splunk · derkkila-splunk · Dec 7, 2021 · Dec 1, 2021 · Dec 1, 2021 · Dec 2, 2021
diff --git a/README.md b/README.md
@@ -7,7 +7,7 @@ This App is designed to work across multiple GitHub data sources however not all
 The GitHub App for Splunk is designed to work with the following data sources:
 
 * [GitHub Audit Log Monitoring Add-On For Splunk](./docs/ghe_audit_logs.MD): Audit logs from GitHub Enterprise Cloud.
-* [Github.com Webhooks](./docs/github_webhooks.MD): A select set of webhook events like Push, PullRequest, and Repo.
+* [Github.com Webhooks](./docs/github_webhooks.MD): A select set of webhook events like Push, PullRequest, Code Scanning and Repo.
 * [Github Enterprise Server Syslog Forwarder](./docs/ghes_syslog_setup.MD): Audit and Application logs from Github Enterprise Server.
 * [Github Enterprise Collectd monitoring](./docs/splunk_collectd_forwarding_for_ghes.MD): Performance and Infrastructure metrics from Github Enterprise Server.
 
@@ -37,6 +37,9 @@ There is an *Integration Overview* dashboard listed under *Dashboards* that allo
 <details>
   <summary>Expand for screenshots</summary>
 
+#### Code Scanning Alerts
+  ![Code Scanning Dashboard](./docs/images/code_scanning_dashboard.png)
+
 #### Audit Log Dashboard
 
   ![Audit Log Dashboard](./docs/images/9F8E9A89-1203-4C0A-B227-C2FD1E17C8B0.jpg)

diff --git a/docs/github_webhooks.MD b/docs/github_webhooks.MD
@@ -64,4 +64,10 @@ Once that is complete and webhooks are triggering, you'll want to update the mac
 <td>Pull request reviews</td>
 <td>Pull request review submitted, edited, or dismissed.</td>
 </tr>
+<tr>
+<td>GitHub::CodeScanning</td>
+<td>Code scanning alerts</td>
+<td>Alerts identified by CodeQL and other 3rd party/OSS scanning tools.</td>
+</tr>
+
 </table>
diff --git a/docs/images/code_scanning_dashboard.png b/docs/images/code_scanning_dashboard.png
diff --git a/github_app_for_splunk/README.md b/github_app_for_splunk/README.md
@@ -1,13 +1,13 @@
 # GitHub App for Splunk
 
-The GitHub App for Splunk is a collection of out of the box dashboards and Splunk knowledge objects designed to give GitHub Admins and platform owners immediate visibility into GitHub.
+The GitHub App for Splunk is a collection of out of the box dashboards and Splunk knowledge objects designed to give GitHub Admins, platform owners, and Security Engineers immediate visibility into GitHub.
 
 This App is designed to work across multiple GitHub data sources however not all all required. You may choose to only collect a certain set of data and the parts of this app that utilize that set will function, while those that use other data sources will not function correctly, so please only use the Dashboards that relate to the data you are collecting.
 
 The GitHub App for Splunk is designed to work with the following data sources:
 
 * [GitHub Audit Log Monitoring Add-On For Splunk](./docs/ghe_audit_logs.MD): Audit logs from GitHub Enterprise Cloud.
-* [Github.com Webhooks]((./docs/github_webhooks.MD)): A select set of webhook events like Push, PullRequest, and Repo.
+* [Github.com Webhooks]((./docs/github_webhooks.MD)): A select set of webhook events like Push, PullRequest, Repo, and Code Scanning alerts.
 * [GitHub Enterprise Server Syslog Forwarder](https://docs.github.com/en/enterprise-server@3.0/admin/user-management/monitoring-activity-in-your-enterprise/log-forwarding): Audit and Application logs from GitHub Enterprise Server.
 * [GitHub Enterprise Collectd monitoring](./docs/splunk_collectd_forwarding_for_ghes.MD): Performance and Infrastructure metrics from GitHub Enterprise Server.
 

diff --git a/github_app_for_splunk/default/data/ui/nav/default.xml b/github_app_for_splunk/default/data/ui/nav/default.xml
@@ -8,8 +8,9 @@
     <view name="repository_audit" />
     <view name="user_audit" />
   </collection>
-  <collection label="Security">
+  <collection label="Advanced Security">
     <view name="security_alert_overview" />
+    <view name="code_scanning_overview" />
   </collection>
   <collection label="Developer Insights">
     <view name="value_stream_analytics" />

diff --git a/github_app_for_splunk/default/data/ui/views/code_scanning_overview.xml b/github_app_for_splunk/default/data/ui/views/code_scanning_overview.xml
@@ -0,0 +1,192 @@
+<form theme="light">
+  <label>Code Scanning Alerts</label>
+  <search id="baseSearch">
+    <query>
+      `github_webhooks` (eventtype="GitHub::CodeScanning" OR eventtype="GitHub::Push") | eval action='action', tool=if(isnotnull('alert.tool.name'),'alert.tool.name','unknown'), repository=if(isnotnull('repository.name'),'repository.name','unknown'), severity=if(isnotnull('alert.rule.security_severity_level'),'alert.rule.security_severity_level','none'), create_time=if(isnotnull('alert.created_at'),'alert.created_at','unknown'), received_time='_time', alert_url=if(isnotnull('alert.html_url'),'alert.html_url','unknown'), eventtype='eventtype', created=strptime(create_time, "%Y-%m-%dT%H:%M:%S%Z"), duration=received_time - created, duration_str=tostring(avg(duration), "duration")
+    </query>
+    <earliest>$timeTkn.earliest$</earliest>
+    <latest>$timeTkn.latest$</latest>
+    <sampleRatio>1</sampleRatio>
+  </search>
+  <fieldset submitButton="false" autoRun="true">
+    <input type="time" token="timeTkn" searchWhenChanged="true">
+      <label>Time Range</label>
+      <default>
+        <earliest>-24h@h</earliest>
+        <latest>now</latest>
+      </default>
+    </input>
+    <input type="multiselect" token="tool_name" searchWhenChanged="true">
+      <label>Tool</label>
+      <fieldForLabel>tool</fieldForLabel>
+      <fieldForValue>tool</fieldForValue>
+      <valuePrefix>"</valuePrefix>
+      <valueSuffix>"</valueSuffix>
+      <search base="baseSearch">
+        <query>| table tool | dedup tool</query>
+      </search>
+      <choice value="*">All</choice>
+      <default>*</default>
+      <initialValue>*</initialValue>
+    </input>
+    <input type="multiselect" token="repoTkn" searchWhenChanged="true">
+      <label>Repositories</label>
+      <choice value="*">All</choice>
+      <default>*</default>
+      <initialValue>*</initialValue>
+      <valuePrefix>"</valuePrefix>
+      <valueSuffix>"</valueSuffix>
+      <delimiter>,</delimiter>
+      <fieldForLabel>repository</fieldForLabel>
+      <fieldForValue>repository</fieldForValue>
+      <search base="baseSearch">
+        <query>| dedup repository | table repository</query>
+      </search>
+    </input>
+  </fieldset>
+  <row>
+    <panel>
+      <single>
+        <title>Created</title>
+        <search base="baseSearch">
+          <query>| search tool=$tool_name$ repository=$repoTkn$ action="created" | stats count</query>
+        </search>
+        <option name="drilldown">none</option>
+        <option name="height">50</option>
+        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
+        <option name="refresh.display">progressbar</option>
+      </single>
+    </panel>
+    <panel>
+      <single>
+        <title>Fixed</title>
+        <search base="baseSearch">
+          <query>| search tool=$tool_name$ repository=$repoTkn$ action="fixed" | stats count</query>
+        </search>
+        <option name="drilldown">none</option>
+        <option name="height">50</option>
+        <option name="refresh.display">progressbar</option>
+      </single>
+    </panel>
+    <panel>
+      <single>
+        <title>Reopened</title>
+        <search base="baseSearch">
+          <query>| search tool=$tool_name$ repository=$repoTkn$ action="reopened" | stats count</query>
+        </search>
+        <option name="drilldown">none</option>
+        <option name="height">50</option>
+        <option name="refresh.display">progressbar</option>
+      </single>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <chart>
+        <title>Alert Found/Fixed Ratio</title>
+        <search base="baseSearch">
+          <query>| search tool=$tool_name$ repository=$repoTkn$ (action=created OR action=fixed)
+| timechart count(_raw)  by action 
+| accum created
+| accum fixed 
+| rename created as "Found" 
+| rename fixed as "Fixed"</query>
+        </search>
+        <option name="charting.axisTitleX.visibility">collapsed</option>
+        <option name="charting.chart">line</option>
+        <option name="charting.drilldown">none</option>
+        <option name="refresh.display">progressbar</option>
+        <option name="height">150</option>
+      </chart>
+    </panel>
+    <panel>
+      <chart>
+        <title>Commit/Alert Ratio</title>
+        <search base="baseSearch">
+          <query>| search  (eventtype="GitHub::Push" repository=$repoTkn$) OR ((action=created OR action=reopened) tool=$tool_name$ repository=$repoTkn$ )
+| timechart count(_raw)  by eventtype
+| accum "GitHub::Push"
+| accum "GitHub::CodeScanning"
+| rename GitHub::Push as "Pushes"
+| rename GitHub::CodeScanning as "Code Scanning Alerts"</query>
+        </search>
+        <option name="charting.axisTitleX.visibility">collapsed</option>
+        <option name="charting.axisY.scale">log</option>
+        <option name="charting.axisY2.enabled">1</option>
+        <option name="charting.chart">line</option>
+        <option name="charting.chart.overlayFields">DC_cumulative</option>
+        <option name="charting.drilldown">none</option>
+        <option name="charting.legend.mode">standard</option>
+        <option name="height">150</option>
+        <option name="refresh.display">progressbar</option>
+      </chart>
+    </panel>
+    <panel>
+      <chart>
+        <title>New Alerts by Tool</title>
+        <search base="baseSearch">
+          <query>| search tool=$tool_name$ repository=$repoTkn$ (action=created OR action=appeared_in_branch) | timechart count(_raw)  by tool</query>
+        </search>
+        <option name="charting.chart">column</option>
+        <option name="charting.chart.stackMode">stacked</option>
+        <option name="charting.drilldown">none</option>
+        <option name="height">150</option>
+        <option name="refresh.display">progressbar</option>
+      </chart>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <table>
+        <title>Fixed Alerts</title>
+        <search base="baseSearch">
+          <query> | search (action=fixed OR action=closed_by_user) repository=$repoTkn$ tool=$tool_name$
+| table repository, tool, alert_url,duration_str
+| rename repository AS "Repository" duration_str AS "Time to Resolution",tool AS "Tool", alert_url AS "Alert URL" 
+| sort -"Time to Resolution"
+          </query>
+        </search>
+        <option name="drilldown">none</option>
+      </table>
+    </panel>
+  </row>
+  <row>
+    <panel>
+      <table>
+        <title>Alerts by Severity</title>
+        <search base="baseSearch">
+          <query>| search (action=created OR action=reopened) repository=$repoTkn$ tool=$tool_name$ | chart usenull=f count  over repository by severity</query>
+        </search>
+        <option name="drilldown">none</option>
+        <format type="color" field="critical">
+          <colorPalette type="minMidMax" maxColor="#DC4E41" minColor="#FFFFFF"></colorPalette>
+          <scale type="minMidMax"></scale>
+        </format>
+        <format type="color" field="high">
+          <colorPalette type="minMidMax" maxColor="#F8BE34" minColor="#FFFFFF"></colorPalette>
+          <scale type="minMidMax"></scale>
+        </format>
+        <format type="color" field="medium">
+          <colorPalette type="minMidMax" maxColor="#62B3B2" minColor="#FFFFFF"></colorPalette>
+          <scale type="minMidMax"></scale>
+        </format>
+      </table>
+    </panel>
+    <panel>
+      <table>
+        <title>Alerts by Repo</title>
+        <search base="baseSearch">
+          <query>| search (action=created OR action=reopened)  repository=$repoTkn$ tool=$tool_name$| chart usenull=f count over repository by tool</query>
+        </search>
+        <option name="drilldown">none</option>
+        <option name="percentagesRow">false</option>
+        <option name="refresh.display">progressbar</option>
+        <option name="totalsRow">false</option>
+        <format type="color" field="repository.name">
+          <colorPalette type="minMidMax" maxColor="#53A051" minColor="#FFFFFF"></colorPalette>
+          <scale type="minMidMax"></scale>
+        </format>
+      </table>
+    </panel>
+  </row>
+</form>
diff --git a/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml b/github_app_for_splunk/default/data/ui/views/security_alert_overview.xml
@@ -1,8 +1,8 @@
 <form>
-  <label>Security Alert Overview</label>
+  <label>Advanced Security Overview</label>
   <search id="baseSearch">
     <query>
-      index="github_webhook" alert.created_at=* | eval reason=if(isnotnull('alert.affected_package_name'),'alert.affected_package_name','alert.rule.name'), id=if(isnotnull('alert.external_identifier'),'alert.external_identifier','alert.rule.id'), severity=if(isnotnull('alert.severity'),'alert.severity','alert.rule.security_severity_level'), type=if(isnotnull('alert.external_identifier'),"vulnerability alert","code scanning alert") | stats latest(action) as status, earliest(alert.created_at) as created_at by repository.name, reason, id, type, severity | eval age = toString(round(now() - strptime(created_at, "%Y-%m-%dT%H:%M:%S")),"Duration")
+      `github_webhooks` alert.created_at=* | eval reason=if(isnotnull('alert.affected_package_name'),'alert.affected_package_name','alert.rule.name'), id=if(isnotnull('alert.external_identifier'),'alert.external_identifier','alert.rule.id'), severity=if(isnotnull('alert.severity'),'alert.severity','alert.rule.security_severity_level'), type=if(isnotnull('alert.external_identifier'),"Dependabot Alert","Code Scanning Alert") | stats latest(action) as status, earliest(alert.created_at) as created_at by repository.name, reason, id, type, severity | eval age = toString(round(now() - strptime(created_at, "%Y-%m-%dT%H:%M:%S")),"Duration")
     </query>
     <earliest>$timeTkn.earliest$</earliest>
     <latest>$timeTkn.latest$</latest>

diff --git a/github_app_for_splunk/default/data/ui/views/webhook_config.xml b/github_app_for_splunk/default/data/ui/views/webhook_config.xml
@@ -64,6 +64,12 @@
             <td>Pull request reviews</td>
             <td>Pull request review submitted, edited, or dismissed.</td>
           </tr>
+          <tr>
+            <td>GitHub::CodeScanning</td>
+            <td>Code Scanning alerts</td>
+            <td>Alert created, fixed, reopened, appeared in branch, closed by user, or reopened by user.</td>
+          </tr>
+
         </table>
       </html>
     </panel>

diff --git a/github_app_for_splunk/default/data/ui/views/welcome_page.xml b/github_app_for_splunk/default/data/ui/views/welcome_page.xml
@@ -39,6 +39,9 @@
               <li>The "Enterprise Server Monitor" drop down has several dashboards that report on the health and performance of your GHES environment</li>
               <li>"Audit" drop down works for GHES as well as GitHub.com audit logs</li>
               <li>The <a href="alerts">Alerts</a> menu item contains all GitHub recommended alerts</li>
+              <li><a href="audit_log_activity">Audit Log Activity</a> provides a highlevel overview of what activity is going on in GitHub.</li>
+              <li><a href="repository_audit">Repository Audit</a> lets you review changes to individual or groups of repositories </li>
+              <li><a href="user_audit">User Change Audit</a> is the best place to review actions taken by or made to individual users.</li>
             </ol>
           </p>
         </div>  
@@ -55,13 +58,12 @@
           }
         </style>
         <div>
-          <h2><b>Audit and Security</b></h2>
+          <h2><b>GitHub Advanced Security</b></h2>
           <p>
-            Security users will probably be most interested in the Audit dashboards
+            Open Source repositories and customers of GitHub Advanced Security have access to application security tooling such as Code Scanning, Secret Scanning, and Dependency Review.
             <ol>
-              <li><a href="audit_log_activity">Audit Log Activity</a> provides a highlevel overview of what activity is going on in GitHub.</li>
-              <li><a href="repository_audit">Repository Audit</a> lets you review changes to individual or groups of repositories </li>
-              <li><a href="user_audit">User Change Audit</a> is the best place to review actions taken by or made to individual users.</li>
+              <li>The <a href="security_alert_overview"> Advanced Security Overview</a> dashboard gives insight into the security posture of your GitHub Organization</li>
+              <li>The <a href="code_scanning_overview"> Code Scanning</a> dashboard gives you access to alerts created by Code Scanning within your Organization</li>
             </ol>
           </p>
         </div>  
@@ -85,7 +87,7 @@
             GitHub has several ways to collect data from their services depending on your needs. Information is available within the App on how to collect different types of data from GitHub:
             <ol>
               <li><a href="api_config">Audit Log</a> data is available through a Splunk Add-On</li>
-              <li><a href="webhook_config">Rich commit and pull request</a> data is available through GitHub Webhooks</li>
+              <li><a href="webhook_config">Rich commit, pull request, and Code Scanning</a> data is available through GitHub Webhooks</li>
             </ol>
           </p>
         </div>  

diff --git a/github_app_for_splunk/default/eventtypes.conf b/github_app_for_splunk/default/eventtypes.conf
@@ -27,3 +27,6 @@ search = `github_webhooks`  action IN ("created","edited","moved","deleted") "pr
 
 [GitHub::Workflow]
 search = `github_webhooks` action IN ("queued","created","started","completed") workflow_job.id=*
+
+[GitHub::CodeScanning]
+search = `github_webhooks` action IN ("appeared_in_branch", "closed_by_user", "created", "fixed", "reopened", "reopened_by_user") "alert.created_at"=*
diff --git a/github_app_for_splunk/default/props.conf b/github_app_for_splunk/default/props.conf
@@ -29,7 +29,7 @@ disabled = false
 pulldown_type = 1
 
 [github_json]
-DATETIME_CONFIG =
+DATETIME_CONFIG = CURRENT
 LINE_BREAKER = ([\r\n]+)
 NO_BINARY_CHECK = true
 TRUNCATE = 250000