QUESTION

I'm building a detection for specific topics (or labels) that have been added to GitHub repos. When a topic is added to a repo, it is captured as action = repo.add_topic. However, for subsequent GitHub Logs, that topic is lost and not preserved. How can I capture repo.add_topic events in GitHub Audit Logs with Panther?

ANSWER

This can be done using Panther's caching feature. See Panther's Stateful Detections (Caching) documentation for more information. With caching, detected topic values can be stored and retrieved in later detections. However, this data will not be available in the data lake. This solution is suitable for detections only and does not support querying.

How caching will work with the detection:

  1. Storing the Topic: Whenever Panther detects an event where a topic is added to a repo (action = repo.add_topic), the detection can use Panther's stateful caching helpers to store the topic and the associated repo in the Panther-hosted DynamoDB table.

  2. Subsequent Events: With the caching set up, Panther can store the topics from previous events. Therefore, when you encounter subsequent logs related to the same repo, you can use the cached topic information from DynamoDB to “enrich” these logs with the relevant topic field.

  3. Detection Rules: With the enriched logs containing the topic information, you can then build your detection rules based on these topics. For instance, you could create rules to alert you whenever certain specific topics are added to repos, enabling you to monitor and respond to changes effectively.
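The three steps above as one rule, written as an added example rather than Panther's own code. It assumes the GitHub audit log fields are named `action`, `repo` and `topic`, that the watched topics and the later actions worth alerting on are the placeholder values shown, and it replaces the Panther-hosted helpers (`add_to_string_set` / `get_string_set` from `panther_detection_helpers.caching`) with an in-memory stand-in so it runs offline:

```python
from typing import Dict, List, Set

# In-memory stand-in for Panther's DynamoDB-backed string-set helpers
# (panther_detection_helpers.caching.add_to_string_set / get_string_set);
# a deployed rule imports those instead of defining its own.
_CACHE: Dict[str, Set[str]] = {}

def add_to_string_set(key: str, val: str) -> None:
    _CACHE.setdefault(key, set()).add(val)

def get_string_set(key: str) -> Set[str]:
    return set(_CACHE.get(key, set()))

# Assumed values: topics worth tracking and later actions worth alerting on
WATCHED_TOPICS = {"pci", "production"}
SENSITIVE_ACTIONS = {"repo.access", "protected_branch.destroy", "repo.transfer"}

def _cache_key(repo: str) -> str:
    return f"github:repo-topics:{repo}"

def enrich(event: dict) -> Set[str]:
    """Topics previously cached for this event's repo (empty set if none)."""
    return get_string_set(_cache_key(event.get("repo", "")))

def rule(event: dict) -> bool:
    action, repo = event.get("action"), event.get("repo")
    if not repo:
        return False
    if action == "repo.add_topic":
        # Step 1: persist the topic so later events on this repo can be enriched.
        topic = event.get("topic", "")
        add_to_string_set(_cache_key(repo), topic)
        return topic in WATCHED_TOPICS
    # Steps 2 and 3: enrich any other event from the cache and alert only
    # when the repo carries a watched topic.
    return action in SENSITIVE_ACTIONS and bool(enrich(event) & WATCHED_TOPICS)

# Constructed sample events, in the order Panther would see them
SAMPLE_EVENTS = [
    {"action": "repo.add_topic", "repo": "acme/payments", "topic": "pci"},
    {"action": "repo.access", "repo": "acme/payments"},
    {"action": "repo.access", "repo": "acme/website"},
    {"action": "repo.add_topic", "repo": "acme/website", "topic": "docs"},
]

def run_events(events: List[dict] = SAMPLE_EVENTS) -> List[bool]:
    # Evaluate events in order against a fresh cache; returns each rule() result.
    _CACHE.clear()
    return [rule(e) for e in events]
```

The cache entry is keyed per repo, so the same `repo.access` event alerts for `acme/payments` (tagged `pci`) but not for `acme/website`, which has no watched topic cached.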