Github

2025.11.17

Overview

Identity Intelligence can connect to Github Enterprise tenants and provide insights into user identities and activity on that platform.

This document will walk you through the process of setting up access from Identity Intelligence to Github Enterprise.

Requirements

The following are required for the Github integration:

  1. Github Enterprise subscription

  2. A Github Enterprise admin account capable of creating Personal Access Tokens (classic)

  3. SSO from your Identity Provider to each Github org is set to "Enforced" (mandatory) and not "Configured" (optional), otherwise Identity Intelligence cannot retrieve the emails for users in the "configured" org and they will not merge with their own record in the "enforced" org

Github API Permission Structure

Enterprise vs. Org

Identity Intelligence has chosen to connect to Github environments at the Enterprise level rather than per Organization. This allows for the use of one API token for an entire customer environment, instead of an API token being required for each Org.

Therefore, an Enterprise Admin account or an Enterprise service account is required.

Excluding Specific Github Orgs

You may want to collect identity data for only certain orgs under your Github Enterprise tenant. To do that, you will need to follow this approach:

  1. Create an Identity Intelligence service account at the Enterprise level

  2. Make it a member of the orgs where you want Identity Intelligence to ingest data

  3. Do NOT make the account a member or give it access to orgs where you do not want Identity Intelligence to collect data

  4. Create PAT as described below

  5. Authorize SSO for the PAT to the desired orgs

Fine-grained vs Classic PAT

Identity Intelligence leverages the Audit Log API methods to obtain necessary information. At this time, this portion of the API is only available when using PAT (classic) tokens. (Github article)

These endpoints only support authentication using a personal access token (classic). For more information, see "Managing your personal access tokens."

Github Configuration Steps

  1. Log in to Github with an Enterprise admin account. If you navigate to github.com/settings/enterprises, it should look something like the following:

  2. Enable displaying IP addresses in the Github Audit Log for your enterprise tenant as described in this article

  3. In step 8 of Github's PAT Creation docs, grant the following scopes to the token: read:audit_log, read:enterprise, read:org, repo:invite, user:email

  4. Click Generate Token and copy it to a secure location for use in upcoming set up steps

  5. Important - Ensure that the PAT has SSO authorization to all of the Github orgs under your Enterprise tenant, if SSO is in use.

    1. If at any point, you update the scopes associated with the token, be sure to reauthorize the token for the SSO enabled orgs within the enterprise tenant.

  6. Note the slug for your Enterprise Github tenant. This can be found under your enterprise profile tab.
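
One way to confirm that the token from steps 3 to 5 carries the listed scopes, nothing broader, and is SSO-authorized. This is an added example, not part of the vendor's documentation. It parses the X-OAuth-Scopes and X-GitHub-SSO response headers that Github returns on authenticated API calls made with a classic PAT; the sample headers and org IDs are constructed, and the function and variable names are this example's own.

```python
import re

# Scopes listed in step 3 of the Github configuration steps.
REQUIRED = {"read:audit_log", "read:enterprise", "read:org",
            "repo:invite", "user:email"}

# Broader classic scopes that include a required one (GitHub scope hierarchy).
BROADER = {
    "repo:invite": {"repo"},
    "user:email": {"user"},
    "read:org": {"write:org", "admin:org"},
    "read:enterprise": {"admin:enterprise"},
}

def audit_pat_headers(headers):
    """Compare one API response's headers against the scopes this page needs."""
    h = {k.lower(): v for k, v in headers.items()}
    # If the header is absent, every required scope is reported missing.
    granted = {s.strip() for s in h.get("x-oauth-scopes", "").split(",") if s.strip()}
    missing, covered = [], {}
    for scope in sorted(REQUIRED - granted):
        parents = BROADER.get(scope, set()) & granted
        if parents:
            covered[scope] = sorted(parents)   # works, but over-privileged
        else:
            missing.append(scope)
    # "partial-results; organizations=<id>,<id>" lists orgs the token is not
    # SSO-authorized for; "required; url=..." means the whole request was refused.
    sso = h.get("x-github-sso", "")
    m = re.search(r"organizations=([\d,]+)", sso)
    return {
        "missing": missing,
        "excess": sorted(granted - REQUIRED),
        "covered_by_broader": covered,
        "sso_unauthorized_org_ids": [i for i in m.group(1).split(",") if i] if m else [],
        "sso_required": sso.strip().lower().startswith("required"),
    }

# Constructed sample headers (not captured from a real tenant).
SAMPLE_OK = {"X-OAuth-Scopes": "read:audit_log, read:enterprise, read:org, repo:invite, user:email"}
SAMPLE_BAD = {
    "X-OAuth-Scopes": "repo, read:org, user:email, read:audit_log",
    "X-GitHub-SSO": "partial-results; organizations=1111111,2222222",
}

if __name__ == "__main__":
    for name, hdrs in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit_pat_headers(hdrs))
```

Any entry under excess or covered_by_broader means the token grants more than this integration needs and should be regenerated with only the five scopes above.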

Identity Intelligence Configuration Steps

Sign in to your Identity Intelligence tenant and perform the following steps:

  1. From the Integrations page, click Add Integration and select Github

  2. Enter a display name for the integration, such as Github customername.

  3. Enter the value of your Github Enterprise slug, obtained in Step 7 above

  4. Enter the Github PAT value and click Connect to test the configuration connection

  5. Once the configuration connection is successful, go back to the main Integrations page, click the 3-dot menu on the Github integration and select Collect Now. Collection may take some time, depending on the size of the environment.

  6. [Optional, but highly recommended] Follow the steps below to configure Event Streaming for Github, especially if you have a large Github environment, to ensure that API rate limiting issues are not encountered

Github Event Streaming

Github can stream audit log events via Webhooks. This feature is currently in Public Preview. If you do not see the option in your Github Enterprise tenant, contact your Github representative.

Note: The Github base configuration steps listed above must already be completed before beginning these steps

  1. Within Identity Intelligence, navigate to Integrations and select Edit Settings using the 3-dot menu button on right-hand side of the row that represents your existing Github integration

  2. Select the Event Streaming tab

  3. Slide the toggle to enable the Use Audit Log Streaming setting

  4. Note the Domain, Path, and Port information that is populated as it will be needed later to complete the setup within Github

  5. Create and enter a strong value for the Webhook Secret in the respective field. Record the secret that was entered, as it will be needed later to complete the setup within Github

  1. In a new tab, log in to Github with the necessary admin role and navigate to Settings > Audit Log > Settings tab. Verify that the Enable API Request Events checkbox is selected as shown in the screenshot below. If not, check the box and select Save

  2. On the Log Streaming tab, select HTTP Event Collector from the Configure stream dropdown list as shown in the screenshot

  3. Enter the Domain, Path, Port, and Token (Webhook secret above) that were generated earlier in Identity Intelligence

  4. Check off the Enable SSL verification button

  5. In Identity Intelligence, navigate back to the Github integration Event Streaming tab and check off the box to confirm that you have configured Github streaming in that platform and then select Save

  6. Navigate back to the Github Streaming Configuration page, select the Check Endpoint button. Once the check is successful, select Save

Updating the PAT

If the PAT is due to expire or needs to be rotated, follow these steps:

  1. After creating the new PAT (classic) with the necessary scopes, log in to your Identity Intelligence tenant

  2. In the Identity Intelligence console, go to the Integrations page, click the 3-dot menu for the Github integration and select Edit Settings

  3. Click Reset Credentials. Then enter the new PAT value and click Save.

  4. Go back to the Integrations page, click the 3-dot menu for the Github Integration and select Test Connectivity to ensure a successful connection
