Minimum permissions to facilitate log ingestion

MohammedKhanIUK · ‎09-26-2024

Hi all,

I was wanting to get an understanding on what the minimum permissions available to enable the log flow between GitHub and Splunk cloud, as going by the documentation for the app, the account used to pull in the logs requires :
admin:enterprise Full control of enterprises
manage_billing:enterprise Read and write enterprise billing data
read:enterprise Read enterprise profile data

Can we reduce the amount of high privileged permissions required for the integration ?

sainag_splunk · ‎09-26-2024

I know for configuring all the audit events related to Github Enterprise and Github Organization from GitHub Cloud via modinputwith Account Type = Organization.
the Personal Access Token also needs the granted access - "admin:org".

MohammedKhanIUK · ‎09-26-2024

Can the permissions be limited to specific capabilities aside from admin:org for audit events? Or is that a fundamental requirement to pull in audit logs?

sainag_splunk · ‎09-26-2024

@MohammedKhanIUK I believe that's the requirement.

NOTE: To collect the audit-logs, the user should have admin access of the organization/enterprise and read:audit_log scope for the Personal Access Token.

https://docs.splunk.com/Documentation/AddOns/released/Github/Configureinputs

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Minimum permissions to facilitate log ingestion

inputs.conf

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk