improvements

Author: Patrick Bareiss

data_sources/github.yml …sources/github_enterprise_audit_logs.ymldata_sources/github.yml renamed to data_sources/github_enterprise_audit_logs.yml data_sources/github.yml renamed to data_sources/github_enterprise_audit_logs.yml

@@ -1,4 +1,4 @@
-name: GitHub
+name: GitHub Enterprise Audit Logs
 id: 8a4d656f-8801-4a2c-ae10-553d2696a59f
 version: 1
 date: '2025-01-15'

…ions/cloud/github_disable_dependabot.yml …github_enterprise_disable_dependabot.ymldetections/cloud/github_disable_dependabot.yml renamed to detections/cloud/github_enterprise_disable_dependabot.yml detections/cloud/github_disable_dependabot.yml renamed to detections/cloud/github_enterprise_disable_dependabot.yml

@@ -1,4 +1,4 @@
-name: GitHub Disable Dependabot
+name: GitHub Enterprise Disable Dependabot
 id: 787dd1c1-eb3a-4a31-8e8c-2ad24b214bc8
 version: 1
 date: '2025-01-14'
@@ -19,7 +19,7 @@ search: '`github_enterprise` action=repository_vulnerability_alerts.disable
   | stats count min(_time) as firstTime max(_time) as lastTime by actor, actor_id, actor_ip, actor_is_bot, actor_location.country_code, business, business_id, org, org_id, repo, repo_id, user, user_agent, user_id, action
   | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
   | `github_disable_dependabot_filter`'
-how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk .
+how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
 known_false_positives: unknown
 references:
 - https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610

macros/github_enterprise.yml

@@ -1,4 +1,4 @@
-definition: sourcetype=github:cloud:audit
+definition: source=http:github sourcetype=httpevent
 description: customer specific splunk configurations(eg- index, source, sourcetype).
   Replace the macro definition with configurations for your Splunk Environment.
 name: github_enterprise