Analyze and Correlate GitHub Audit Logs and Access Paths

Report an issue with this page

This guide walks you through configuring Identity Security to import GitHub Audit Logs, providing enhanced visibility and alerts for suspicious activities.

Teleport Identity Activity Center is a centralized data platform that enhances visibility, allows to search and analyze activity from both human and non-human identities across multiple data sources.

It provides a rich visualization layer that maps access policies across services such as AWS, GitHub, Okta, and Teleport with the real-time activity from those identities.

Built to assist security and operations teams, Identity Activity Center combines activities from the same identity across different platforms improving the correlation of identity-based events across platforms and expedites investigations. Through an intelligent alerting engine that detects irregularities in audit logs, emphasizes odd behavior, and describes the access levels each identity has across corporate services, it offers contextual insights during incident response.

Identity Activity Center is a feature of Teleport Identity Security product that is only available to Teleport Enterprise customers.

How it works

Identity Activity Center retrieves GitHub Audit Logs through a polling mechanism that executes every minute, standardizing, analyzing, and storing them for long-term retention.

Prerequisites

• A running Teleport Enterprise cluster v18.0.0 or later.
• Identity Security enabled for your account.
• For self-hosted clusters:
  • Ensure that an up-to-date license.pem is used in the Auth Service configuration.
  • A running Access Graph node v1.28.0 or later with Identity Activity Center enabled. Check the Identity Security page for details on how to set up Access Graph and enable Identity Activity Center.
• GitHub admin access to an organization.

Step 1/2. Create a GitHub application

Identity Activity Center accesses your GitHub organization through a GitHub application.

Throughout this guide, you will create a GitHub application, configure the required permissions, generate a Private Key, and finally install it into your organization.

First, navigate to your GitHub organization page and select Settings. On the left menu, expand Developer settings and select GitHub Apps. In the top-right corner, select New GitHub App.

Fill in the application name, deactivate Webhook, and select the requested permissions:

• Repository permissions
  • Metadata: Read-only
• Organization permissions
  • Administration: Read-only
  • Custom organization roles: Read-only
  • Custom repository roles: Read-only
  • Members: Read-only
  • Personal access token requests: Read-only
  • Personal access tokens: Read-only

Once selected, click the Create GitHub App button. Navigate to the newly created App settings and click the Generate Private Key button. Clicking this button will trigger a private key file download. Save the file for later. Also copy the Client ID displayed in the App's About section.

To restrict access to specific IPs, you can configure the IP allow list section to allow access only from the Teleport Auth Service’s IP addresses.

Finally, select Install App and install the application into the desired organization.

Step 2/2. Set up Audit Log and Access Path Sync

To initiate the setup wizard for configuring GitHub sync, access the Teleport UI, click the Identity Security sidebar button, and then click Integrations.

Click the Setup new integration button, and then select GitHub. You'll be prompted to create a new Identity Activity Center GitHub integration. During the setup process, you will be asked to provide:

• Organization name
• Private Key downloaded in the previous step
• Client ID copied in the previous step

Once you complete all the steps, the Investigations tab in Identity Security will begin displaying GitHub Audit Logs and Access Paths after a few minutes.