.session_id |
|
head_branch |
target.resource.attribute.labels |
|
head_sha |
target.file.sha256 |
|
healthy |
additional.fields |
|
hmac |
additional.fields |
|
hook_id |
target.resource.attribute.labels |
|
host.name |
principal.user.attribute.labels |
|
http_version |
network.application_protocol_version |
|
id |
metadata.product_log_id |
|
ignore_approvals_from_contributors |
additional.fields |
|
imode |
additional.fields |
|
imperfect |
additional.fields |
|
InstrumentationScope |
additional.fields |
|
integration_id |
additional.fields |
|
intel.flat |
additional.fields |
|
is_hosted_runner |
target.resource.attribute.labels |
|
issue (todos os respetivos subcampos) |
additional.fields |
|
issue.pull_request (todos os respetivos subcampos) |
additional.fields |
|
job_name |
target.resource.attribute.labels.value |
|
job_workflow_ref |
target.resource.attribute.labels.value |
|
job_workflow_sha |
target.resource.attribute.labels.value |
|
kafka_cluster |
additional.fields |
|
kex |
additional.fields |
|
keytype |
additional.fields |
|
kubernetes.container_image |
principal.resource.attribute.labels |
|
kubernetes.container_name |
principal.resource.attribute.labels |
|
kubernetes.host |
principal.resource.attribute.labels |
|
kubernetes.labels.app |
principal.resource.attribute.labels |
|
kubernetes.labels.chart |
principal.resource.attribute.labels |
|
kubernetes.labels.component |
principal.resource.attribute.labels |
|
kubernetes.labels.heritage |
principal.resource.attribute.labels |
|
kubernetes.labels.pod-template-hash |
principal.resource.attribute.labels |
|
kubernetes.labels.release |
principal.resource.attribute.labels |
|
kubernetes.labels.system |
principal.resource.attribute.labels |
|
kubernetes.namespace_name |
principal.resource.attribute.labels |
|
kubernetes.pod_ip |
principal.ip, principal.asset.ip |
|
kubernetes.pod_name |
principal.resource.attribute.labels |
|
last_state_change_at |
additional.fields |
|
last_state_change_reason |
additional.fields |
|
lat |
principal.location.region_coordinates.latitude |
|
ldap.debug_logging_enabled |
additional.fields |
|
level |
security_result.severity |
|
lfs_auth_scope |
additional.fields |
|
lfs_deploy_key_header |
additional.fields |
|
lfs_verify_reason |
additional.fields |
|
linear_history_requirement_enforcement_level |
additional.fields |
|
lock_allows_fetch_and_merge |
additional.fields |
|
lock_branch_enforcement_level |
additional.fields |
|
log_level |
security_result.severity |
|
log_source |
additional.fields |
|
log_source_file |
target.file.full_path |
|
logData.Count |
additional.fields |
|
logData.Metrics.* |
additional.fields |
O asterisco (*) indica que isto inclui todos os subcampos. |
logType |
additional.fields |
|
lon |
principal.location.region_coordinates.longitude |
|
loop |
additional.fields |
|
matched_policies |
security_result.detection_fields |
|
member |
target.user.attribute.labels |
|
merge_queue_enforcement_level |
additional.fields |
|
method |
additional.fields |
|
multi_repo |
security_result.detection_fields |
|
mysql_component |
additional.fields |
|
mysql_warning_code |
additional.fields |
|
name |
target.resource.attribute.labels |
|
non_integer_id |
additional.fields |
|
ns |
additional.fields |
|
number |
additional.fields |
|
oauth_application |
principal.application |
|
oauth_application_id |
principal.resource.attribute.labels |
|
oauth_party |
additional.fields |
|
offset |
additional.fields |
|
old_permissions |
additional.fields |
|
old_repo_permissions |
additional.fields |
|
org |
target.administrative_domain |
|
org_id |
additional.fields.value.string_value |
|
organization.url |
additional.fields |
|
original_user_agent |
additional.fields |
|
overridden_codes |
additional.fields |
|
owner |
principal.user.user_display_name |
|
owner_id |
principal.user.userid |
|
package |
additional.fields |
|
package_name |
target.application |
|
parent |
additional.fields |
|
parent_installation_id |
additional.fields |
|
partition |
additional.fields |
|
path_info |
additional.fields |
Este é o mapeamento quando o caminho já está a ser mapeado para target.file.full_path. |
path_info |
target.file.full_path |
Este é o mapeamento quando o caminho ainda não está a ser mapeado para target.file.full_path. |
pgroup |
additional.fields |
|
pk_ms |
additional.fields |
|
prin_ip |
principal.ip, principal.asset.ip |
|
prin_port |
principal.port |
|
prin_usr |
principal.user.userid |
|
pro_pid |
target.process.pid |
|
probe_fail |
additional.fields |
|
probe_ok |
additional.fields |
|
programmatic_access_type |
additional.fields.value.string_value |
|
pubkey_creator_id |
additional.fields |
|
pubkey_creator_login |
additional.fields |
|
pubkey_fingerprint |
additional.fields |
|
pubkey_id |
additional.fields |
|
pubkey_verifier_id |
additional.fields |
|
pubkey_verifier_login |
additional.fields |
|
public_repo |
additional.fields.value.string_value |
|
public_repo |
target.location.name |
|
publicly_leaked |
security_result.detection_fields |
|
pull_request.* |
additional.fields |
O asterisco (*) indica que isto inclui todos os subcampos. |
pull_request._links.comments.href |
additional.fields |
|
pull_request._links.commits.href |
additional.fields |
|
pull_request._links.html.href |
additional.fields |
|
pull_request._links.issue.href |
additional.fields |
|
pull_request._links.review_comment.href |
additional.fields |
|
pull_request._links.review_comments.href |
additional.fields |
|
pull_request._links.self.href |
additional.fields |
|
pull_request._links.statuses.href |
additional.fields |
|
pull_request.base.* |
additional.fields |
O asterisco (*) indica que isto inclui todos os subcampos. |
pull_request.base.repo.* |
additional.fields |
O asterisco (*) indica que isto inclui todos os subcampos. |
pull_request.base.repo.owner.* |
additional.fields |
O asterisco (*) indica que isto inclui todos os subcampos. |
pull_request.head.* |
additional.fields |
O asterisco (*) indica que isto inclui todos os subcampos. |
pull_request.head.owner.* |
additional.fields |
O asterisco (*) indica que isto inclui todos os subcampos. |
pull_request.head.repo.* |
additional.fields |
O asterisco (*) indica que isto inclui todos os subcampos. |
pull_request.head.user.* |
additional.fields |
O asterisco (*) indica que isto inclui todos os subcampos. |
pull_request.requested_reviewers.* |
additional.fields |
O asterisco (*) indica que isto inclui todos os subcampos. |
pull_request.requested_teams.* |
additional.fields |
O asterisco (*) indica que isto inclui todos os subcampos. |
pull_request.user. (e todos os respetivos subcampos, exceto login) |
principal.user.attribute.labels |
|
pull_request.user.login |
principal.user.user_display_name |
|
pull_request_id |
target.resource.attribute.labels |
|
pull_request_title |
target.resource.attribute.labels |
|
query_string |
additional.fields.value.string_value |
|
queue_duration |
additional.fields |
|
quotas_enabled |
additional.fields |
|
rate_limit |
additional.fields |
|
rate_limit_family |
additional.fields |
|
rate_limit_key |
additional.fields |
|
rate_limit_remaining |
additional.fields.value.string_value |
|
rate_limit_reset |
additional.fields |
|
rate_limit_used |
additional.fields |
|
raw.at |
additional.fields |
|
raw.hashed_token |
network.session_id |
|
raw.token_type |
additional.fields |
|
raw.url |
target.url |
|
raw.user_agent |
network.http.user_agent, network.http.parsed_user_agent |
|
raw_login |
additional.fields |
|
read_only |
additional.fields |
|
readonly |
additional.fields |
|
reasons |
additional.fields |
|
ref |
target.resource.attribute.labels |
|
replicas |
additional.fields |
|
repo |
target.resource.name |
|
repo_id |
additional.fields.value.string_value |
|
repo_owner_login |
target.resource.attribute.labels |
|
repo_owner_type |
target.resource.attribute.labels |
|
repo_public |
additional.fields |
|
repository |
target.resource.attribute.labels |
|
repository.archive_url |
target.resource.attribute.labels |
|
repository.assignees_url |
target.resource.attribute.labels |
|
repository.blobs_url |
target.resource.attribute.labels |
|
repository.branches_url |
target.resource.attribute.labels |
|
repository.clone_url |
target.resource.attribute.labels |
|
repository.collaborators_url |
target.resource.attribute.labels |
|
repository.comments_url |
target.resource.attribute.labels |
|
repository.commits_url |
target.resource.attribute.labels |
|
repository.compare_url |
target.resource.attribute.labels |
|
repository.contents_url |
target.resource.attribute.labels |
|
repository.contributors_url |
target.resource.attribute.labels |
|
repository.created_at |
target.resource.attribute.labels |
|
repository.custom_properties. (e todos os respetivos subcampos) |
target.resource.attribute.labels |
|
repository.deployments_url |
target.resource.attribute.labels |
|
repository.downloads_url |
target.resource.attribute.labels |
|
repository.events_url |
target.resource.attribute.labels |
|
repository.fork |
target.resource.attribute.labels |
|
repository.forks_url |
target.resource.attribute.labels |
|
repository.full_name |
target.resource.attribute.labels |
|
repository.git_commits_url |
target.resource.attribute.labels |
|
repository.git_refs_url |
target.resource.attribute.labels |
|
repository.git_tags_url |
target.resource.attribute.labels |
|
repository.git_url |
target.resource.attribute.labels |
|
repository.homepage |
target.resource.attributes.labels |
|
repository.hooks_url |
target.resource.attribute.labels |
|
repository.html_url |
target.resource.attribute.labels |
|
repository.id |
target.resource.attribute.labels |
|
repository.issue_comment_url |
target.resource.attribute.labels |
|
repository.issue_events_url |
target.resource.attribute.labels |
|
repository.issues_url |
target.resource.attribute.labels |
|
repository.keys_url |
target.resource.attribute.labels |
|
repository.labels_url |
target.resource.attribute.labels |
|
repository.languages_url |
target.resource.attribute.labels |
|
repository.license |
target.resource.attributes.labels |
|
repository.merges_url |
target.resource.attribute.labels |
|
repository.milestones_url |
target.resource.attribute.labels |
|
repository.mirror_url |
target.resource.attributes.labels |
|
repository.name |
target.resource.attribute.labels |
|
repository.node_id |
target.resource.attribute.labels |
|
repository.notifications_url |
target.resource.attribute.labels |
|
repository.open_issues_count |
target.resource.attribute.labels |
|
repository.owner.avatar_url |
target.resource.attribute.labels |
|
repository.owner.events_url |
target.resource.attribute.labels |
|
repository.owner.followers_url |
target.resource.attribute.labels |
|
repository.owner.following_url |
target.resource.attribute.labels |
|
repository.owner.gists_url |
target.resource.attribute.labels |
|
repository.owner.gravatar_id |
target.resource.attribute.labels |
|
repository.owner.html_url |
target.resource.attribute.labels |
|
repository.owner.id |
target.resource.attribute.labels |
|
repository.owner.node_id |
target.resource.attribute.labels |
|
repository.owner.organizations_url |
target.resource.attribute.labels |
|
repository.owner.received_events_url |
target.resource.attribute.labels |
|
repository.owner.repos_url |
target.resource.attribute.labels |
|
repository.owner.site_admin |
target.resource.attribute.labels |
|
repository.owner.starred_url |
target.resource.attribute.labels |
|
repository.owner.subscriptions_url |
target.resource.attribute.labels |
|
repository.owner.type |
target.resource.attribute.labels |
|
repository.owner.url |
target.resource.attribute.labels |
|
repository.owner.user_view_type |
target.resource.attribute.labels |
|
repository.private |
target.resource.attribute.labels |
|
repository.pulls_url |
target.resource.attribute.labels |
|
repository.pushed_at |
target.resource.attribute.labels |
|
repository.releases_url |
target.resource.attribute.labels |
|
repository.size |
target.resource.attribute.labels |
|
repository.ssh_url |
target.resource.attribute.labels |
|
repository.stargazers_url |
target.resource.attribute.labels |
|
repository.statuses_url |
target.resource.attribute.labels |
|
repository.subscribers_url |
target.resource.attribute.labels |
|
repository.subscription_url |
target.resource.attribute.labels |
|
repository.svn_url |
target.resource.attribute.labels |
|
repository.tags_url |
target.resource.attribute.labels |
|
repository.teams_url |
target.resource.attribute.labels |
|
repository.topics |
target.resource.attributes.labels |
|
repository.trees_url |
target.resource.attribute.labels |
|
repository.updated_at |
target.resource.attribute.labels |
|
repository.url |
target.resource.attribute.labels |
|
repository.visibility |
target.resource.attribute.labels |
|
repository_public |
target.resource.attribute.labels |
|
req_content_type |
target.file.mime_type |
|
request_access_security_header |
security_result.detection_fields |
|
request_auth |
additional.fields |
|
request_body |
additional.fields.value.string_value |
|
request_duration |
additional.fields |
|
request_host |
principal.ip, principal.asset.ip |
Quando um endereço IP está presente, o mapeamento é para principal.ip (mantendo o mapeamento existente de principal.hostname). |
request_method |
network.http.method |
O valor é convertido em maiúsculas. |
requested_reviewers.* |
additional.fields |
O asterisco (*) indica que isto inclui todos os subcampos. |
require_code_owner_review |
additional.fields |
|
require_last_push_approval |
additional.fields |
|
required_approving_review_count |
additional.fields |
|
required_deployments_enforcement_level |
additional.fields |
|
required_review_thread_resolution_enforcement_level |
additional.fields |
|
rerun_type |
additional.fields |
|
res_type |
target.resource.resource_subtype |
|
response_time |
additional.fields |
|
review_id |
target.resource.attributes.labels |
|
route |
additional.fields.value.string_value |
|
rpc.jsonrpc.error_code |
network.http.response_code |
|
rpc.jsonrpc.error_message |
security_result.summary |
|
rule_suite_id |
security_result.rule_id |
|
run_attempt |
additional.fields |
|
run_number |
additional.fields |
|
runner_labels |
target.resource.attribute.labels |
|
runner_owner_type |
target.resource.attribute.labels |
|
runner_tenant_id |
target.resource.attribute.labels |
|
s3_tag |
additional.fields |
|
secret_type |
security_result.detection_fields |
|
secret_types |
security_result.detection_fields |
|
secrets_passed |
security_result.detection_fields |
|
sender.id |
src.user.product_object_id |
|
sender.login |
src.user.user_display_name |
|
sender.node_id |
src.asset_id |
|
sender.type |
src.user.title |
|
sender.url |
src.url |
|
service |
target.resource.name |
|
service.version |
additional.fields |
|
serviceName |
target.resource.name |
|
severity (se for elevado) |
security_result.severity |
|
SeverityText |
security_result.severity |
|
shallow |
additional.fields |
|
sign_in_verification_method |
security_result.detection_fields |
|
signature_requirement_enforcement_level |
additional.fields |
|
sigtype |
additional.fields |
|
source |
src.resource.name |
|
spec |
additional.fields |
|
sr |
additional.fields |
|
ss |
additional.fields |
|
started_at |
vulns.vulnerabilities.scan_start_time |
|
stateless |
additional.fields |
|
status_code |
network.http.response_code |
|
strict_required_status_checks_policy |
additional.fields |
|
subject.business.id |
target.resource.attribute.labels |
|
subject.owner.id |
additional.fields |
|
subject.owning_organization.id |
principal.group.product_object_id |
|
subject.repository.id |
target.resource.product_object_id |
|
subject.repository.internal |
target.resource.attribute.labels |
|
subject.repository.owner.id |
additional.fields |
|
subject.repository.public |
target.resource.attribute.labels |
|
subject.repository.writable |
target.resource.attribute.labels |
|
subject.type |
target.resource.attribute.labels |
|
synthetic_status |
additional.fields |
|
tar_application |
target.application |
|
telemetry.sdk.name |
additional.fields |
|
tenant_id |
target.resource.attribute.labels |
|
tid |
additional.fields |
|
time |
metadata.event_timestamp |
|
time_duration_ms |
additional.fields |
|
time_zone |
additional.fields |
|
timestamp |
metadata.event_timestamp |
|
tls_version |
network.tls.version |
|
token_id |
additional.fields.value.string_value |
|
token_scopes |
additional.fields.value.string_value |
|
topic |
additional.fields |
|
total |
additional.fields |
|
transport_protocol |
additional.fields |
|
transport_protocol_name |
network.application_protocol |
O valor é convertido em maiúsculas. |
ts |
metadata.event_timestamp |
Quando process_type é github_production. |
TTY |
additional.fields |
|
twirp_method |
additional.fields |
|
twirp_package |
additional.fields |
|
twirp_service |
additional.fields |
|
twirp_status |
network.http.response_code |
|
two_factor_type |
security_result.detection_fields |
|
type |
additional.fields |
|
unavailable |
additional.fields |
|
updated_at |
metadata.collected_timestamp |
|
url_path |
target.url |
|
usage_metrics |
additional.fields |
|
user |
target.user.userid |
|
user.id |
target.user.attr.labels |
Quando actor.id está presente. |
user.id |
target.user.userid |
Quando actor.id não está presente. |
user_agent |
network.http.parsed_user_agent |
O valor é analisado. |
user_agent |
network.http.user_agent |
|
user_id |
target.user.userid |
|
user_operator_mode |
additional.fields |
|
user_programmatic_access_id |
additional.fields |
|
user_renaming_enabled |
additional.fields |
|
user_spammy |
additional.fields |
|
version |
metadata.product_version |
Esta associação inclui registos JSON. |
visibility |
additional.fields |
|
vk_ms |
additional.fields |
|
vulnerability_id |
additional.fields |
|
vulnerable_version_range_id |
additional.fields |
|
workflow |
target.resource.attributes.labels |
|
workflow.name |
target.resource.attribute.labels |
|
workflow_id |
target.resource.attribute.labels |
|
workflow_job.head_branch |
security_result.detection_fields |
|
workflow_job.name |
target.resource.attributes.labels |
|
workflow_job.workflow_name |
security_result.detection_fields |
|
workflow_run.actor. (e todos os respetivos subcampos, exceto o campo login, incluído em todos os subcampos) |
principal.user.attribute.labels |
|
workflow_run.actor.login |
principal.user.userid |
|
workflow_run.artifacts_url |
target.resource.attributes.labels |
|
workflow_run.cancel_url |
target.resource.attributes.labels |
|
workflow_run.check_suite_id |
additional.fields |
|
workflow_run.check_suite_node_id |
additional.fields |
|
workflow_run.check_suite_url |
target.resource.attributes.labels |
|
workflow_run.conclusion |
target.resource.attribute.labels |
|
workflow_run.created_at |
metadata.event_timestamp |
|
workflow_run.display_title |
target.resource.attribute.labels |
|
workflow_run.event |
additional.fields.value.string_value |
|
workflow_run.event |
target.resource.attribute.labels |
|
workflow_run.head_branch |
target.resource.attribute.labels |
|
workflow_run.head_commit |
target.resource.attributes.labels |
|
workflow_run.head_repository |
additional.fields |
|
workflow_run.head_sha |
target.file.sha256 |
|
workflow_run.html_url |
target.resource.attribute.labels |
|
workflow_run.id |
target.resource.attribute.labels.value |
|
workflow_run.jobs_url |
target.resource.attributes.labels |
|
workflow_run.logs_url |
target.resource.attributes.labels |
|
workflow_run.name |
target.resource.name |
|
workflow_run.node_id |
target.resource.product_object_id |
|
workflow_run.path |
target.resource.attribute.labels |
|
workflow_run.previous_attempt_url |
target.resource.attributes.labels |
|
workflow_run.pull_requests |
about.resource.attribute.labels |
|
workflow_run.repository |
additional.fields |
|
workflow_run.rerun_url |
target.resource.attributes.labels |
|
workflow_run.run_attempt |
target.resource.attribute.labels |
|
workflow_run.run_number |
target.resource.attribute.labels |
|
workflow_run.run_started_at |
target.resource.attribute.labels |
|
workflow_run.status |
security_result.description |
|
workflow_run.triggering_actor |
additional.fields |
|
workflow_run.updated_at |
metadata.collected_timestamp |
|
workflow_run.url |
target.url |
|
workflow_run.workflow_id |
security_result.about.labels.value |
|
workflow_run.workflow_id |
target.resource.attribute.labels |
|
workflow_run.workflow_url |
target.resource.attributes.labels |
Referência de deltas de lançamentos
A 8 de janeiro de 2026, o Google SecOps lançou uma nova versão do analisador GitHub, que inclui alterações significativas.
Delta do mapeamento de campos de registo
A tabela seguinte indica a diferença de mapeamento para os campos de registo do GitHub expostos antes de 8 de janeiro de 2026 e posteriormente (indicados nas colunas Mapeamento antigo e Mapeamento atual, respetivamente):
| Campo de registo | Mapeamento antigo | Mapeamento atual |
|---|---|---|
action (para registos JSON) |
metadata.product_event_type, security_result.summary,security_result.detection_fields |
metadata.product_event_type |
action (para registos syslog) |
additional.fields, security_result.summary |
security_result.summary |
business |
additional.fields, target.user.company_name |
additional.fields |
business_id |
target.resource.attribute.labels |
additional.fields |
data.email |
target.email |
target.user.email_addresses |
data.event |
security_result.about.labels |
target.resource.attribute.labels |
data.head_branch |
security_result.about.labels |
target.resource.attribute.labels |
data.hook_id |
target.resource.attribute.labels |
target.resource.product_object_id |
data.team |
target.user.group_identifiers |
target.group.group_display_name |
data.trigger_id |
security_result.about.labels |
target.resource.attribute.labels |
data.workflow_id |
security_result.about.labels |
target.resource.attribute.labels |
data.workflow_run_id |
security_result.about.labels |
target.resource.attribute.labels |
hashed_token |
additional.fields |
network.session_id |
hook_id (para registos JSON) |
additional.fields |
target.resource.attribute.labels |
name |
additional.fields |
target.resource.attribute.labels |
oauth_application_id |
additional.fields |
principal.resource.attribute.labels |
pull_request_id |
additional.fields |
target.resource.attribute.labels |
pull_request_title |
additional.fields |
target.resource.attribute.labels |
repository.archive_url |
additional.fields |
target.resource.attribute.labels |
repository.assignees_url |
additional.fields |
target.resource.attribute.labels |
repository.blobs_url |
additional.fields |
target.resource.attribute.labels |
repository.branches_url |
additional.fields |
target.resource.attribute.labels |
repository.clone_url |
additional.fields |
target.resource.attribute.labels |
repository.collaborators_url |
additional.fields |
target.resource.attribute.labels |
repository.comments_url |
additional.fields |
target.resource.attribute.labels |
repository.commits_url |
additional.fields |
target.resource.attribute.labels |
repository.compare_url |
additional.fields |
target.resource.attribute.labels |
repository.contents_url |
additional.fields |
target.resource.attribute.labels |
repository.contributors_url |
additional.fields |
target.resource.attribute.labels |
repository.created_at |
additional.fields |
target.resource.attribute.labels |
repository.deployments_url |
additional.fields |
target.resource.attribute.labels |
repository.downloads_url |
additional.fields |
target.resource.attribute.labels |
repository.events_url |
additional.fields |
target.resource.attribute.labels |
repository.fork |
additional.fields |
target.resource.attribute.labels |
repository.forks_url |
additional.fields |
target.resource.attribute.labels |
repository.full_name |
additional.fields |
target.resource.attribute.labels |
repository.git_commits_url |
additional.fields |
target.resource.attribute.labels |
repository.git_refs_url |
additional.fields |
target.resource.attribute.labels |
repository.git_tags_url |
additional.fields |
target.resource.attribute.labels |
repository.git_url |
additional.fields |
target.resource.attribute.labels |
repository.hooks_url |
additional.fields |
target.resource.attribute.labels |
repository.html_url |
additional.fields |
target.resource.attribute.labels |
repository.id |
additional |
target.resource.attribute.labels |
repository.issue_comment_url |
additional.fields |
target.resource.attribute.labels |
repository.issue_events_url |
additional.fields |
target.resource.attribute.labels |
repository.issues_url |
additional.fields |
target.resource.attribute.labels |
repository.keys_url |
additional.fields |
target.resource.attribute.labels |
repository.labels_url |
additional.fields |
target.resource.attribute.labels |
repository.languages_url |
additional.fields |
target.resource.attribute.labels |
repository.merges_url |
additional.fields |
target.resource.attribute.labels |
repository.milestones_url |
additional.fields |
target.resource.attribute.labels |
repository.name |
additional.fields |
target.resource.attribute.labels |
repository.node_id |
additional.fields |
target.resource.attribute.labels |
repository.notifications_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.avatar_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.events_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.followers_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.following_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.gists_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.gravatar_id |
additional.fields |
target.resource.attribute.labels |
repository.owner.html_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.id |
additional.fields |
target.resource.attribute.labels |
repository.owner.node_id |
additional.fields |
target.resource.attribute.labels |
repository.owner.organizations_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.received_events_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.repos_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.site_admin |
additional.fields |
target.resource.attribute.labels |
repository.owner.starred_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.subscriptions_url |
additional.fields |
target.resource.attribute.labels |
repository.owner.type |
additional.fields |
target.resource.attribute.labels |
repository.owner.url |
additional.fields |
target.resource.attribute.labels |
repository.owner.user_view_type |
additional.fields |
target.resource.attribute.labels |
repository.private |
additional.fields |
target.resource.attribute.labels |
repository.pulls_url |
additional.fields |
target.resource.attribute.labels |
repository.pushed_at |
additional.fields |
target.resource.attribute.labels |
repository.releases_url |
additional.fields |
target.resource.attribute.labels |
repository.size |
additional.fields |
target.resource.attribute.labels |
repository.ssh_url |
additional.fields |
target.resource.attribute.labels |
repository.stargazers_url |
additional.fields |
target.resource.attribute.labels |
repository.statuses_url |
additional.fields |
target.resource.attribute.labels |
repository.subscribers_url |
additional.fields |
target.resource.attribute.labels |
repository.subscription_url |
additional.fields |
target.resource.attribute.labels |
repository.svn_url |
additional.fields |
target.resource.attribute.labels |
repository.tags_url |
additional.fields |
target.resource.attribute.labels |
repository.teams_url |
additional.fields |
target.resource.attribute.labels |
repository.trees_url |
additional.fields |
target.resource.attribute.labels |
repository.updated_at |
additional.fields |
target.resource.attribute.labels |
repository.url |
additional.fields |
target.resource.attribute.labels |
repository.visibility |
additional.fields |
target.resource.attribute.labels |
repository_public |
additional.fields |
target.resource.attribute.labels |
res_type |
target.resource.type |
target.resource.resource_subtype |
sender.id |
src.user.product_object_id, additional.fields |
src.user.product_object_id |
sender.login |
additional.fields, src.user.user_display_name |
src.user.user_display_name |
sender.node_id |
src.asset_id, additional.fields |
src.asset_id |
sender.type |
src.user.title, additional.fields |
src.user.title |
sender.url |
src.url, additional.fields |
src.url |
workflow.name |
security_result.about.labels |
target.resource.attribute.labels |
workflow_job.head_branch |
security_result.about.labels |
security_result.detection_fields |
workflow_job.workflow_name |
security_result.about.labels |
security_result.detection_fields |
workflow_run.event |
additional.fields |
target.resource.attribute.labels |
workflow_run.head_branch |
security_result.about.labels |
target.resource.attribute.labels |
workflow_run.workflow_id |
security_result.about.labels |
target.resource.attribute.labels |
Diferença das condições do tipo de evento
As condições que determinam os tipos de eventos do Google SecOps foram alteradas na versão de 8 de janeiro de 2026.
A tabela seguinte apresenta os tipos de eventos e as condições atuais (ou seja, as condições eram diferentes antes do lançamento de 8 de janeiro de 2026):
| event_type | Condições |
|---|---|
NETWORK_CONNECTION |
[has_target] == "true" && [has_principal] == "true" |
STATUS_UPDATE |
[has_principal] == "true" |
USER_RESOURCE_DELETION |
[has_target_resource] == "true" && [has_principal_user] == "true" && [action] in ["hook.destroy" ,"protected_branch.destroy" ,"public_key.delete"] |
USER_RESOURCE_UPDATE_CONTENT |
[has_target_resource] == "true" && [has_principal_userid] == "true" && [action] in [ "pull_request.merge" , "hook.events_changed"] |
USER_RESOURCE_UPDATE_PERMISSIONS |
[has_target_resource] == "true" && [has_principal_userid] == "true" && [action] in ["repo.update_actions_secret","protected_branch.update_pull_request_reviews_enforcement_level", "org.update_member" ,"protected_branch.update_admin_enforced" ,"protected_branch.update_required_status_checks_enforcement_level","org.integration_manager_removed" ,"repo.update_member", "repo.add_member"] |
Delta de mapeamento de teclas
A tabela seguinte indica a diferença de mapeamento para chaves em campos de registo não processado para chaves em campos de UDM expostos antes de 8 de janeiro de 2026 e posteriormente (indicados nas colunas Chave antiga e Chave atual, respetivamente):
| Chave no registo não processado | Chave antiga | Chave atual |
|---|---|---|
alert.secret_type_display_name |
secret_type_display_name |
alert_secret_type_display_name |
enterprise.name |
Enterprise Name |
enterprise_name |
hook_id |
Hook Id |
Hook_Id |
invitation.failed_at |
failed_at |
invitation_failed_at |
invitation.failed_reason |
failed_reason |
invitation_failed_reason |
invitation.invitation_source |
invitation_source |
invitation_invitation_source |
raw.failure_reason |
failure_reason |
raw_failure_reason |
raw.failure_type |
failure_type |
raw_failure_type |
raw.from |
from |
raw_from |
workflow_run.event |
event |
workflow_run_event |
workflow_run.head_branch |
Head Branch |
Head_Branch |
workflow_run.id |
workflow_run_id |
workflow_Run_id |
workflow_run.workflow_id |
Workflow Id |
Workflow_Id |
Precisa de mais ajuda? Receba respostas de membros da comunidade e profissionais da Google SecOps.