Not going to get into super detail, but use a webhook to get the pushes and pulls into Wazuh.
1. Configure Wazuh to accept the log inputs for GitHub in ossec.conf
2. Create a decoder using regex in /var/ossec/etc/decoders/local_decoder.xml
<decoder name="github-pull"><regex>.*"pull_request":.*</regex></decoder>
<decoder name="github-push"><regex>.*"pusher":.*</regex></decoder>
3. Create rules to file and record in /var/ossec/etc/rules/local_rules.xml
<rule id="100100" level="3"> <decoded_as>github-push</decoded_as> <description>GitHub push event.</description> </rule>
<rule id="100101" level="3"> <decoded_as>github-pull</decoded_as> <description>GitHub pull request event.</description> </rule>
Correlation rule in /var/ossec/etc/rules/local_rules.xml (frequency and timeframe are attributes of the rule; it chains off rule 100101 above):
<rule id="100102" level="10" frequency="10" timeframe="3600"> <!-- Set the timeframe to 1 hour --> <if_matched_sid>100101</if_matched_sid> <same_field>user</same_field> <description>Ten pull requests from the same user within one hour.</description> </rule>
That should smash it.
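The decode-then-correlate logic above, reproduced in plain Python as an added example (not Wazuh code and not from the original post) so the 10-in-3600-seconds threshold can be sanity-checked against sample webhook payloads before editing local_rules.xml. It assumes the webhook JSON carries the acting user in `sender.login`; the sample events are constructed.

```python
import json
from collections import defaultdict, deque
from typing import Optional

# Assumed payload shape: GitHub webhook JSON with a "pusher" key (push events)
# or a "pull_request" key (pull_request events), and "sender": {"login": ...}.
FREQUENCY = 10      # alert after this many pull-request events...
TIMEFRAME = 3600    # ...from one user inside this many seconds

def decode(raw: str) -> Optional[str]:
    """Stand-in for the two decoders: the same substring checks on the raw line."""
    if '"pull_request":' in raw:
        return "github-pull"
    if '"pusher":' in raw:
        return "github-push"
    return None

class PullRequestCorrelator:
    """Stand-in for the composite rule: fires once FREQUENCY github-pull events
    from the same user fall inside a TIMEFRAME-second sliding window."""
    def __init__(self, frequency: int = FREQUENCY, timeframe: int = TIMEFRAME):
        self.frequency, self.timeframe = frequency, timeframe
        self.window = defaultdict(deque)  # user -> timestamps of recent PR events

    def ingest(self, ts: int, raw: str) -> Optional[str]:
        if decode(raw) != "github-pull":
            return None
        user = json.loads(raw)["sender"]["login"]   # assumed user field
        q = self.window[user]
        q.append(ts)
        while q and ts - q[0] > self.timeframe:     # drop events outside the window
            q.popleft()
        if len(q) >= self.frequency:
            q.clear()                               # one alert per burst
            return f"{user}: {self.frequency} pull requests within {self.timeframe}s"
        return None

def run(events):
    """events: iterable of (unix_ts, raw_json_line); returns the alerts raised."""
    corr = PullRequestCorrelator()
    return [a for ts, raw in events if (a := corr.ingest(ts, raw))]

# Constructed sample stream: 10 PRs from one user every 3 minutes, plus one push.
SAMPLE = [(1700000000 + i * 180,
           json.dumps({"action": "opened", "pull_request": {"number": i},
                       "sender": {"login": "alice"}})) for i in range(10)]
SAMPLE.append((1700000000, json.dumps({"pusher": {"name": "bob"},
                                       "sender": {"login": "bob"}})))

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```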
