Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • External Systems Configuration Guide

    Home FortiSIEM 7.2.1 External Systems Configuration Guide
    7.2.1
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.7
    7.1.6
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.7.9
    6.7.8
    6.7.7
    6.7.6
    6.7.5
    6.7.4
    6.7.3
    6.7.2
    6.7.1
    6.7.0
    6.6.5
    6.6.4
    6.6.3
    6.6.2
    6.6.1
    6.6.0
    6.5.3
    6.5.2
    6.5.1
    6.5.0
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    6.1.0
    5.4.0
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.0.0

    GitHub

    GitHub

    Integration Points

    Protocol Information collected Used for
    GitHub API Logs from the GitHub Service Security and Compliance

    Event Types

    In ADMIN > Device Support > Event Types, search for "GitHub" to see the event types associated with this device.

    Rules

    In RESOURCES > Rules, search for "GitHub" in the main content panel Search... field to see the rules associated with this device.

    Reports

    In RESOURCES > Reports, search for "GitHub" in the main content panel Search... field to see the reports associated with this device.

    Configuration Through API

    Configuring GitHub Server

    Create an account to be used for FortiSIEM communication, followed by the creation of an access token (instructions for creating an access token follow).

    Create Access Token

    Take the following steps to create an Access Token.

    Reference: Instructions for creating a token come from GitHub Docs. See here for more information.

    1. In the upper right corner of any page, click your profile picture.

    2. Click Settings.

    3. In the left panel, click Developer settings, then click Personal access tokens.

    4. Click Generate new token.

    5. Click Generate new token (classic).

    6. In the Note field, enter a descriptive name for your token.

    7. To give your token an expiration, select Expiration, then choose a default option or click Custom to enter a date, or choose No Expiration.

    8. Select the scopes to grant this token. To use your token to access repositories from the command line, select repo. A token with no assigned scopes can only access public information. For more information, see Scopes for OAuth apps. At a minimum, you must select User scope for FortiSIEM.

    9. Click Generate token.

    10. (Optional) To copy the new token to your clipboard, click the copy icon.

    Configuring FortiSIEM

    Use the account in previous step to enable FortiSIEM access.

    1. Login to FortiSIEM.
    2. Go to ADMIN > Setup > Credentials.
    3. In Step 1: Enter Credentials, click New to create a GitHub credential.
    4. Enter these settings in the Access Method Definition dialog box:

      Settings

      Description

      NameEnter a name for the credential
      Device Type GitHub.com GitHub
      Access Protocol GitHub API
      Pull Interval The interval in which FortiSIEM will pull events. Default is 5 minutes.
      Password ConfigSee Password Configuration
      GitHub TokenProvide the GitHub token.
      Organization Choose the Organization if it is an MSP deployment and the same credential has to be used for multiple customers.
      Description Description of the device
    5. In Step 2: Enter IP Range to Credential Associations, click New.
      1. Set IP/Host Name to the IP address of the GitHub Server.
      2. Select the Credential created in steps 3 and 4.
      3. Click Save.
    6. Select the entry in step 3 above and click the Test drop-down list, and select Test Connectivity.
    7. After Test Connectivity succeeds, an entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from GitHub server using the API.

    To test for received GitHub events:

    1. Go to ADMIN > Setup > Pull Events.
    2. Select the GitHub entry and click Report.

    The system will take you to the ANALYTICS tab and run a query to display the events received from GitHub in the last 15 minutes. You can modify the time interval to get more events.

    Configuration Through Webhook

    Prerequisite

    Most applications using webhook push notifications do server TLS certificate validation, which means the target collector must be configured with a public CA signed TLS certificate.

    See How to Set Up a FortiSIEM Collector with a Public SSL/TLS Certificate for configuration information.

    FortiSIEM Setup

    To configure webhook integration, you will need to take the following general steps.

    Create Credential

    Take the following steps to configure a credential for FortiSIEM.

    1. Login to FortiSIEM as an administrator.

    2. Navigate to Admin > Setup > Credentials.

    3. Under Step 1: Enter Credentials, click New.

    4. In the Access Method Definition window, input the following:

      1. In the Name field, enter the name of the credential. This serves as the basis of the target endpoint created.

      2. From the Device Type drop-down list, select GitHub.com GitHub.

      3. From the Access Protocol drop-down list, select Webhook.

      4. In the Separator field, leave the default as "\n" to separate the payload. The "\n" is the newline linefeed and means that each line in the response is treated as a new log.

      5. In the Receiver FQDN field, enter the FQDN of the FortiSIEM node. This field expects the FQDN or IP address of the FortiSIEM collector that will be receiving the webhook traffic. This is used to help dynamically generate an endpoint configuration for you. This should ideally be the FQDN of the collector from the sending application's perspective. For example, if this is a SaaS application on the public internet, this will be a public FQDN, e.g. collector01.example.com.

      6. In the Reporting Host Name field, enter "GitHub.com". This field expects the source hostname of the sending application. It is used to uniquely identify the logs as it will be in the header of every log. You can use something like example.com if example.com was the vendor's domain.

      7. Endpoint is the dynamically generated webhook endpoint based on the receiver FQDN. This makes it easier to paste this URL as the target of your webhooks in the client application.

      8. From the Auth Type drop-down list, select HMAC. HMAC uses a shared secret to create a hash signature with each payload from the HTTP request and then compares the value of the header/parameter in the HTTP request. It is client application dependent on whether they pass the hash in a specific HTTP header value, or an HTTP url parameter. After selecting HMAC, take the following steps.

      9. From the Algorithm drop-down list, select SHA-256.

      10. In the Shared Secret field, enter the shared secret.

      11. From the Auth Part drop-down list, select Header.

      12. In the Header Name field, enter "X-Hub-Signature-256".

      13. Click Save and Deploy.

      14. Click Edit to return to the webhook configuration you just saved. From the Endpoint row, copy the URL. This URL will be needed to configure webhook in GitHub Setup.

    GitHub Setup

    Documentation Reference: https://docs.github.com/en/webhooks/using-webhooks/creating-webhooks

    First, ensure the Prerequisite is complete. Take the following steps to configure webhook for GitHub.

    1. On GitHub.com, navigate to your repository, click Settings and from the left sidebar, click Webhooks.

    2. Click Add webhook.

    3. Under Payload URL, enter/paste the URL of the webhook endpoint. You should have this information from your FortiSIEM configuration when you copied the URL from the Endpoint row.

      It will be in the following format:

      https://<FortiSIEM_Node_IP>/webhook/<FortiSIEM_Credential_NAME>

    4. From the Content type drop-down list, select application/json.

    5. Under Secret, enter a string to use as a secret. This secret token should be the same as the shared secret in your FortiSIEM configuration.

    6. (Optional) Clear the Enable SSL verification checkbox to disable SSL verification.

      If you would like to leave SSL verification enabled, you must ensure the target FortiSIEM collector, or target device terminating the TLS connection is using a public CA signed TLS/SSL certificate.

      Note: If Enable SSL verification is enabled, ensure the collector is setup with a valid TLS certificate. See the Prerequisite for more information.

    7. Under "Which events would you like to trigger this webhook?", select the webhook events that you want to receive. You should only subscribe to the webhook events that you need. If you choose Let me select individual events, select the events that you want to trigger the webhook.

    8. To make the webhook active immediately after adding the configuration, select Active.

    9. Click Add webhook.

    Checking for Events

    Events can be queried from the Analytics page, using github- as part of a Raw Event Log search. Make sure GitHub Setup is completed before proceeding with your check for events.

    From the FortiSIEM GUI, take the following steps.

    1. Navigate to Analytics >Search.

    2. Click Edit Filters and Time Range.....

    3. In Filter By, select the Event Attribute tab.

    4. Enter/select the following:
      Attribute = Raw Event Log, Operator = CONTAIN, Value = github-

    5. Click Apply & Run.

    Sample Event Type 

    [PH_DEV_MON_CUSTOM_JSON]:[reptVendor]=GitHub.com,[reptModel]=GitHub,[reptDevName]=GitHub.com,[reptDevIpAddr]=1.1.1.1,[keyword]=push,[json]={"ref":"refs/heads/main","before":"dbfa142e611116231117ec45255c79d53e53929e","after":"ee67c6b544707af0d94f41111c1cf2d748729fb8","repository":{"id":768823079,"node_id":"R_kgDOLdNPJw","name":"DH_TESTER","full_name":"Org1/DH_TESTER","private":true,"owner":{"name":"Org1","email":null,"login":"Org1","id":23552948,"node_id":"MDEyOk9xx2FuaXphdGlvbjIzNTUyOTQ4","avatar_url":"https://avatars.githubusercontent.com/u/23552948?v=4","gravatar_id":"","url":"https://api.github.com/users/Org1","html_url":"https://github.com/Org1","followers_url":"https://api.github.com/users/Org1/followers","following_url":"https://api.github.com/users/Org1/following{/other_user}","gists_url":"https://api.github.com/users/Org1/gists{/gist_id}","starred_url":"https://api.github.com/users/Org1/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/Org1/subscriptions","organizations_url":"https://api.github.com/users/Org1/orgs","repos_url":"https://api.github.com/users/Org1/repos","events_url":"https://api.github.com/users/Org1/events{/privacy}","received_events_url":"https://api.github.com/users/Org1/received_events","type":"Organization","site_admin":false},"html_url":"https://github.com/Org1/DH_TESTER","description":"DH_TEsTER","fork":false,"url":"https://github.com/Org1/DH_TESTER","forks_url":"https://api.github.com/repos/Org1/DH_TESTER/forks","keys_url":"https://api.github.com/repos/Org1/DH_TESTER/keys{/key_id}","collaborators_url":"https://api.github.com/repos/Org1/DH_TESTER/collaborators{/collaborator}","teams_url":"https://api.github.com/repos/Org1/DH_TESTER/teams","hooks_url":"https://api.github.com/repos/Org1/DH_TESTER/hooks","issue_events_url":"https://api.github.com/repos/Org1/DH_TESTER/issues/events{/number}","events_url":"https://api.github.com/repos/Org1/DH_TESTER/events","assignees_url":"https://api.github.com/repos/Org1/DH_TESTER/assignees{/user}","branches_url":"https://api.github.com/repos/Org1/DH_TESTER/branches{/branch}","tags_url":"https://api.github.com/repos/Org1/DH_TESTER/tags","blobs_url":"https://api.github.com/repos/Org1/DH_TESTER/git/blobs{/sha}","git_tags_url":"https://api.github.com/repos/Org1/DH_TESTER/git/tags{/sha}","git_refs_url":"https://api.github.com/repos/Org1/DH_TESTER/git/refs{/sha}","trees_url":"https://api.github.com/repos/Org1/DH_TESTER/git/trees{/sha}","statuses_url":"https://api.github.com/repos/Org1/DH_TESTER/statuses/{sha}","languages_url":"https://api.github.com/repos/Org1/DH_TESTER/languages","stargazers_url":"https://api.github.com/repos/Org1/DH_TESTER/stargazers","contributors_url":"https://api.github.com/repos/Org1/DH_TESTER/contributors","subscribers_url":"https://api.github.com/repos/Org1/DH_TESTER/subscribers","subscription_url":"https://api.github.com/repos/Org1/DH_TESTER/subscription","commits_url":"https://api.github.com/repos/Org1/DH_TESTER/commits{/sha}","git_commits_url":"https://api.github.com/repos/Org1/DH_TESTER/git/commits{/sha}","comments_url":"https://api.github.com/repos/Org1/DH_TESTER/comments{/number}","issue_comment_url":"https://api.github.com/repos/Org1/DH_TESTER/issues/comments{/number}","contents_url":"https://api.github.com/repos/Org1/DH_TESTER/contents/{+path}","compare_url":"https://api.github.com/repos/Org1/DH_TESTER/compare/{base}...{head}","merges_url":"https://api.github.com/repos/Org1/DH_TESTER/merges","archive_url":"https://api.github.com/repos/Org1/DH_TESTER/{archive_format}{/ref}","downloads_url":"https://api.github.com/repos/Org1/DH_TESTER/downloads","issues_url":"https://api.github.com/repos/Org1/DH_TESTER/issues{/number}","pulls_url":"https://api.github.com/repos/Org1/DH_TESTER/pulls{/number}","milestones_url":"https://api.github.com/repos/Org1/DH_TESTER/milestones{/number}","notifications_url":"https://api.github.com/repos/Org1/DH_TESTER/notifications{?since,all,participating}","labels_url":"https://api.github.com/repos/Org1/DH_TESTER/labels{/name}","releases_url":"https://api.github.com/repos/Org1/DH_TESTER/releases{/id}","deployments_url":"https://api.github.com/repos/Org1/DH_TESTER/deployments","created_at":1709841354,"updated_at":"2024-03-08T17:54:58Z","pushed_at":1709946519,"git_url":"git://github.com/Org1/DH_TESTER.git","ssh_url":"git@github.com:Org1/DH_TESTER.git","clone_url":"https://github.com/Org1/DH_TESTER.git","svn_url":"https://github.com/Org1/DH_TESTER","homepage":null,"size":18,"stargazers_count":0,"watchers_count":0,"language":"Python","has_issues":true,"has_projects":true,"has_downloads":true,"has_wiki":false,"has_pages":false,"has_discussions":false,"forks_count":0,"mirror_url":null,"archived":false,"disabled":false,"open_issues_count":1,"license":null,"allow_forking":false,"is_template":false,"web_commit_signoff_required":false,"topics":[],"visibility":"private","forks":0,"open_issues":1,"watchers":0,"default_branch":"main","stargazers":0,"master_branch":"main","organization":"Org1","custom_properties":{}},"pusher":{"name":"ExampleUser1","email":"User1@fortinet.com"},"organization":{"login":"Org1","id":23552948,"node_id":"MDEyOk9yZ2FuaXphdGlvbjIzNTUyOTQ4","url":"https://api.github.com/orgs/Org1","repos_url":"https://api.github.com/orgs/Org1/repos","events_url":"https://api.github.com/orgs/Org1/events","hooks_url":"https://api.github.com/orgs/Org1/hooks","issues_url":"https://api.github.com/orgs/Org1/issues","members_url":"https://api.github.com/orgs/Org1/members{/member}","public_members_url":"https://api.github.com/orgs/Org1/public_members{/member}","avatar_url":"https://avatars.githubusercontent.com/u/23552948?v=4","description":null},"enterprise":{"id":132685,"slug":"dh-mei-enterprise","name":"dh-mei-enterprise","node_id":"E_kgDOAAIGTQ","avatar_url":"https://avatars.githubusercontent.com/b/132685?v=4","description":null,"website_url":null,"html_url":"https://github.com/enterprises/dh-mei-enterprise","created_at":"2024-03-07T20:52:55Z","updated_at":"2024-03-07T20:52:57Z"},"sender":{"login":"ExampleUser1","id":23548610,"node_id":"MDQ6VXNlcjIzNTQ4NjEw","avatar_url":"https://avatars.githubusercontent.com/u/23548610?v=4","gravatar_id":"","url":"https://api.github.com/users/ExampleUser1","html_url":"https://github.com/ExampleUser1","followers_url":"https://api.github.com/users/ExampleUser1/followers","following_url":"https://api.github.com/users/ExampleUser1/following{/other_user}","gists_url":"https://api.github.com/users/ExampleUser1/gists{/gist_id}","starred_url":"https://api.github.com/users/ExampleUser1/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/ExampleUser1/subscriptions","organizations_url":"https://api.github.com/users/ExampleUser1/orgs","repos_url":"https://api.github.com/users/ExampleUser1/repos","events_url":"https://api.github.com/users/ExampleUser1/events{/privacy}","received_events_url":"https://api.github.com/users/ExampleUser1/received_events","type":"User","site_admin":false},"created":false,"deleted":false,"forced":false,"base_ref":null,"compare":"https://github.com/Org1/DH_TESTER/compare/dbfa142e6111...ee67c6b54470","commits":[{"id":"ee67c6b544707af0d22f4f901c1cf2d748729fb8","tree_id":"631ce064279a99204114fedab7c40678285e596","distinct":true,"message":"Update new_file_1","timestamp":"2024-03-08T17:08:39-08:00","url":"https://github.com/Org1/DH_TESTER/commit/ee67c6b544707af0d94f4f901c1cf2d748729fb8","author":{"name":"ExampleUser1","email":"User1@fortinet.com","username":"ExampleUser1"},"committer":{"name":"GitHub","email":"noreply@github.com","username":"web-flow"},"added":[],"removed":[],"modified":["new_file_1"]}],"head_commit":{"id":"ee67c6b544707af0d94f4f901c1cf2d748729fb8","tree_id":"631ce064279a989204774fedab7c40678285e596","distinct":true,"message":"Update new_file_1","timestamp":"2024-03-08T17:08:39-08:00","url":"https://github.com/Org1/DH_TESTER/commit/ee67c6b544707af0d94f4f901c1cf2d748729fb8","author":{"name":"ExampleUser1","email":"User1@fortinet.com","username":"ExampleUser1"},"committer":{"name":"GitHub","email":"noreply@github.com","username":"web-flow"},"added":[],"removed":[],"modified":["new_file_1"]}}
    Previous
    Next

    GitHub

    GitHub

    Integration Points

    Protocol Information collected Used for
    GitHub API Logs from the GitHub Service Security and Compliance

    Event Types

    In ADMIN > Device Support > Event Types, search for "GitHub" to see the event types associated with this device.

    Rules

    In RESOURCES > Rules, search for "GitHub" in the main content panel Search... field to see the rules associated with this device.

    Reports

    In RESOURCES > Reports, search for "GitHub" in the main content panel Search... field to see the reports associated with this device.

    Configuration Through API

    Configuring GitHub Server

    Create an account to be used for FortiSIEM communication, followed by the creation of an access token (instructions for creating an access token follow).

    Create Access Token

    Take the following steps to create an Access Token.

    Reference: Instructions for creating a token come from GitHub Docs. See here for more information.

    1. In the upper right corner of any page, click your profile picture.

    2. Click Settings.

    3. In the left panel, click Developer settings, then click Personal access tokens.

    4. Click Generate new token.

    5. Click Generate new token (classic).

    6. In the Note field, enter a descriptive name for your token.

    7. To give your token an expiration, select Expiration, then choose a default option or click Custom to enter a date, or choose No Expiration.

    8. Select the scopes to grant this token. To use your token to access repositories from the command line, select repo. A token with no assigned scopes can only access public information. For more information, see Scopes for OAuth apps. At a minimum, you must select User scope for FortiSIEM.

    9. Click Generate token.

    10. (Optional) To copy the new token to your clipboard, click the copy icon.

    Configuring FortiSIEM

    Use the account in previous step to enable FortiSIEM access.

    1. Login to FortiSIEM.
    2. Go to ADMIN > Setup > Credentials.
    3. In Step 1: Enter Credentials, click New to create a GitHub credential.
    4. Enter these settings in the Access Method Definition dialog box:

      Settings

      Description

      NameEnter a name for the credential
      Device Type GitHub.com GitHub
      Access Protocol GitHub API
      Pull Interval The interval in which FortiSIEM will pull events. Default is 5 minutes.
      Password ConfigSee Password Configuration
      GitHub TokenProvide the GitHub token.
      Organization Choose the Organization if it is an MSP deployment and the same credential has to be used for multiple customers.
      Description Description of the device
    5. In Step 2: Enter IP Range to Credential Associations, click New.
      1. Set IP/Host Name to the IP address of the GitHub Server.
      2. Select the Credential created in steps 3 and 4.
      3. Click Save.
    6. Select the entry in step 3 above and click the Test drop-down list, and select Test Connectivity.
    7. After Test Connectivity succeeds, an entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from GitHub server using the API.

    To test for received GitHub events:

    1. Go to ADMIN > Setup > Pull Events.
    2. Select the GitHub entry and click Report.

    The system will take you to the ANALYTICS tab and run a query to display the events received from GitHub in the last 15 minutes. You can modify the time interval to get more events.

    Configuration Through Webhook

    Prerequisite

    Most applications using webhook push notifications do server TLS certificate validation, which means the target collector must be configured with a public CA signed TLS certificate.

    See How to Set Up a FortiSIEM Collector with a Public SSL/TLS Certificate for configuration information.

    FortiSIEM Setup

    To configure webhook integration, you will need to take the following general steps.

    Create Credential

    Take the following steps to configure a credential for FortiSIEM.

    1. Login to FortiSIEM as an administrator.

    2. Navigate to Admin > Setup > Credentials.

    3. Under Step 1: Enter Credentials, click New.

    4. In the Access Method Definition window, input the following:

      1. In the Name field, enter the name of the credential. This serves as the basis of the target endpoint created.

      2. From the Device Type drop-down list, select GitHub.com GitHub.

      3. From the Access Protocol drop-down list, select Webhook.

      4. In the Separator field, leave the default as "\n" to separate the payload. The "\n" is the newline linefeed and means that each line in the response is treated as a new log.

      5. In the Receiver FQDN field, enter the FQDN of the FortiSIEM node. This field expects the FQDN or IP address of the FortiSIEM collector that will be receiving the webhook traffic. This is used to help dynamically generate an endpoint configuration for you. This should ideally be the FQDN of the collector from the sending application's perspective. For example, if this is a SaaS application on the public internet, this will be a public FQDN, e.g. collector01.example.com.

      6. In the Reporting Host Name field, enter "GitHub.com". This field expects the source hostname of the sending application. It is used to uniquely identify the logs as it will be in the header of every log. You can use something like example.com if example.com was the vendor's domain.

      7. Endpoint is the dynamically generated webhook endpoint based on the receiver FQDN. This makes it easier to paste this URL as the target of your webhooks in the client application.

      8. From the Auth Type drop-down list, select HMAC. HMAC uses a shared secret to create a hash signature with each payload from the HTTP request and then compares the value of the header/parameter in the HTTP request. It is client application dependent on whether they pass the hash in a specific HTTP header value, or an HTTP url parameter. After selecting HMAC, take the following steps.

      9. From the Algorithm drop-down list, select SHA-256.

      10. In the Shared Secret field, enter the shared secret.

      11. From the Auth Part drop-down list, select Header.

      12. In the Header Name field, enter "X-Hub-Signature-256".

      13. Click Save and Deploy.

      14. Click Edit to return to the webhook configuration you just saved. From the Endpoint row, copy the URL. This URL will be needed to configure webhook in GitHub Setup.

    GitHub Setup

    Documentation Reference: https://docs.github.com/en/webhooks/using-webhooks/creating-webhooks

    First, ensure the Prerequisite is complete. Take the following steps to configure webhook for GitHub.

    1. On GitHub.com, navigate to your repository, click Settings and from the left sidebar, click Webhooks.

    2. Click Add webhook.

    3. Under Payload URL, enter/paste the URL of the webhook endpoint. You should have this information from your FortiSIEM configuration when you copied the URL from the Endpoint row.

      It will be in the following format:

      https://<FortiSIEM_Node_IP>/webhook/<FortiSIEM_Credential_NAME>

    4. From the Content type drop-down list, select application/json.

    5. Under Secret, enter a string to use as a secret. This secret token should be the same as the shared secret in your FortiSIEM configuration.

    6. (Optional) Clear the Enable SSL verification checkbox to disable SSL verification.

      If you would like to leave SSL verification enabled, you must ensure the target FortiSIEM collector, or target device terminating the TLS connection is using a public CA signed TLS/SSL certificate.

      Note: If Enable SSL verification is enabled, ensure the collector is setup with a valid TLS certificate. See the Prerequisite for more information.

    7. Under "Which events would you like to trigger this webhook?", select the webhook events that you want to receive. You should only subscribe to the webhook events that you need. If you choose Let me select individual events, select the events that you want to trigger the webhook.

    8. To make the webhook active immediately after adding the configuration, select Active.

    9. Click Add webhook.

    Checking for Events

    Events can be queried from the Analytics page, using github- as part of a Raw Event Log search. Make sure GitHub Setup is completed before proceeding with your check for events.

    From the FortiSIEM GUI, take the following steps.

    1. Navigate to Analytics >Search.

    2. Click Edit Filters and Time Range.....

    3. In Filter By, select the Event Attribute tab.

    4. Enter/select the following:
      Attribute = Raw Event Log, Operator = CONTAIN, Value = github-

    5. Click Apply & Run.

    Sample Event Type 

    [PH_DEV_MON_CUSTOM_JSON]:[reptVendor]=GitHub.com,[reptModel]=GitHub,[reptDevName]=GitHub.com,[reptDevIpAddr]=1.1.1.1,[keyword]=push,[json]={"ref":"refs/heads/main","before":"dbfa142e611116231117ec45255c79d53e53929e","after":"ee67c6b544707af0d94f41111c1cf2d748729fb8","repository":{"id":768823079,"node_id":"R_kgDOLdNPJw","name":"DH_TESTER","full_name":"Org1/DH_TESTER","private":true,"owner":{"name":"Org1","email":null,"login":"Org1","id":23552948,"node_id":"MDEyOk9xx2FuaXphdGlvbjIzNTUyOTQ4","avatar_url":"https://avatars.githubusercontent.com/u/23552948?v=4","gravatar_id":"","url":"https://api.github.com/users/Org1","html_url":"https://github.com/Org1","followers_url":"https://api.github.com/users/Org1/followers","following_url":"https://api.github.com/users/Org1/following{/other_user}","gists_url":"https://api.github.com/users/Org1/gists{/gist_id}","starred_url":"https://api.github.com/users/Org1/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/Org1/subscriptions","organizations_url":"https://api.github.com/users/Org1/orgs","repos_url":"https://api.github.com/users/Org1/repos","events_url":"https://api.github.com/users/Org1/events{/privacy}","received_events_url":"https://api.github.com/users/Org1/received_events","type":"Organization","site_admin":false},"html_url":"https://github.com/Org1/DH_TESTER","description":"DH_TEsTER","fork":false,"url":"https://github.com/Org1/DH_TESTER","forks_url":"https://api.github.com/repos/Org1/DH_TESTER/forks","keys_url":"https://api.github.com/repos/Org1/DH_TESTER/keys{/key_id}","collaborators_url":"https://api.github.com/repos/Org1/DH_TESTER/collaborators{/collaborator}","teams_url":"https://api.github.com/repos/Org1/DH_TESTER/teams","hooks_url":"https://api.github.com/repos/Org1/DH_TESTER/hooks","issue_events_url":"https://api.github.com/repos/Org1/DH_TESTER/issues/events{/number}","events_url":"https://api.github.com/repos/Org1/DH_TESTER/events","assignees_url":"https://api.github.com/repos/Org1/DH_TESTER/assignees{/user}","branches_url":"https://api.github.com/repos/Org1/DH_TESTER/branches{/branch}","tags_url":"https://api.github.com/repos/Org1/DH_TESTER/tags","blobs_url":"https://api.github.com/repos/Org1/DH_TESTER/git/blobs{/sha}","git_tags_url":"https://api.github.com/repos/Org1/DH_TESTER/git/tags{/sha}","git_refs_url":"https://api.github.com/repos/Org1/DH_TESTER/git/refs{/sha}","trees_url":"https://api.github.com/repos/Org1/DH_TESTER/git/trees{/sha}","statuses_url":"https://api.github.com/repos/Org1/DH_TESTER/statuses/{sha}","languages_url":"https://api.github.com/repos/Org1/DH_TESTER/languages","stargazers_url":"https://api.github.com/repos/Org1/DH_TESTER/stargazers","contributors_url":"https://api.github.com/repos/Org1/DH_TESTER/contributors","subscribers_url":"https://api.github.com/repos/Org1/DH_TESTER/subscribers","subscription_url":"https://api.github.com/repos/Org1/DH_TESTER/subscription","commits_url":"https://api.github.com/repos/Org1/DH_TESTER/commits{/sha}","git_commits_url":"https://api.github.com/repos/Org1/DH_TESTER/git/commits{/sha}","comments_url":"https://api.github.com/repos/Org1/DH_TESTER/comments{/number}","issue_comment_url":"https://api.github.com/repos/Org1/DH_TESTER/issues/comments{/number}","contents_url":"https://api.github.com/repos/Org1/DH_TESTER/contents/{+path}","compare_url":"https://api.github.com/repos/Org1/DH_TESTER/compare/{base}...{head}","merges_url":"https://api.github.com/repos/Org1/DH_TESTER/merges","archive_url":"https://api.github.com/repos/Org1/DH_TESTER/{archive_format}{/ref}","downloads_url":"https://api.github.com/repos/Org1/DH_TESTER/downloads","issues_url":"https://api.github.com/repos/Org1/DH_TESTER/issues{/number}","pulls_url":"https://api.github.com/repos/Org1/DH_TESTER/pulls{/number}","milestones_url":"https://api.github.com/repos/Org1/DH_TESTER/milestones{/number}","notifications_url":"https://api.github.com/repos/Org1/DH_TESTER/notifications{?since,all,participating}","labels_url":"https://api.github.com/repos/Org1/DH_TESTER/labels{/name}","releases_url":"https://api.github.com/repos/Org1/DH_TESTER/releases{/id}","deployments_url":"https://api.github.com/repos/Org1/DH_TESTER/deployments","created_at":1709841354,"updated_at":"2024-03-08T17:54:58Z","pushed_at":1709946519,"git_url":"git://github.com/Org1/DH_TESTER.git","ssh_url":"git@github.com:Org1/DH_TESTER.git","clone_url":"https://github.com/Org1/DH_TESTER.git","svn_url":"https://github.com/Org1/DH_TESTER","homepage":null,"size":18,"stargazers_count":0,"watchers_count":0,"language":"Python","has_issues":true,"has_projects":true,"has_downloads":true,"has_wiki":false,"has_pages":false,"has_discussions":false,"forks_count":0,"mirror_url":null,"archived":false,"disabled":false,"open_issues_count":1,"license":null,"allow_forking":false,"is_template":false,"web_commit_signoff_required":false,"topics":[],"visibility":"private","forks":0,"open_issues":1,"watchers":0,"default_branch":"main","stargazers":0,"master_branch":"main","organization":"Org1","custom_properties":{}},"pusher":{"name":"ExampleUser1","email":"User1@fortinet.com"},"organization":{"login":"Org1","id":23552948,"node_id":"MDEyOk9yZ2FuaXphdGlvbjIzNTUyOTQ4","url":"https://api.github.com/orgs/Org1","repos_url":"https://api.github.com/orgs/Org1/repos","events_url":"https://api.github.com/orgs/Org1/events","hooks_url":"https://api.github.com/orgs/Org1/hooks","issues_url":"https://api.github.com/orgs/Org1/issues","members_url":"https://api.github.com/orgs/Org1/members{/member}","public_members_url":"https://api.github.com/orgs/Org1/public_members{/member}","avatar_url":"https://avatars.githubusercontent.com/u/23552948?v=4","description":null},"enterprise":{"id":132685,"slug":"dh-mei-enterprise","name":"dh-mei-enterprise","node_id":"E_kgDOAAIGTQ","avatar_url":"https://avatars.githubusercontent.com/b/132685?v=4","description":null,"website_url":null,"html_url":"https://github.com/enterprises/dh-mei-enterprise","created_at":"2024-03-07T20:52:55Z","updated_at":"2024-03-07T20:52:57Z"},"sender":{"login":"ExampleUser1","id":23548610,"node_id":"MDQ6VXNlcjIzNTQ4NjEw","avatar_url":"https://avatars.githubusercontent.com/u/23548610?v=4","gravatar_id":"","url":"https://api.github.com/users/ExampleUser1","html_url":"https://github.com/ExampleUser1","followers_url":"https://api.github.com/users/ExampleUser1/followers","following_url":"https://api.github.com/users/ExampleUser1/following{/other_user}","gists_url":"https://api.github.com/users/ExampleUser1/gists{/gist_id}","starred_url":"https://api.github.com/users/ExampleUser1/starred{/owner}{/repo}","subscriptions_url":"https://api.github.com/users/ExampleUser1/subscriptions","organizations_url":"https://api.github.com/users/ExampleUser1/orgs","repos_url":"https://api.github.com/users/ExampleUser1/repos","events_url":"https://api.github.com/users/ExampleUser1/events{/privacy}","received_events_url":"https://api.github.com/users/ExampleUser1/received_events","type":"User","site_admin":false},"created":false,"deleted":false,"forced":false,"base_ref":null,"compare":"https://github.com/Org1/DH_TESTER/compare/dbfa142e6111...ee67c6b54470","commits":[{"id":"ee67c6b544707af0d22f4f901c1cf2d748729fb8","tree_id":"631ce064279a99204114fedab7c40678285e596","distinct":true,"message":"Update new_file_1","timestamp":"2024-03-08T17:08:39-08:00","url":"https://github.com/Org1/DH_TESTER/commit/ee67c6b544707af0d94f4f901c1cf2d748729fb8","author":{"name":"ExampleUser1","email":"User1@fortinet.com","username":"ExampleUser1"},"committer":{"name":"GitHub","email":"noreply@github.com","username":"web-flow"},"added":[],"removed":[],"modified":["new_file_1"]}],"head_commit":{"id":"ee67c6b544707af0d94f4f901c1cf2d748729fb8","tree_id":"631ce064279a989204774fedab7c40678285e596","distinct":true,"message":"Update new_file_1","timestamp":"2024-03-08T17:08:39-08:00","url":"https://github.com/Org1/DH_TESTER/commit/ee67c6b544707af0d94f4f901c1cf2d748729fb8","author":{"name":"ExampleUser1","email":"User1@fortinet.com","username":"ExampleUser1"},"committer":{"name":"GitHub","email":"noreply@github.com","username":"web-flow"},"added":[],"removed":[],"modified":["new_file_1"]}}
    Previous
    Next