Update GitHub Data Model to display admin-add events instead of UNKNOWN_ROLE (#979)

Author: Evan Gibler

data_models/github_data_model.py

@@ -1,14 +1,20 @@
 import panther_event_type_helpers as event_type
 
+ADMIN_EVENTS = {
+    "business.add_admin",
+    "business.invite_admin",
+    "team.promote_maintainer",
+}
 
-def get_admin_role(_):
-    # github doesn't record the admin role in the event
-    return "<UNKNOWN_ROLE>"
+
+def get_admin_role(event):
+    action = event.get("action", "")
+    return action if action in ADMIN_EVENTS else "<UNKNOWN_ADMIN_ROLE>"
 
 
 def get_event_type(event):
-    if event.get("action") == "team.promote_maintainer":
+    if event.get("action", "") in ADMIN_EVENTS:
         return event_type.ADMIN_ROLE_ASSIGNED
-    if event.get("action") == "org.disable_two_factor_requirement":
+    if event.get("action", "") == "org.disable_two_factor_requirement":
         return event_type.MFA_DISABLED
     return None

rules/standard_rules/admin_assigned.yml

@@ -166,6 +166,33 @@ Tests:
         "p_log_type": "GitHub.Audit",
         "user": "bob"
       }
+  - Name: Github - Admin Added
+    ExpectedResult: true
+    Log:
+      {
+        "actor": "cat",
+        "action": "business.add_admin",
+        "p_log_type": "GitHub.Audit",
+        "user": "bob"
+      }
+  - Name: Github - Admin Invited
+    ExpectedResult: true
+    Log:
+      {
+        "actor": "cat",
+        "action": "business.invite_admin",
+        "p_log_type": "GitHub.Audit",
+        "user": "bob"
+      }
+  - Name: Github - Unknown Admin Role
+    ExpectedResult: false
+    Log:
+      {
+        "actor": "cat",
+        "action": "unknown.admin_role",
+        "p_log_type": "GitHub.Audit",
+        "user": "bob"
+      }
   -
     Name: Zendesk - Admin Role Downgraded
     ExpectedResult: false