SaaS Security
Onboard GitHub Enterprise for Identity Scans
Table of Contents
Expand All
|
Collapse All
SaaS Security Docs
-
-
- Begin Scanning an Amazon S3 App
- Begin Scanning a Bitbucket App
- Begin Scanning a Box App
- Begin Scanning ChatGPT Enterprise App
- Begin Scanning a Cisco Webex Teams App
- Begin Scanning a Confluence App
- Begin Scanning a Confluence Data Center App
- Begin Scanning a Dropbox App
- Begin Scanning a GitHub App
- Begin Scanning a Gmail App
- Begin Scanning a Google Chat App
- Begin Scanning a Google Cloud Storage App
- Begin Scanning a Google Drive App
- Begin Scanning a Jira App
- Begin Scanning a Jira Data Center App
- Begin Scanning a Microsoft Azure Storage App
- Begin Scanning a Microsoft Exchange App
- Begin Scanning a Microsoft Teams App
- Begin Scanning Office 365 Apps
- Begin Scanning a Salesforce App
- Begin Scanning a ServiceNow App
- Begin Scanning a ShareFile App
- Begin Scanning a Slack Enterprise App
- Begin Scanning a Slack for Pro and Business App
- Begin Scanning a Workday App
- Begin Scanning a Zendesk App
- Begin Scanning a Zoom App
- Perform Actions on Sanctioned Apps
- API Throttling
- Configure Classification Labels
- Microsoft Labeling for Office 365
- Google Drive Labeling
- Configure Phishing Analysis
- Configure WildFire Analysis
- Fine-Tune Policy
-
- What is an Incident?
- Filter Incidents
- Configure Slack Notification Alerts on Data Security
- Security Controls Incident Details
- Track Down Threats with WildFire Report
- Customize the Incident Categories
- Close Incidents
- Download Assets for Incidents
- View Asset Snippets for Incidents
- Modify Incident Status
- Email Asset Owners
- Generate Reports on Data Security
- Integrate CIE with Data Security
- Search in Data Security
-
-
- View Usage Data for Unsanctioned SaaS Apps
- SaaS Visibility Application Attributes
- How SaaS Security Inline Determines an App's Risk Score
- Identify Risky Unsanctioned SaaS Apps and Users
- Generate the SaaS Security Report
- Filter Unsanctioned SaaS Apps
-
- SaaS Policy Rule Recommendations
- App-ID Cloud Engine
- Guidelines for SaaS Policy Rule Recommendations
- Apply Predefined SaaS Policy Rule Recommendations
- Create SaaS Policy Rule Recommendations
- Enable SaaS Policy Rule Recommendations
- Monitor SaaS Policy Rule Recommendations
- Delete SaaS Policy Rule Recommendations
- Modify Active SaaS Policy Rule Recommendations
- Manage Enforcement of Rule Recommendations on Strata Cloud Manager
- Manage Enforcement of Rule Recommendations on Panorama
- Tag Discovered SaaS Apps
- Apply Tag Recommendations to Sanctioned Apps
- Change Risk Score for Discovered SaaS Apps
- Troubleshoot Issues on SaaS Security Inline
-
-
- New Features Introduced in December 2024
- New Features Introduced in November 2024
- New Features Introduced in October 2024
- New Features Introduced in August 2024
- New Features Introduced in July 2024
- New Features Introduced in June 2024
- New Features Introduced in May 2024
- New Features Introduced in April 2024
- New Features Introduced in March 2024
- New Features Introduced in January 2024
-
- New Features Introduced in November 2023
- New Features Introduced in October 2023
- New Features Introduced in September 2023
- New Features Introduced in August 2023
- New Features Introduced in July 2023
- New Features Introduced in June 2023
- New Features Introduced in May 2023
- New Features Introduced in April 2023
- New Features Introduced in March 2023
- New Features Introduced in January 2023
-
- New Features Introduced in December 2021
- New Features Introduced in October 2021
- New Features Introduced in September 2021
- New Features Introduced in August 2021
- New Features Introduced in July 2021
- New Features Introduced in June 2021
- New Features Introduced in May 2021
- New Features Introduced in March 2021
- New Features Introduced in January 2021
Something went wrong please try again later
Onboard GitHub Enterprise for Identity Scans
Learn how to connect a GitHub Enterprise instance to SSPM for identity account
scans.
For visibility into GitHub Enterprise account risks, you must onboard GitHub
Enterprise for identity scans. This onboarding process is separate from the
onboarding process for GitHub Enterprise configuration scans. Unlike other apps that
SSPM supports for identity account scans, the onboarding steps for configuration
scans will not enable SSPM to detect account risks. The normal onboarding steps can
enable scans that detect MFA issues, but cannot enable the scans that detect issues
with GitHub Enterprise accounts.
SSPM gets access to identity information for your GitHub Enterprise instance through
a GitHub App (PANW-SSPM-IDENTITY). During onboarding for identity scans, SSPM
prompts you to log into your GitLab Enterprise instance as an administrator. After
you log in, GitHub Enterprise prompts you to select an organization that you manage.
GitHub Enterprise then prompts you to install and grant permissions to the
PANW-SSPM-IDENTITY GitHub App. The permissions will enable SSPM to scan member and
audit log information to identify account risks.
By following
these steps, you can onboard only one organization. If you want SSPM to perform
identity scans for multiple organizations, you can onboard each organization
separately. When you later view account risks for your GitHub Enterprise instance,
the Identity Security dashboard will show information for all of the organizations
that you onboarded.
- Identify the GitHub Enterprise administrator account for granting SSPM access.Required Permissions: To grant SSPM the access that it requires, you must log in with an administrator account that has permission to the GitHub organization that SSPM will scan.After SSPM establishes the connection, it will run scans (Non-Human Identity Scans and Risky Account Scans) to detect issues with accounts for your GitHub Enterprise instance. SSPM will then run these scans at regular intervals. For SSPM to run these scans, the GitHub Enterprise account that you use to establish the initial connection must remain available. For this reason, we recommend that you use a dedicated service account to grant SSPM access. If you delete the service account, or uninstall the the PANW-SSPM-IDENTITY GitHub App, the scans will fail and you will need to onboard GitHub Enterprise for identity scans again.
- Sign out of all GitHub Enterprise accounts.Signing out of all GitHub Enterprise accounts helps ensure that you sign in under the correct account during the onboarding process. Some browsers can automatically sign you in by using saved credentials. To ensure that the browser does not automatically sign you in to the wrong account, you can turn off any automatic sign-in option or clear your saved credentials. Alternatively, you can prevent the browser from using saved credentials by opening the Cloud Management Console in an incognito window.
- Connect to your Github Enterprise instance and enable identity scans.
- Log in to Strata Cloud Manager.
- Select ManageConfigurationSaaS SecurityPosture SecurityIdentity and Add Provider.
- Click the Github Enterprise Identity tile, and Add New instance.
- Log in with Credentials.
- Connect.SSPM redirects you to the Github Enterprise login page.
- Enter the credentials for the administrator account that you identified earlier, and log in to GitHub Enterprise.
- Github Enterprise prompts you to select an organization. Select the organization that you want SSPM to scan for account risks.
- GitHub Enterprise prompts you to install and authorize the PANW-SSPM-IDENTITY GitHub App. Select All Repositories and Install & Authorize.