This version of GitHub Enterprise Server will be discontinued on 2025-08-27. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise Server. For help with the upgrade, contact GitHub Enterprise support.

Audit log events for your enterprise

Review the events recorded in an enterprise's audit log.

Who can use this feature?

Enterprise owners and site administrators

Audit log events

account

account.plan_change: The account's plan changed.
Fields: actor, operation_type, _document_id, user_agent, created_at, actor_id, request_id, @timestamp, user, action, user_id, programmatic_access_type
Reference: How GitHub billing works

actions_cache

actions_cache.delete: A GitHub Actions cache was deleted using the REST API.
Fields: user_agent, request_id, actor, actor_id, oauth_application_id, user_id, user, repo_id, repo, org, org_id, actions_cache_id, actions_cache_key, actions_cache_version, actions_cache_scope, action, _document_id, @timestamp, created_at, operation_type, token_scopes, programmatic_access_type, request_access_security_header

api

api.request: An API request was made to an endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.
Fields: user_agent, request_id, request_method, query_string, hashed_token, programmatic_access_type, actor, actor_id, token_id, token_scopes, request_body, status_code, url_path, business, business_id, org, org_id, repo, repo_id, public_repo, user, user_id, action, _document_id, @timestamp, created_at, operation_type, route, rate_limit_remaining, actor_is_bot
Reference: Streaming the audit log for your enterprise

artifact

artifact.destroy: A workflow run artifact was manually deleted.
Fields: action, actor, user_agent, actor_id, repo, repo_id, request_id, @timestamp, created_at, _document_id, operation_type, programmatic_access_type

audit_log_streaming

audit_log_streaming.check: A manual check of the endpoint configured for audit log streaming was performed.
Fields: user_agent, request_id, actor, actor_id, audit_log_stream_result, business_id, business, action, _document_id, @timestamp, created_at, operation_type, audit_log_stream_sink_details, request_access_security_header

audit_log_streaming.create: An endpoint was added for audit log streaming.
Fields: user_agent, request_id, actor, actor_id, business_id, business, audit_log_stream_sink, action, _document_id, @timestamp, created_at, operation_type, audit_log_stream_id

audit_log_streaming.destroy: An audit log streaming endpoint was deleted.
Fields: user_agent, request_id, actor, actor_id, business_id, business, action, _document_id, @timestamp, created_at, operation_type, audit_log_stream_id, audit_log_stream_sink_details

audit_log_streaming.update: An endpoint configuration was updated for audit log streaming, such as the stream was paused, enabled, or disabled.
Fields: user_agent, request_id, actor, actor_id, audit_log_stream_enabled, business_id, business, audit_log_stream_sink, action, _document_id, @timestamp, created_at, operation_type, new_s3_bucket, old_s3_bucket, secrets_updated, new_s3_arn_role, old_s3_arn_role, new_azure_blob_container, old_azure_blob_container, new_event_hub_instance, old_event_hub_instance, new_splunk_domain, old_splunk_domain, ssl_verify, old_gc_bucket

billing

billing.change_billing_type: The way the account pays for GitHub was changed.
Fields: actor_id, user, @timestamp, actor, user_id, action, created_at, operation_type, _document_id, user_agent, request_id
Reference: Managing your payment and billing information

billing.change_email: The billing email address changed.
Fields: actor, operation_type, actor_id, org_id, @timestamp, user_agent, request_id, created_at, _document_id, org, email, action, request_access_security_header
Reference: Managing your payment and billing information

business

business.add_admin: An enterprise owner was added to an enterprise.
Fields: name, business, user, user_id, @timestamp, created_at, actor, actor_id, action, operation_type, request_id, business_id, _document_id, user_agent, programmatic_access_type, request_access_security_header
Reference: Inviting people to manage your enterprise

business.add_organization: An organization was added to an enterprise.
Fields: org_id, operation_type, @timestamp, actor, business_id, org, action, user_agent, actor_id, name, created_at, request_id, _document_id, business, organization_upgrade, request_access_security_header

business.advanced_security_policy_update: An enterprise owner created, updated, or removed a policy for GitHub Advanced Security.
Fields: user_agent, request_id, actor, actor_id, name, new_policy, business, business_id, action, operation_type, @timestamp, created_at, _document_id, request_access_security_header
Reference: Enforcing policies for code security and analysis for your enterprise

business.clear_actions_settings: An enterprise owner or site administrator cleared GitHub Actions policy settings for an enterprise.
Fields: user_agent, request_id, actor, actor_id, name, business, business_id, action, operation_type, @timestamp, created_at, _document_id
Reference: Enforcing policies for GitHub Actions in your enterprise

business.clear_default_repository_permission: An enterprise owner cleared the base repository permission policy setting for an enterprise.
Fields: name, operation_type, business_id, user_agent, actor_id, request_id, actor, _document_id, business, action, @timestamp, created_at
Reference: Enforcing repository management policies in your enterprise

business.clear_members_can_create_repos: An enterprise owner cleared a restriction on repository creation in organizations in the enterprise.
Fields: user_agent, actor_id, business_id, action, _document_id, request_id, name, business, visibility, created_at, actor, operation_type, @timestamp
Reference: Enforcing repository management policies in your enterprise

business.code_scanning_autofix_policy_update: The policy for Code scanning autofix was updated for an enterprise.
Fields: actor, actor_id, user_agent, request_id, name, new_policy, business, business_id, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot, request_access_security_header

business.create: An enterprise was created.
Fields: actor_id, _document_id, action, @timestamp, request_id, name, business, business_id, operation_type, actor, created_at, user_agent, request_access_security_header

business.disable_open_scim: SCIM provisioning for custom integrations that use the REST API was disabled for the enterprise.
Fields: actor, actor_id, user_agent, request_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header

business.disable_source_ip_disclosure: Display of IP addresses within audit log events for the enterprise was disabled.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Displaying IP addresses in the audit log for your enterprise

business.disable_two_factor_requirement: The requirement for members to have two-factor authentication enabled to access an enterprise was disabled.
Fields: action, @timestamp, actor, business, operation_type, created_at, user_agent, business_id, actor_id, name, _document_id, request_id

business.enable_open_scim: SCIM provisioning for custom integrations that use the REST API was enabled for the enterprise.
Fields: actor, actor_id, user_agent, request_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type

business.enable_source_ip_disclosure: Display of IP addresses within audit log events for the enterprise was enabled.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Displaying IP addresses in the audit log for your enterprise

business.enable_two_factor_requirement: The requirement for members to have two-factor authentication enabled to access an enterprise was enabled.
Fields: actor_id, action, user_agent, actor, operation_type, created_at, business, business_id, name, _document_id, request_id, @timestamp

business.members_can_update_protected_branches.clear: An enterprise owner unset a policy for whether members of an enterprise can update protected branches on repositories for individual organizations. Organization owners can choose whether to allow updating protected branches settings.
Fields: user_id, action, created_at, actor, actor_id, @timestamp, request_id, business, name, operation_type, user, user_agent, business_id, _document_id

business.members_can_update_protected_branches.disable: The ability for enterprise members to update branch protection rules was disabled. Only enterprise owners can update protected branches.
Fields: user_agent, request_id, actor, actor_id, name, business, business_id, user, user_id, action, operation_type, @timestamp, created_at, _document_id

business.members_can_update_protected_branches.enable: The ability for enterprise members to update branch protection rules was enabled. Enterprise owners and members can update protected branches.
Fields: name, actor, operation_type, _document_id, business_id, user, @timestamp, business, actor_id, created_at, action, user_agent, request_id, user_id

business.remove_admin: An enterprise owner was removed from an enterprise.
Fields: actor, operation_type, user_agent, business, business_id, @timestamp, created_at, request_id, action, name, actor_id, user_id, _document_id, user
Reference: Inviting people to manage your enterprise

business.remove_organization: An organization was removed from an enterprise.
Fields: org_id, action, business, actor, actor_id, request_id, created_at, user_agent, business_id, operation_type, @timestamp, _document_id, name, org

business.rename_slug: The slug for the enterprise URL was renamed.
Fields: request_id, name, business_id, user_agent, action, actor_id, operation_type, actor, @timestamp, created_at, business, _document_id

business.revoke_sso_session: The SAML single sign-on session for a member in an enterprise was revoked.
Fields: business_id, user_agent, request_id, user, operation_type, actor, _document_id, actor_id, name, @timestamp, user_id, action, created_at, business

business.set_actions_fork_pr_approvals_policy: The policy for requiring approvals for workflows from public forks was changed for an enterprise.
Fields: user_agent, request_id, actor, actor_id, name, policy, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Enforcing policies for GitHub Actions in your enterprise

business.set_actions_private_fork_pr_approvals_policy: The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an enterprise.
Fields: actor, actor_id, user_agent, request_id, name, policy, business, business_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: Enforcing policies for GitHub Actions in your enterprise

business.set_actions_retention_limit: The retention period for GitHub Actions artifacts and logs was changed for an enterprise.
Fields: user_agent, request_id, actor, actor_id, name, limit, business, business_id, action, operation_type, @timestamp, created_at, _document_id
Reference: Enforcing policies for GitHub Actions in your enterprise

business.set_default_workflow_permissions: The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an enterprise.
Fields: actor, actor_id, user_agent, request_id, name, business, business_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: Enforcing policies for GitHub Actions in your enterprise

business.set_fork_pr_workflows_policy: The policy for fork pull request workflows was changed for an enterprise.
Fields: user_agent, request_id, actor, actor_id, name, policy, business, business_id, action, operation_type, @timestamp, created_at, _document_id, request_access_security_header
Reference: Enforcing policies for GitHub Actions in your enterprise

business.set_workflow_permission_can_approve_pr: The policy for allowing GitHub Actions to create and approve pull requests was changed for an enterprise.
Fields: actor, actor_id, user_agent, request_id, name, business, business_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: Enforcing policies for GitHub Actions in your enterprise

business.sso_response: A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your enterprise. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.
Fields: issuer, name, user_agent, action, @timestamp, _document_id, actor, business, business_id, actor_id, created_at, request_id, operation_type, request_access_security_header

business.update_actions_settings: An enterprise owner or site administrator updated GitHub Actions policy settings for an enterprise.
Fields: user_agent, request_id, actor, actor_id, name, business, business_id, action, operation_type, @timestamp, created_at, _document_id, updated_github_owned_allowed, updated_verified_allowed, updated_patterns, new_policy, old_policy, updated_access_policy
Reference: Enforcing policies for GitHub Actions in your enterprise

business.update_default_repository_permission: The base repository permission setting was updated for all organizations in an enterprise.
Fields: business_id, operation_type, user_agent, actor, actor_id, permission, action, created_at, @timestamp, request_id, name, _document_id, old_permission, business
Reference: Enforcing repository management policies in your enterprise

business.update_member_repository_creation_permission: The repository creation setting was updated for an enterprise.
Fields: created_at, _document_id, request_id, name, business_id, actor, actor_id, @timestamp, operation_type, permission, action, business, user_agent, visibility
Reference: Enforcing repository management policies in your enterprise

business.update_member_repository_invitation_permission: The policy setting for enterprise members inviting outside collaborators to repositories was updated.
Fields: business_id, created_at, action, operation_type, @timestamp, request_id, permission, actor, actor_id, name, _document_id, user_agent, business
Reference: Enforcing repository management policies in your enterprise

business_advanced_security

business_advanced_security.disabled: GitHub Advanced Security was disabled for your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: Managing GitHub Advanced Security features for your enterprise

business_advanced_security.disabled_for_new_repos: GitHub Advanced Security was disabled for new repositories in your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Managing GitHub Advanced Security features for your enterprise

business_advanced_security.disabled_for_new_user_namespace_repos: GitHub Advanced Security was disabled for new user namespace repositories in your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot, request_access_security_header
Reference: Managing GitHub Advanced Security features for your enterprise

business_advanced_security.enabled: GitHub Advanced Security was enabled for your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Managing GitHub Advanced Security features for your enterprise

business_advanced_security.enabled_for_new_repos: GitHub Advanced Security was enabled for new repositories in your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Managing GitHub Advanced Security features for your enterprise

business_advanced_security.enabled_for_new_user_namespace_repos: GitHub Advanced Security was enabled for new user namespace repositories in your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot, request_access_security_header
Reference: Managing GitHub Advanced Security features for your enterprise

business_advanced_security.user_namespace_repos_disabled: GitHub Advanced Security was disabled for user namespace repositories in your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot
Reference: Managing GitHub Advanced Security features for your enterprise

business_advanced_security.user_namespace_repos_enabled: GitHub Advanced Security was enabled for user namespace repositories in your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot, request_access_security_header
Reference: Managing GitHub Advanced Security features for your enterprise

business_dependabot_alerts_new_repos

business_dependabot_alerts_new_repos.disable: Dependabot alerts were disabled for new repositories in your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type

business_dependabot_alerts_new_repos.enable: Dependabot alerts were enabled for new repositories in your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type

business_secret_scanning_automatic_validity_checks

business_secret_scanning_automatic_validity_checks.disabled: Automatic partner validation checks have been disabled at the business level
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Managing GitHub Advanced Security features for your enterprise

business_secret_scanning_automatic_validity_checks.enabled: Automatic partner validation checks have been enabled at the business level
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Managing GitHub Advanced Security features for your enterprise

business_secret_scanning_custom_pattern

business_secret_scanning_custom_pattern.create: An enterprise-level custom pattern was created for secret scanning.
Fields: user_agent, request_id, actor, actor_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: Defining custom patterns for secret scanning

business_secret_scanning_custom_pattern.delete: An enterprise-level custom pattern was removed from secret scanning.
Fields: user_agent, request_id, actor, actor_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type

business_secret_scanning_custom_pattern.publish: An enterprise-level custom pattern was published for secret scanning.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header

business_secret_scanning_custom_pattern.update: Changes to an enterprise-level custom pattern were saved and a dry run was executed for secret scanning.
Fields: user_agent, request_id, actor, actor_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type

business_secret_scanning_custom_pattern_push_protection

business_secret_scanning_custom_pattern_push_protection.disabled: Push protection for a custom pattern for secret scanning was disabled for your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Defining custom patterns for secret scanning

business_secret_scanning_custom_pattern_push_protection.enabled: Push protection for a custom pattern for secret scanning was enabled for your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: Defining custom patterns for secret scanning

business_secret_scanning

business_secret_scanning.disable: Secret scanning was disabled for your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Managing GitHub Advanced Security features for your enterprise

business_secret_scanning.disabled_for_new_repos: Secret scanning was disabled for new repositories in your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Managing GitHub Advanced Security features for your enterprise

business_secret_scanning.enable: Secret scanning was enabled for your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Managing GitHub Advanced Security features for your enterprise

business_secret_scanning.enabled_for_new_repos: Secret scanning was enabled for new repositories in your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Managing GitHub Advanced Security features for your enterprise

business_secret_scanning_non_provider_patterns

business_secret_scanning_non_provider_patterns.disabled: Secret scanning for non-provider patterns was disabled at the enterprise level.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot
Reference: Supported secret scanning patterns

business_secret_scanning_non_provider_patterns.enabled: Secret scanning for non-provider patterns was enabled at the enterprise level.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot
Reference: Supported secret scanning patterns

business_secret_scanning_push_protection_custom_message

business_secret_scanning_push_protection_custom_message.disable: The custom message triggered by an attempted push to a push-protected repository was disabled for your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Managing GitHub Advanced Security features for your enterprise

business_secret_scanning_push_protection_custom_message.enable: The custom message triggered by an attempted push to a push-protected repository was enabled for your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Managing GitHub Advanced Security features for your enterprise

business_secret_scanning_push_protection_custom_message.update: The custom message triggered by an attempted push to a push-protected repository was updated for your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Managing GitHub Advanced Security features for your enterprise

business_secret_scanning_push_protection

business_secret_scanning_push_protection.disable: Push protection for secret scanning was disabled for your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Managing GitHub Advanced Security features for your enterprise

business_secret_scanning_push_protection.disabled_for_new_repos: Push protection for secret scanning was disabled for new repositories in your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Managing GitHub Advanced Security features for your enterprise

business_secret_scanning_push_protection.enable: Push protection for secret scanning was enabled for your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Managing GitHub Advanced Security features for your enterprise

business_secret_scanning_push_protection.enabled_for_new_repos: Push protection for secret scanning was enabled for new repositories in your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Managing GitHub Advanced Security features for your enterprise

business_secret_scanning_push_protection_pattern_configuration

business_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed: The push protection setting was changed for a secret type for your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, secret_type, secret_type_display_name, push_protection_setting
Reference: Managing GitHub Advanced Security features for your enterprise

business_secret_scanning_push_protection_pattern_configuration.updated: The push protection pattern configuration was updated for your enterprise.
Fields: actor, actor_id, user_agent, request_id, user, user_id, business, business_id, action, _document_id, @timestamp
Reference: Managing GitHub Advanced Security features for your enterprise

checks

checks.auto_trigger_disabled: Automatic creation of check suites was disabled on a repository in the organization or enterprise.
Fields: visibility, user_agent, user, @timestamp, repo, actor_id, user_id, action, created_at, actor, operation_type, request_id, repo_id, _document_id
Reference: /rest/checks#update-repository-preferences-for-check-suites

checks.auto_trigger_enabled: Automatic creation of check suites was enabled on a repository in the organization or enterprise.
Fields: user_agent, request_id, actor, actor_id, visibility, repo, repo_id, user, user_id, action, operation_type, @timestamp, created_at, _document_id, public_repo
Reference: /rest/checks#update-repository-preferences-for-check-suites

checks.delete_logs: Logs in a check suite were deleted.
Fields: @timestamp, actor, actor_id, operation_type, repo_id, action, created_at, _document_id, user_agent, request_id, repo, programmatic_access_type

code

code.search: A code search was run targeting an organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.
Fields: @timestamp, action, actor_id, business_id, query, org_id, user_id, _document_id, search_string
Reference: /search-github/github-code-search

codespaces

codespaces.allow_permissions: A codespace using custom permissions from its devcontainer.json file was launched.
Fields: user_agent, request_id, actor, actor_id, origin_repository, action, _document_id, @timestamp, created_at, operation_type

codespaces.connect: Credentials for a codespace were refreshed.
Fields: user_agent, request_id, actor, actor_id, repository_id, repository, pull_request_id, user_id, org_id, owner, name, action, operation_type, @timestamp, created_at, _document_id, public_repo, token_scopes, programmatic_access_type, actor_is_bot, machine_type, devcontainer_path

codespaces.create: A codespace was created
Fields: user_agent, request_id, actor, actor_id, repository_id, repository, pull_request_id, owner, name, action, operation_type, @timestamp, created_at, _document_id, token_scopes, programmatic_access_type, actor_is_bot, machine_type, devcontainer_path
Reference: Creating a codespace for a repository

codespaces.destroy: A user deleted a codespace.
Fields: user_agent, request_id, actor, actor_id, repository_id, repository, pull_request_id, owner, name, action, operation_type, @timestamp, created_at, _document_id, token_scopes, programmatic_access_type
Reference: Deleting a codespace

codespaces.export_environment: A codespace was exported to a branch on GitHub.
Fields: user_agent, request_id, actor, actor_id, oauth_application_id, owner, action, _document_id, @timestamp, created_at, operation_type, public_repo

codespaces.restore: A codespace was restored.
Fields: user_agent, request_id, actor, actor_id, owner, repo, repo_id, public_repo, action, _document_id, @timestamp, created_at, operation_type

codespaces.start_environment: A codespace was started.
Fields: actor, actor_id, user_agent, request_id, name, org, owner, pull_request_id, machine_type, user_id, user, devcontainer_path, repo, repo_id, public_repo, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header

codespaces.suspend_environment: A codespace was stopped.
Fields: user_agent, request_id, actor, actor_id, owner, action, operation_type, @timestamp, created_at, _document_id, public_repo, token_scopes, programmatic_access_type

codespaces.trusted_repositories_access_update: A personal account's access and security setting for Codespaces were updated.
Fields: user_agent, request_id, actor, actor_id, business, org, org_id, action, operation_type, @timestamp, created_at, _document_id
Reference: Managing access to other repositories within your codespace

copilot

copilot.cfb_seat_added: A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.
Fields: user_agent, request_id, token_id, hashed_token, programmatic_access_type, actor, actor_id, user, user_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, request_access_security_header

copilot.cfb_seat_assignment_created: A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.
Fields: actor, actor_id, user_agent, request_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: What is GitHub Copilot?

copilot.cfb_seat_assignment_refreshed: A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.
Fields: user_agent, request_id, hashed_token, programmatic_access_type, actor, actor_id, token_id, token_scopes, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, request_access_security_header

copilot.cfb_seat_assignment_reused: A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.
Fields: actor, actor_id, user_agent, request_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type

copilot.cfb_seat_assignment_unassigned: A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.
Fields: actor, actor_id, user_agent, request_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, request_access_security_header

copilot.cfb_seat_cancelled: A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.
Fields: actor, actor_id, user_agent, request_id, user, user_id, action, _document_id, @timestamp, created_at, operation_type, seat_assignment, request_access_security_header

copilot.cfb_seat_cancelled_by_staff: A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.
Fields: actor, actor_id, user_agent, request_id, user_id, user, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id

custom_property_definition

custom_property_definition.create: A new custom property definition was created.
Fields: actor, actor_id, user_agent, request_id, property_name, action, _document_id, @timestamp, created_at, operation_type, business, business_id, value_type, required, default_value, definition_id
Reference: /organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization

custom_property_definition.destroy: A custom property definition was deleted.
Fields: actor, actor_id, user_agent, request_id, property_name, action, _document_id, @timestamp, created_at, operation_type, business, business_id, value_type, required, default_value, definition_id, allowed_values
Reference: /organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization

custom_property_definition.update: A custom property definition was updated.
Fields: actor, actor_id, user_agent, request_id, property_name, action, _document_id, @timestamp, created_at, operation_type, value_type, required, default_value, old_allowed_values, allowed_values, definition_id, old_required, old_default_value, old_value_type, old_values_editable_by, values_editable_by, request_access_security_header
Reference: /organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization

custom_property_value

custom_property_value.create: A repository's custom property value was manually set for the first time.
Fields: actor, actor_id, user_agent, request_id, definition_id, property_name, value, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot, request_access_security_header
Reference: /organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization

custom_property_value.destroy: A repository's custom property value was deleted.
Fields: actor, actor_id, user_agent, request_id, repository, repository_id, public_repo, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: /organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization

custom_property_value.update: A repository's custom property value was updated.
Fields: actor, actor_id, user_agent, request_id, repository, repository_id, public_repo, action, _document_id, @timestamp, created_at, operation_type, definition_id
Reference: /organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization

dependabot_alerts

dependabot_alerts.disable: Dependabot alerts were disabled for all existing repositories.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories

dependabot_alerts.enable: Dependabot alerts were enabled for all existing repositories.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, org, org_id, action, operation_type, @timestamp, _document_id
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories

dependabot_alerts_new_repos

dependabot_alerts_new_repos.disable: Dependabot alerts were disabled for all new repositories.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, org, org_id, action, operation_type, @timestamp, _document_id
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added

dependabot_alerts_new_repos.enable: Dependabot alerts were enabled for all new repositories.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added

dependabot_repository_access

dependabot_repository_access.repositories_updated: The repositories that Dependabot can access were updated.
Fields: user_agent, request_id, actor, actor_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id

dependabot_security_updates

dependabot_security_updates.disable: Dependabot security updates were disabled for all existing repositories.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization

dependabot_security_updates.enable: Dependabot security updates were enabled for all existing repositories.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, org, org_id, action, operation_type, @timestamp, _document_id

dependabot_security_updates_new_repos

dependabot_security_updates_new_repos.disable: Dependabot security updates were disabled for all new repositories.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, org, org_id, action, operation_type, @timestamp, _document_id
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization

dependabot_security_updates_new_repos.enable: Dependabot security updates were enabled for all new repositories.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id

dependency_graph

dependency_graph.disable: The dependency graph was disabled for all existing repositories.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, org, org_id, action, operation_type, @timestamp, _document_id
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization

dependency_graph.enable: The dependency graph was enabled for all existing repositories.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, org, org_id, action, operation_type, @timestamp, _document_id

dependency_graph_new_repos

dependency_graph_new_repos.disable: The dependency graph was disabled for all new repositories.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, org, org_id, action, operation_type, @timestamp, _document_id
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization

dependency_graph_new_repos.enable: The dependency graph was enabled for all new repositories.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, org, org_id, action, operation_type, @timestamp, _document_id, request_access_security_header

discussion_post

discussion_post.destroy: Triggered when a team discussion post is deleted.
Fields: request_id, team, created_at, user_id, @timestamp, number, org, title, actor, actor_id, user, action, user_agent, operation_type, _document_id
Reference: /communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment

discussion_post.update: Triggered when a team discussion post is edited.
Fields: created_at, _document_id, title, user, user_agent, org, operation_type, actor_id, @timestamp, actor, team, action, org_id, request_id, user_id, number
Reference: /communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment

discussion_post_reply

discussion_post_reply.destroy: Triggered when a reply to a team discussion post is deleted.
Fields: actor_id, action, @timestamp, user_agent, operation_type, user_id, actor, number, user, created_at, request_id, _document_id
Reference: /communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment

discussion_post_reply.update: Triggered when a reply to a team discussion post is edited.
Fields: action, _document_id, request_id, org, @timestamp, actor_id, operation_type, user, user_id, org_id, user_agent, actor, number, team, created_at
Reference: /communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment

enterprise_announcement

enterprise_announcement.create: A global announcement banner was created for the enterprise.
Fields: actor, actor_id, user_agent, request_id, owner, owner_type, business_id, message, action, _document_id, @timestamp, created_at, operation_type
Reference: Customizing user messages for your enterprise

enterprise_announcement.destroy: A global announcement banner was removed from the enterprise.
Fields: actor, actor_id, user_agent, request_id, owner, owner_type, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Customizing user messages for your enterprise

enterprise_announcement.update: A global announcement banner was updated for the enterprise.
Fields: actor, actor_id, user_agent, request_id, owner, owner_type, business_id, message, old_message, action, _document_id, @timestamp, created_at, operation_type
Reference: Customizing user messages for your enterprise

enterprise_domain

enterprise_domain.approve: A domain was approved for an enterprise.
Fields: user_agent, request_id, actor, actor_id, owner_type, domain_name, business_id, owner, action, operation_type, @timestamp, created_at, _document_id
Reference: Verifying or approving a domain for your enterprise

enterprise_domain.create: A domain was added to an enterprise.
Fields: user_agent, request_id, actor, actor_id, created_at, owner_type, domain_name, owner, action, operation_type, @timestamp, _document_id
Reference: Verifying or approving a domain for your enterprise

enterprise_domain.destroy: A domain was removed from an enterprise.
Fields: user_agent, request_id, actor, actor_id, created_at, owner_type, domain_name, owner, action, operation_type, @timestamp, _document_id
Reference: Verifying or approving a domain for your enterprise

enterprise_domain.verify: A domain was verified for an enterprise.
Fields: user_agent, request_id, actor, actor_id, owner_type, domain_name, owner, action, operation_type, @timestamp, created_at, _document_id
Reference: Verifying or approving a domain for your enterprise

enterprise

enterprise.register_self_hosted_runner: A new GitHub Actions self-hosted runner was registered.
Fields: user_agent, request_id, actor, actor_id, business, business_id, action, operation_type, @timestamp, created_at, _document_id, request_access_security_header
Reference: Adding self-hosted runners

enterprise.remove_self_hosted_runner: A GitHub Actions self-hosted runner was removed.
Fields: user_agent, request_id, actor, actor_id, business, business_id, action, operation_type, @timestamp, created_at, _document_id, token_scopes, programmatic_access_type, request_access_security_header
Reference: Removing self-hosted runners

enterprise.runner_group_created: A GitHub Actions self-hosted runner group was created.
Fields: user_agent, request_id, actor, actor_id, runner_group_id, business, business_id, action, operation_type, @timestamp, created_at, _document_id, runner_group_restricted_to_workflows
Reference: Removing self-hosted runners

enterprise.runner_group_removed: A GitHub Actions self-hosted runner group was removed.
Fields: user_agent, request_id, actor, actor_id, runner_group_id, business, business_id, action, operation_type, @timestamp, created_at, _document_id
Reference: Managing access to self-hosted runners using groups

enterprise.runner_group_runner_removed: The REST API was used to remove a GitHub Actions self-hosted runner from a group.
Fields: user_agent, request_id, actor, actor_id, oauth_application_id, runner_group_id, runner_id, business, business_id, action, operation_type, @timestamp, created_at, _document_id
Reference: /rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization

enterprise.runner_group_runners_added: A GitHub Actions self-hosted runner was added to a group.
Fields: user_agent, request_id, actor, actor_id, runner_group_id, business, business_id, action, operation_type, @timestamp, created_at, _document_id, request_access_security_header
Reference: Managing access to self-hosted runners using groups

enterprise.runner_group_runners_updated: A GitHub Actions runner group's list of members was updated.
Fields: user_agent, request_id, actor, actor_id, oauth_application_id, runner_group_id, business, business_id, action, operation_type, @timestamp, created_at, _document_id
Reference: /rest/actions#set-self-hosted-runners-in-a-group-for-an-organization

enterprise.runner_group_updated: The configuration of a GitHub Actions self-hosted runner group was changed.
Fields: user_agent, request_id, actor, actor_id, runner_group_id, runner_group_name, runner_group_allow_public, business, business_id, action, operation_type, @timestamp, created_at, _document_id, runner_group_restricted_to_workflows, runner_group_selected_workflow_refs, network_configuration_id, request_access_security_header
Reference: Managing access to self-hosted runners using groups

enterprise.self_hosted_runner_offline: The GitHub Actions runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.
Fields: business_id, runner_id, runner_name, action, _document_id, operation_type, created_at, @timestamp
Reference: Monitoring and troubleshooting self-hosted runners

enterprise.self_hosted_runner_online: The GitHub Actions runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.
Fields: business_id, runner_id, runner_name, action, _document_id, operation_type, created_at, @timestamp
Reference: Monitoring and troubleshooting self-hosted runners

enterprise.self_hosted_runner_updated: The GitHub Actions runner application was updated. This event is not included in the JSON/CSV export.
Fields: business_id, runner_id, runner_name, source_version, target_version, runner_group_id, runner_group_name, action, _document_id, operation_type, created_at, @timestamp
Reference: Self-hosted runners

enterprise_team

enterprise_team.add_member: A new member was added to the enterprise team or an IdP group linked to an enterprise team, or an IdP group was linked to an enterprise team.
Fields: actor, actor_id, user_agent, request_id, user_id, business_id, enterprise_team_id, enterprise_team, user, business, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header

enterprise_team.copilot_assignment: A license for GitHub Copilot was assigned to an enterprise team.
Fields: actor, actor_id, user_agent, request_id, business_id, enterprise_team_id, enterprise_team, business, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot, request_access_security_header

enterprise_team.copilot_unassignment: A license for GitHub Copilot was unassigned from an enterprise team.
Fields: actor, actor_id, user_agent, request_id, business_id, enterprise_team_id, enterprise_team, business, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot

enterprise_team.create: A new enterprise team was created.
Fields: actor, actor_id, user_agent, request_id, business_id, enterprise_team_id, enterprise_team, business, action, _document_id, @timestamp, created_at, operation_type

enterprise_team.destroy: An enterprise team was deleted.
Fields: actor, actor_id, user_agent, request_id, business_id, enterprise_team_id, enterprise_team, business, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot

enterprise_team.remove_member: A member was removed from the enterprise team or an IdP group linked to an enterprise team, or an IdP group was unlinked from an enterprise team.
Fields: actor, actor_id, user_agent, request_id, user_id, business_id, enterprise_team_id, enterprise_team, user, business, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header

enterprise_team.rename: The name of an enterprise team was changed.
Fields: actor, actor_id, user_agent, request_id, name, business_id, enterprise_team_id, enterprise_team, business, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot

environment

environment.add_protection_rule: A GitHub Actions deployment protection rule was created via the API.
Fields: user_agent, request_id, actor, actor_id, name, repo, repo_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, programmatic_access_type, request_access_security_header
Reference: Managing environments for deployment

environment.create_actions_secret: A secret was created for a GitHub Actions environment.
Fields: user_agent, request_id, actor, actor_id, oauth_application_id, key, visibility, repo, repo_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, business, business_id, public_repo, token_scopes, programmatic_access_type, request_access_security_header
Reference: Managing environments for deployment

environment.create_actions_variable: A variable was created for a GitHub Actions environment.
Fields: actor, actor_id, user_agent, request_id, key, visibility, environment_name, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot, request_access_security_header
Reference: Store information in variables

environment.delete: An environment was deleted.
Fields: user_agent, request_id, actor, actor_id, name, repo, repo_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, public_repo, token_scopes, programmatic_access_type, actor_is_bot, request_access_security_header
Reference: Managing environments for deployment

environment.remove_actions_secret: A secret was deleted for a GitHub Actions environment.
Fields: user_agent, request_id, actor, actor_id, oauth_application_id, key, repo, repo_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, business, business_id, public_repo, token_scopes, request_access_security_header
Reference: Managing environments for deployment

environment.remove_actions_variable: A variable was deleted for a GitHub Actions environment.
Fields: actor, actor_id, user_agent, request_id, key, environment_name, repo, repo_id, public_repo, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: Store information in variables

environment.remove_protection_rule: A GitHub Actions deployment protection rule was deleted via the API.
Fields: user_agent, request_id, actor, actor_id, name, repo, repo_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, public_repo, request_access_security_header
Reference: Managing environments for deployment

environment.update_actions_secret: A secret was updated for a GitHub Actions environment.
Fields: user_agent, request_id, actor, actor_id, oauth_application_id, key, visibility, repo, repo_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, public_repo, programmatic_access_type, request_access_security_header
Reference: Managing environments for deployment

environment.update_actions_variable: A variable was updated for a GitHub Actions environment.
Fields: actor, actor_id, user_agent, request_id, key, visibility, environment_name, repo, repo_id, public_repo, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: Store information in variables

environment.update_protection_rule: A GitHub Actions deployment protection rule was updated via the API.
Fields: user_agent, request_id, actor, actor_id, repo, repo_id, org, org_id, action, @timestamp, _document_id, new_value, approvers_was, approvers, programmatic_access_type, can_admins_bypass, prevent_self_review
Reference: Managing environments for deployment

external_group

external_group.add_member: A user was added to an external group.
Fields: user_agent, request_id, hashed_token, programmatic_access_type, actor, actor_id, token_id, token_scopes, external_group, external_group_id, user, user_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, scim_group_id, request_access_security_header

external_group.delete: An external group was deleted.
Fields: user_agent, request_id, actor, actor_id, oauth_application_id, action, operation_type, @timestamp, created_at, _document_id, business, business_id, token_scopes, scim_group_id

external_group.link: An external group was linked to a GitHub team.
Fields: user_agent, request_id, actor, actor_id, external_group_id, action, operation_type, @timestamp, created_at, _document_id, business, business_id, external_group, programmatic_access_type, scim_group_id, request_access_security_header

external_group.provision: An external group was created.
Fields: user_agent, request_id, actor, actor_id, oauth_application_id, action, operation_type, @timestamp, created_at, _document_id, business, business_id, token_scopes, programmatic_access_type, request_access_security_header

external_group.remove_member: A user was removed from an external group.
Fields: user_agent, request_id, hashed_token, programmatic_access_type, actor, actor_id, token_id, token_scopes, external_group, external_group_id, user, user_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, request_access_security_header

external_group.scim_api_failure: Failed external group SCIM API request.
Fields: user_agent, request_id, request_method, hashed_token, programmatic_access_type, actor, actor_id, token_id, token_scopes, query_string, api_request_body, route, status_code, url_path, scim_group_id, message, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot, request_access_security_header
Reference: REST API endpoints for SCIM

external_group.scim_api_success: Successful external group SCIM API request. Excludes GET API requests.
Fields: user_agent, request_id, request_method, hashed_token, programmatic_access_type, actor, actor_id, token_id, token_scopes, query_string, api_request_body, route, status_code, url_path, scim_group_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot, request_access_security_header
Reference: REST API endpoints for SCIM

external_group.unlink: An external group was unlinked to a GitHub team.
Fields: user_agent, request_id, actor, actor_id, external_group_id, action, operation_type, @timestamp, created_at, _document_id, business, business_id, external_group

external_group.update: An external group was updated.
Fields: user_agent, request_id, actor, actor_id, oauth_application_id, action, operation_type, @timestamp, created_at, _document_id, business, business_id, token_scopes, programmatic_access_type, scim_group_id, request_access_security_header

external_group.update_display_name: An external group's display name was updated.
Fields: user_agent, request_id, hashed_token, programmatic_access_type, actor, actor_id, token_id, token_scopes, external_group_id, external_group, action, _document_id, @timestamp, created_at, operation_type, business, business_id, scim_group_id, request_access_security_header

external_identity

external_identity.deprovision: An external identity was deprovisioned, suspending the linked GitHub user.
Fields: user_agent, request_id, actor, actor_id, oauth_application_id, action, user_id, operation_type, @timestamp, created_at, _document_id, token_scopes, programmatic_access_type, request_access_security_header

external_identity.provision: An external identity was created and linked to a GitHub user.
Fields: user_agent, request_id, action, user_id, operation_type, @timestamp, created_at, _document_id, programmatic_access_type, scim_user_id, request_access_security_header

external_identity.scim_api_failure: Failed external identity SCIM API request.
Fields: user_agent, request_id, request_method, hashed_token, programmatic_access_type, actor, actor_id, token_id, token_scopes, query_string, api_request_body, route, status_code, url_path, scim_user_id, message, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot, request_access_security_header
Reference: REST API endpoints for SCIM

external_identity.scim_api_success: Successful external identity SCIM API request. Excludes GET API requests.
Fields: user_agent, request_id, request_method, hashed_token, programmatic_access_type, actor, actor_id, token_id, token_scopes, query_string, api_request_body, route, status_code, url_path, scim_user_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot, request_access_security_header
Reference: REST API endpoints for SCIM

external_identity.update: An external identity was updated.
Fields: user_agent, request_id, action, user_id, operation_type, @timestamp, created_at, _document_id, token_scopes, programmatic_access_type, scim_user_id, request_access_security_header

gist

gist.create: A gist was created.
Fields: request_id, user_id, user, gist_id, @timestamp, created_at, operation_type, user_agent, actor, actor_id, visibility, action, _document_id, token_scopes, programmatic_access_type

gist.destroy: A gist was deleted.
Fields: user_id, gist_id, visibility, created_at, _document_id, user, request_id, operation_type, actor, actor_id, action, user_agent, @timestamp, programmatic_access_type

gist.visibility_change: The visibility of a gist was updated.
Fields: action, operation_type, @timestamp, user_agent, actor, user, gist_id, actor_id, request_id, visibility, user_id, created_at, _document_id, token_scopes, programmatic_access_type

git

Note: Git events have special access requirements and retention policies that differ from other audit log events. For GitHub Enterprise Cloud, access Git events via the REST API only with 7-day retention. For GitHub Enterprise Server, Git events must be enabled in audit log configuration and are not included in search results.

git.clone: A repository was cloned.
Fields: transport_protocol, request_id, repository, repository_id, repository_public, actor, actor_id, org, org_id, business, business_id, user, user_id, transport_protocol_name

git.fetch: Changes were fetched from a repository.
Fields: action, transport_protocol, request_id, repository, repository_id, repository_public, actor, actor_id, org, org_id, business, business_id, user, user_id, transport_protocol_name

git.push: Changes were pushed to a repository.
Fields: transport_protocol, request_id, repository, repository_id, repository_public, actor, actor_id, org, org_id, business, business_id, user, user_id, transport_protocol_name

git_signing_ssh_public_key

git_signing_ssh_public_key.create: An SSH key was added to a user account as a Git commit signing key.
Fields: actor, actor_id, user_agent, request_id, title, key, fingerprint, user_id, user, action, _document_id, @timestamp, created_at, operation_type, token_scopes, request_access_security_header
Reference: /authentication/managing-commit-signature-verification/telling-git-about-your-signing-key

git_signing_ssh_public_key.delete: An SSH key was removed from a user account as a Git commit signing key.
Fields: actor, actor_id, user_agent, request_id, title, key, fingerprint, user_id, explanation, user, action, _document_id, @timestamp, created_at, operation_type, token_scopes, request_access_security_header
Reference: /authentication/managing-commit-signature-verification/telling-git-about-your-signing-key

hook

hook.active_changed: A hook's active status was updated.
Fields: user_agent, request_id, actor, actor_id, created_at, name, events, active, active_was, hook_id, repo, repo_id, org, org_id, action, operation_type, @timestamp, _document_id, programmatic_access_type

hook.config_changed: A hook's configuration was changed.
Fields: actor_id, operation_type, @timestamp, _document_id, actor, name, org, user_agent, request_id, hook_id, repo, repo_id, created_at, oauth_application_id, action, events, org_id, token_scopes, programmatic_access_type

hook.create: A new hook was added.
Fields: oauth_application, _document_id, user_agent, actor, actor_id, oauth_application_id, repo_id, request_id, hook_id, events, repo, @timestamp, operation_type, name, action, created_at, org_id, org, token_scopes, programmatic_access_type
Reference: About webhooks

hook.destroy: A hook was deleted.
Fields: actor, events, repo, created_at, org, name, request_id, actor_id, repo_id, org_id, action, operation_type, oauth_application_id, user_agent, hook_id, @timestamp, _document_id, token_scopes, programmatic_access_type

hook.events_changed: A hook's configured events were changed.
Fields: actor, events, repo, operation_type, action, _document_id, actor_id, name, events_were, @timestamp, created_at, hook_id, repo_id, org_id, org, user_agent, request_id, oauth_application_id, token_scopes, programmatic_access_type

integration

integration.create: A GitHub App was created.
Fields: user, action, operation_type, @timestamp, actor, user_agent, actor_id, request_id, name, user_id, _document_id, integration, created_at, programmatic_access_type, request_access_security_header, application_client_id

integration.destroy: A GitHub App was deleted.
Fields: actor, user_id, actor_id, request_id, @timestamp, name, integration, user, _document_id, action, operation_type, created_at, user_agent

integration.manager_added: A member of an enterprise or organization was added as a GitHub App manager.
Fields: created_at, action, _document_id, name, org_id, manager, operation_type, actor, integration, org, @timestamp, actor_id, request_id, user_agent
Reference: /organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization

integration.manager_removed: A member of an enterprise or organization was removed from being a GitHub App manager.
Fields: user_agent, request_id, actor_id, org, operation_type, integration, org_id, _document_id, action, actor, name, created_at, manager, @timestamp
Reference: /organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization

integration.remove_client_secret: A client secret for a GitHub App was removed.
Fields: user_agent, request_id, actor, actor_id, name, integration, user, user_id, action, operation_type, @timestamp, created_at, _document_id, request_access_security_header

integration.revoke_all_tokens: All user tokens for a GitHub App were requested to be revoked.
Fields: user_agent, request_id, actor, actor_id, name, integration, user, user_id, action, operation_type, @timestamp, created_at, _document_id, application_client_id

integration.revoke_tokens: Token(s) for a GitHub App were revoked.
Fields: user_agent, request_id, actor, actor_id, name, integration, user, user_id, action, operation_type, @timestamp, created_at, _document_id, application_client_id

integration.suspend: A GitHub App was suspended.
Fields: actor, actor_id, user_agent, request_id, name, integration, user, user_id, action, _document_id, @timestamp, created_at, operation_type, application_client_id
Reference: /apps/maintaining-github-apps/suspending-a-github-app-installation

integration.transfer: Ownership of a GitHub App was transferred to another user or organization.
Fields: @timestamp, user_id, name, transfer_to_id, user, requester, action, requester_id, actor_id, created_at, _document_id, user_agent, transfer_to, operation_type, request_id, actor, integration, transfer_from, transfer_from_id, transfer_from_type, transfer_to_type
Reference: /apps/maintaining-github-apps/transferring-ownership-of-a-github-app

integration.unsuspend: A GitHub App was unsuspended.
Fields: actor, actor_id, user_agent, request_id, name, integration, user, user_id, action, _document_id, @timestamp, created_at, operation_type, application_client_id
Reference: /apps/maintaining-github-apps/suspending-a-github-app-installation

integration_installation

integration_installation.create: A GitHub App was installed.
Fields: operation_type, @timestamp, name, request_id, repository_selection, user_id, action, user_agent, user, created_at, integration, _document_id, programmatic_access_type, application_client_id
Reference: /apps/using-github-apps/authorizing-github-apps

integration_installation.destroy: A GitHub App was uninstalled.
Fields: @timestamp, request_id, actor, created_at, _document_id, repository_selection, integration, user_id, user, action, operation_type, name, actor_id, user_agent, programmatic_access_type, application_client_id
Reference: /apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access

integration_installation.repositories_added: Repositories were added to a GitHub App.
Fields: user_id, repository_selection, name, user, request_id, integration, operation_type, actor_id, action, repositories_added, created_at, _document_id, @timestamp, actor, user_agent, token_scopes, repositories_added_names, programmatic_access_type, actor_is_bot, application_client_id
Reference: /apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access

integration_installation.repositories_removed: Repositories were removed from a GitHub App.
Fields: user, operation_type, user_agent, actor, repository_selection, repositories_removed, integration, user_id, created_at, _document_id, request_id, @timestamp, name, action, actor_id, repositories_removed_names, programmatic_access_type, actor_is_bot, application_client_id
Reference: /apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access

integration_installation.suspend: A GitHub App was suspended.
Fields: user_agent, request_id, name, repository_selection, actor_id, integration, user, user_id, action, operation_type, @timestamp, created_at, _document_id, request_access_security_header, application_client_id
Reference: /apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access

integration_installation.unsuspend: A GitHub App was unsuspended.
Fields: user_agent, request_id, name, repository_selection, actor_id, integration, user, user_id, action, operation_type, @timestamp, created_at, _document_id
Reference: /apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access

integration_installation.version_updated: Permissions for a GitHub App were updated.
Fields: integration, user_id, user_agent, name, user, operation_type, actor_id, action, _document_id, request_id, created_at, repository_selection, @timestamp, actor, application_client_id
Reference: /apps/using-github-apps/approving-updated-permissions-for-a-github-app

ip_allow_list

ip_allow_list.disable: An IP allow list was disabled.
Fields: operation_type, actor, request_id, org, user_agent, _document_id, user_id, actor_id, created_at, org_id, action, @timestamp, user

ip_allow_list.disable_for_installed_apps: An IP allow list was disabled for installed GitHub Apps.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, business, business_id, action, operation_type, @timestamp, _document_id

ip_allow_list.disable_user_level_enforcement: IP allow list user level enforcement was disabled.
Fields: user_agent, request_id, actor, actor_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type

ip_allow_list.enable: An IP allow list was enabled.
Fields: org_id, business, user_id, request_id, actor, user, business_id, _document_id, action, @timestamp, user_agent, actor_id, operation_type, org, created_at

ip_allow_list.enable_for_installed_apps: An IP allow list was enabled for installed GitHub Apps.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, business, business_id, action, operation_type, @timestamp, _document_id

ip_allow_list.enable_user_level_enforcement: IP allow list user level enforcement was enabled.
Fields: user_agent, request_id, actor, actor_id, user, user_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type

ip_allow_list_entry

ip_allow_list_entry.create: An IP address was added to an IP allow list.
Fields: active, org, ip_allow_list_entry, @timestamp, _document_id, operation_type, created_at, user_agent, action, request_id, actor_id, business_id, org_id, business, actor, token_scopes, programmatic_access_type, request_access_security_header

ip_allow_list_entry.destroy: An IP address was deleted from an IP allow list.
Fields: _document_id, request_id, ip_allow_list_entry, org, operation_type, created_at, active, action, @timestamp, business, business_id, user_agent, org_id, actor, actor_id, token_scopes, programmatic_access_type, request_access_security_header

ip_allow_list_entry.update: An IP address or its description was changed.
Fields: request_id, _document_id, actor, org, action, operation_type, created_at, user_agent, actor_id, ip_allow_list_entry, active, org_id, @timestamp

marketplace_agreement_signature

marketplace_agreement_signature.create: The GitHub Marketplace Developer Agreement was signed.
Fields: request_id, actor, actor_id, @timestamp, _document_id, user_agent, operation_type, created_at, action, user, user_id, request_access_security_header

marketplace_listing

marketplace_listing.approve: A listing was approved for inclusion in GitHub Marketplace.
Fields: secondary_category, actor, primary_category, user, @timestamp, _document_id, user_id, user_agent, operation_type, created_at, request_id, actor_id, marketplace_listing, integration, action

marketplace_listing.change_category: A category for a listing for an app in GitHub Marketplace was changed.
Fields: primary_category, user_agent, request_id, actor, marketplace_listing, @timestamp, integration, org_id, action, org, secondary_category, operation_type, created_at, actor_id, _document_id

marketplace_listing.create: A listing for an app in GitHub Marketplace was created.
Fields: primary_category, _document_id, user, created_at, user_agent, oauth_application, action, request_id, marketplace_listing, user_id, secondary_category, oauth_application_id, actor, actor_id, operation_type, @timestamp

marketplace_listing.delist: A listing was removed from GitHub Marketplace.
Fields: org, actor, actor_id, user_agent, request_id, org_id, created_at, secondary_category, operation_type, marketplace_listing, action, @timestamp, _document_id, primary_category, integration

marketplace_listing.redraft: A listing was sent back to draft state.
Fields: _document_id, secondary_category, oauth_application_id, @timestamp, action, user_agent, user_id, operation_type, oauth_application, actor, created_at, marketplace_listing, request_id, actor_id, primary_category, user

marketplace_listing.reject: A listing was not accepted for inclusion in GitHub Marketplace.
Fields: user_agent, request_id, actor, actor_id, primary_category, secondary_category, marketplace_listing, oauth_application, oauth_application_id, user, user_id, action, operation_type, @timestamp, created_at, _document_id

migration

migration.create: A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.
Fields: repo, org_id, _document_id, org, repo_id, action, actor, created_at, operation_type, @timestamp, user_agent, request_id, actor_id, token_scopes, programmatic_access_type, actor_is_bot, request_access_security_header

oauth_access

oauth_access.create: An OAuth access token was generated.
Fields: _document_id, operation_type, user_agent, actor, @timestamp, user, user_id, created_at, action, actor_id, request_id, token_scopes, programmatic_access_type, request_access_security_header, oauth_application_name
Reference: /apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, Managing your personal access tokens

oauth_access.destroy: An OAuth access token was deleted.
Fields: @timestamp, user_agent, action, operation_type, _document_id, actor, created_at, user, user_id, request_id, explanation, hashed_token, actor_id, token_scopes, oauth_application_name
Reference: /apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps

oauth_access.regenerate: An OAuth access token was regenerated.
Fields: user, user_id, _document_id, created_at, @timestamp, operation_type, action, user_agent, request_id, actor, actor_id, token_scopes, programmatic_access_type, oauth_application_name

oauth_access.update: An OAuth access token was updated.
Fields: request_id, actor_id, actor, operation_type, _document_id, user_id, created_at, action, @timestamp, user, user_agent, request_access_security_header

oauth_application

oauth_application.create: An OAuth application was created.
Fields: org, created_at, oauth_application_id, operation_type, user_agent, actor_id, org_id, action, actor, oauth_application, @timestamp, _document_id, request_id, request_access_security_header
Reference: /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app

oauth_application.destroy: An OAuth application was deleted.
Fields: created_at, oauth_application_id, user_id, operation_type, @timestamp, user_agent, oauth_application, _document_id, actor, actor_id, request_id, action, user, request_access_security_header
Reference: /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app

oauth_application.generate_client_secret: An OAuth application's secret key was generated.
Fields: user_agent, request_id, actor, actor_id, oauth_application, oauth_application_id, user, user_id, action, operation_type, @timestamp, created_at, _document_id, request_access_security_header
Reference: /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app

oauth_application.remove_client_secret: An OAuth application's secret key was deleted.
Fields: user_agent, request_id, actor, actor_id, oauth_application, oauth_application_id, user, user_id, action, operation_type, @timestamp, created_at, _document_id, request_access_security_header
Reference: /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app

oauth_application.reset_secret: The secret key for an OAuth application was reset.
Fields: user, user_id, action, oauth_application, operation_type, request_id, actor_id, _document_id, created_at, actor, oauth_application_id, @timestamp, user_agent
Reference: /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app

oauth_application.revoke_all_tokens: All user tokens for an OAuth application were requested to be revoked.
Fields: user_agent, request_id, actor, actor_id, oauth_application, oauth_application_id, user, user_id, action, operation_type, @timestamp, created_at, _document_id, request_access_security_header
Reference: /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app

oauth_application.revoke_tokens: Token(s) for an OAuth application were revoked.
Fields: oauth_application_id, oauth_application, actor_id, user_agent, @timestamp, request_id, user_id, action, _document_id, actor, user, created_at, operation_type, request_access_security_header
Reference: /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app

oauth_application.transfer: An OAuth application was transferred from one account to another.
Fields: actor, operation_type, created_at, user_agent, oauth_application, actor_id, oauth_application_id, @timestamp, user_id, _document_id, request_id, user, action
Reference: /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app

oauth_application.unsuspend: An OAuth application was unsuspended for a user or organization account.
Fields: operation_type, org_id, action, oauth_application_id, oauth_application, org, created_at, @timestamp, _document_id
Reference: /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app

oauth_authorization

oauth_authorization.create: An authorization for an OAuth application was created.
Fields: operation_type, user_agent, user_id, actor, org_id, _document_id, request_id, action, @timestamp, created_at, actor_id, user, business, business_id, token_scopes, programmatic_access_type, actor_is_bot, request_access_security_header, oauth_application_name
Reference: /apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps

oauth_authorization.destroy: An authorization for an OAuth application was deleted.
Fields: user_agent, _document_id, request_id, operation_type, @timestamp, actor, created_at, explanation, user, user_id, org_id, action, actor_id, token_scopes, actor_is_bot, oauth_application_name
Reference: Reviewing and revoking authorization of GitHub Apps

oauth_authorization.update: An authorization for an OAuth application was updated.
Fields: org_id, request_id, user_id, actor, actor_id, user_agent, @timestamp, operation_type, action, user, created_at, _document_id, actor_is_bot, request_access_security_header, oauth_application_name
Reference: /apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps

org

org.accept_business_invitation: An invitation sent to an organization to join an enterprise was accepted.
Fields: user_agent, request_id, actor, actor_id, org, org_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Adding organizations to your enterprise

org.add_billing_manager: A billing manager was added to an organization.
Fields: operation_type, _document_id, user_agent, org, user_id, action, created_at, org_id, user, actor, actor_id, @timestamp, request_id, request_access_security_header
Reference: /organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization

org.add_member: A user joined an organization.
Fields: permission, _document_id, org, operation_type, request_id, actor, user, @timestamp, created_at, user_agent, org_id, user_id, actor_id, action, programmatic_access_type, actor_is_bot

org.add_outside_collaborator: An outside collaborator was added to a repository.
Fields: actor, actor_id, user_agent, request_id, inviter, org, org_id, repo, repo_id, public_repo, permission, invitee, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header

org.advanced_security_disabled_for_new_repos: GitHub Advanced Security was disabled for new repositories in an organization.
Fields: user_agent, request_id, actor, actor_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, business, business_id, token_scopes

org.advanced_security_disabled_on_all_repos: GitHub Advanced Security was disabled for all repositories in an organization.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, business, business_id, action, operation_type, @timestamp, created_at, _document_id, token_scopes

org.advanced_security_enabled_for_new_repos: GitHub Advanced Security was enabled for new repositories in an organization.
Fields: user_agent, request_id, actor, actor_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, business, business_id, token_scopes

org.advanced_security_enabled_on_all_repos: GitHub Advanced Security was enabled for all repositories in an organization.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, business, business_id, action, operation_type, @timestamp, created_at, _document_id, token_scopes

org.advanced_security_policy_selected_member_disabled: An enterprise owner prevented GitHub Advanced Security features from being enabled for repositories owned by the organization.
Fields: user_agent, request_id, actor, actor_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, business, business_id
Reference: Enforcing policies for code security and analysis for your enterprise

org.advanced_security_policy_selected_member_enabled: An enterprise owner allowed GitHub Advanced Security features to be enabled for repositories owned by the organization.
Fields: user_agent, request_id, actor, actor_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, business, business_id, actor_is_bot
Reference: Enforcing policies for code security and analysis for your enterprise

org.async_delete: A user initiated a background job to delete an organization.
Fields: _document_id, actor, actor_id, action, operation_type, @timestamp, request_id, org, org_id, user_agent, created_at

org.block_user: An organization owner blocked a user from accessing the organization's repositories.
Fields: actor, user_agent, org_id, created_at, _document_id, blocked_user, action, operation_type, actor_id, org, @timestamp, request_id
Reference: /communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization

org.cancel_business_invitation: An invitation for an organization to join an enterprise was revoked
Fields: user_agent, request_id, actor, actor_id, org, org_id, business, business_id, action, operation_type, @timestamp, created_at, _document_id, initiated_from
Reference: Adding organizations to your enterprise

org.cancel_invitation: An invitation sent to a user to join an organization was revoked.
Fields: actor_id, org_id, request_id, email, @timestamp, actor, action, operation_type, user_agent, org, invitation_id, _document_id, created_at, invitee_email, token_scopes, programmatic_access_type

org.code_scanning_autofix_disabled: Autofix for code scanning alerts was disabled for an organization.
Fields: actor, actor_id, user_agent, request_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot, request_access_security_header

org.code_scanning_autofix_enabled: Autofix for code scanning alerts was enabled for an organization.
Fields: actor, actor_id, user_agent, request_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot, request_access_security_header

org.codeql_disabled: Code scanning using the default setup was disabled for an organization.
Fields: actor, actor_id, user_agent, request_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id
Reference: /code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale

org.codeql_enabled: Code scanning using the default setup was enabled for an organization.
Fields: actor, actor_id, user_agent, request_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id
Reference: /code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale

org.config.disable_collaborators_only: The interaction limit for collaborators only for an organization was disabled.
Fields: request_id, org, action, operation_type, _document_id, actor, actor_id, @timestamp, user_agent, org_id, created_at
Reference: /communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization

org.config.disable_contributors_only: The interaction limit for prior contributors only for an organization was disabled.
Fields: operation_type, @timestamp, created_at, user_agent, action, actor_id, org, _document_id, actor, org_id, request_id
Reference: /communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization

org.config.disable_sockpuppet_disallowed: The interaction limit for existing users only for an organization was disabled.
Fields: _document_id, operation_type, actor_id, org_id, action, created_at, actor, org, @timestamp, user_agent, request_id
Reference: /communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization

org.config.enable_collaborators_only: The interaction limit for collaborators only for an organization was enabled.
Fields: @timestamp, created_at, _document_id, actor_id, actor, org, org_id, request_id, operation_type, action, user_agent
Reference: /communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization

org.config.enable_contributors_only: The interaction limit for prior contributors only for an organization was enabled.
Fields: actor, actor_id, org_id, action, operation_type, @timestamp, user_agent, request_id, org, created_at, _document_id
Reference: /communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization

org.config.enable_sockpuppet_disallowed: The interaction limit for existing users only for an organization was enabled.
Fields: actor_id, request_id, action, created_at, user_agent, actor, _document_id, org_id, operation_type, org, @timestamp
Reference: /communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization

org.confirm_business_invitation: An invitation for an organization to join an enterprise was confirmed.
Fields: user_agent, request_id, actor, actor_id, org, org_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Adding organizations to your enterprise

org.create: An organization was created.
Fields: request_id, org, actor_id, actor, action, @timestamp, _document_id, user_agent, operation_type, org_id, created_at, request_access_security_header
Reference: /organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch

org.delete: An organization was deleted by a user or staff.
Fields: user_agent, @timestamp, _document_id, created_at, actor, org_id, org, action, actor_id, operation_type, request_id, request_access_security_header

org.disable_member_team_creation_permission: Team creation was limited to owners.
Fields: actor, @timestamp, _document_id, user, user_id, action, created_at, actor_id, user_agent, org, org_id, operation_type, request_id, request_access_security_header
Reference: /organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization

org.disable_reader_discussion_creation_permission: An organization owner limited discussion creation to users with at least triage permission in an organization.
Fields: user_agent, request_id, actor, actor_id, org, org_id, user, user_id, action, operation_type, @timestamp, created_at, _document_id
Reference: /organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization

org.disable_saml: SAML single sign-on was disabled for an organization.
Fields: org_id, sso_url, issuer, action, @timestamp, _document_id, created_at, org, operation_type

org.disable_two_factor_requirement: A two-factor authentication requirement was disabled for the organization.
Fields: created_at, org, org_id, action, actor, actor_id, operation_type, request_id, @timestamp, _document_id, user_agent

org.display_commenter_full_name_disabled: An organization owner disabled the display of a commenter's full name in an organization. Members cannot see a comment author's full name.
Fields: actor, user_id, user, action, operation_type, @timestamp, _document_id, created_at, user_agent, org, actor_id, org_id, request_id

org.display_commenter_full_name_enabled: An organization owner enabled the display of a commenter's full name in an organization. Members can see a comment author's full name.
Fields: org, user_agent, request_id, actor, _document_id, user_id, operation_type, @timestamp, created_at, user, action, actor_id, org_id

org.enable_member_team_creation_permission: Team creation by members was allowed.
Fields: org_id, user, actor, operation_type, _document_id, user_id, created_at, user_agent, actor_id, org, request_id, action, @timestamp
Reference: /organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization

org.enable_reader_discussion_creation_permission: An organization owner allowed users with read access to create discussions in an organization
Fields: user_agent, request_id, actor, actor_id, created_at, org, org_id, user, user_id, action, operation_type, @timestamp, _document_id
Reference: /organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization

org.enable_saml: SAML single sign-on was enabled for the organization.
Fields: actor_id, action, operation_type, actor, sso_url, org, created_at, @timestamp, issuer, org_id, _document_id, user_agent, request_id
Reference: Enabling and testing SAML single sign-on for your organization

org.enable_two_factor_requirement: Two-factor authentication is now required for the organization.
Fields: actor_id, action, _document_id, org, @timestamp, actor, user_agent, org_id, operation_type, created_at, request_id
Reference: /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization

org.integration_manager_added: An organization owner granted a member access to manage all GitHub Apps owned by an organization.
Fields: user_agent, org_id, manager, @timestamp, request_id, actor, operation_type, _document_id, actor_id, org, action, created_at

org.integration_manager_removed: An organization owner removed access to manage all GitHub Apps owned by an organization from an organization member.
Fields: org_id, @timestamp, org, user_agent, request_id, action, actor, actor_id, manager, operation_type, created_at, _document_id

org.invite_member: A new user was invited to join an organization.
Fields: org, user_id, invitation_id, org_id, user, action, operation_type, _document_id, actor, @timestamp, created_at, user_agent, actor_id, request_id, invitee_email, token_scopes, programmatic_access_type
Reference: /organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization

org.invite_to_business: An organization was invited to join an enterprise.
Fields: user_agent, request_id, actor, actor_id, org, org_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type

org.members_can_update_protected_branches.disable: The ability for enterprise members to update protected branches was disabled. Only enterprise owners can update protected branches.
Fields: user_agent, request_id, actor, actor_id, org, org_id, user, user_id, action, operation_type, @timestamp, created_at, _document_id

org.members_can_update_protected_branches.enable: The ability for enterprise members to update protected branches was enabled. Members of an organization can update protected branches.
Fields: org, org_id, user_agent, actor_id, user_id, operation_type, @timestamp, created_at, request_id, _document_id, actor, user, action

org.recreate: An organization was restored.
Fields: created_at, org, action, operation_type, _document_id, user_agent, actor_id, @timestamp, request_id, actor, org_id

org.register_self_hosted_runner: A new self-hosted runner was registered.
Fields: actor, operation_type, @timestamp, _document_id, request_id, org, org_id, action, created_at, user_agent, actor_id, actor_is_bot, request_access_security_header
Reference: Adding self-hosted runners

org.remove_billing_manager: A billing manager was removed from an organization, either manually or due to a two-factor authentication requirement.
Fields: user_id, user_agent, org_id, user, action, _document_id, operation_type, @timestamp, actor, org, actor_id, request_id, created_at
Reference: /organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization

org.remove_member: A member was removed from an organization, either manually or due to a two-factor authentication requirement.
Fields: _document_id, request_id, actor_id, user_agent, actor, action, user_id, @timestamp, created_at, user, operation_type, org_id, org, token_scopes, programmatic_access_type

org.remove_outside_collaborator: An outside collaborator was removed from an organization, either manually or due to a two-factor authentication requirement.
Fields: org, user, org_id, created_at, request_id, @timestamp, action, operation_type, user_agent, _document_id, actor, actor_id, user_id, programmatic_access_type, request_access_security_header

org.remove_self_hosted_runner: A self-hosted runner was removed.
Fields: operation_type, org_id, @timestamp, _document_id, user_agent, request_id, actor_id, org, created_at, actor, action, programmatic_access_type
Reference: Removing self-hosted runners

org.rename: An organization was renamed.
Fields: user_agent, _document_id, @timestamp, org, action, actor, old_login, org_id, request_id, actor_id, operation_type, created_at, request_access_security_header

org.restore_member: An organization member was restored.
Fields: user, actor, user_id, _document_id, action, created_at, org_id, operation_type, request_id, @timestamp, user_agent, org, actor_id, request_access_security_header
Reference: /organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization

org.runner_group_created: A self-hosted runner group was created.
Fields: user_agent, request_id, actor, actor_id, runner_group_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, runner_group_restricted_to_workflows, runner_group_selected_workflow_refs, programmatic_access_type, network_configuration_id
Reference: Managing access to self-hosted runners using groups

org.runner_group_removed: A self-hosted runner group was removed.
Fields: user_agent, request_id, actor, actor_id, runner_group_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, business, business_id, programmatic_access_type
Reference: Managing access to self-hosted runners using groups

org.runner_group_runner_removed: The REST API was used to remove a self-hosted runner from a group.
Fields: user_agent, request_id, actor, actor_id, oauth_application_id, runner_group_id, runner_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, token_scopes, programmatic_access_type, request_access_security_header
Reference: /rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization

org.runner_group_runners_added: A self-hosted runner was added to a group.
Fields: user_agent, request_id, actor, actor_id, runner_group_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, business, business_id, token_scopes, programmatic_access_type, request_access_security_header
Reference: Managing access to self-hosted runners using groups

org.runner_group_runners_updated: A runner group's list of members was updated.
Fields: user_agent, request_id, actor, actor_id, oauth_application_id, runner_group_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id
Reference: /rest/actions#set-self-hosted-runners-in-a-group-for-an-organization

org.runner_group_updated: The configuration of a self-hosted runner group was changed.
Fields: user_agent, request_id, actor, actor_id, runner_group_id, runner_group_name, runner_group_allow_public, org, org_id, action, operation_type, @timestamp, created_at, _document_id, runner_group_restricted_to_workflows, runner_group_selected_workflow_refs, programmatic_access_type, network_configuration_id, request_access_security_header
Reference: Managing access to self-hosted runners using groups

org.secret_scanning_custom_pattern_push_protection_disabled: Push protection for a custom pattern for secret scanning was disabled for an organization.
Fields: actor, actor_id, user_agent, request_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id
Reference: Defining custom patterns for secret scanning

org.secret_scanning_custom_pattern_push_protection_enabled: Push protection for a custom pattern for secret scanning was enabled for an organization.
Fields: actor, actor_id, user_agent, request_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, request_access_security_header
Reference: Defining custom patterns for secret scanning

org.secret_scanning_push_protection_custom_message_disabled: The custom message triggered by an attempted push to a push-protected repository was disabled for an organization.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, programmatic_access_type
Reference: About push protection

org.secret_scanning_push_protection_custom_message_enabled: The custom message triggered by an attempted push to a push-protected repository was enabled for an organization.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, programmatic_access_type
Reference: About push protection

org.secret_scanning_push_protection_custom_message_updated: The custom message triggered by an attempted push to a push-protected repository was updated for an organization.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, programmatic_access_type
Reference: About push protection

org.secret_scanning_push_protection_disable: Push protection for secret scanning was disabled.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id
Reference: About push protection

org.secret_scanning_push_protection_enable: Push protection for secret scanning was enabled.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id
Reference: About push protection

org.secret_scanning_push_protection_new_repos_disable: Push protection for secret scanning was disabled for all new repositories in the organization.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, token_scopes
Reference: About push protection

org.secret_scanning_push_protection_new_repos_enable: Push protection for secret scanning was enabled for all new repositories in the organization.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, token_scopes
Reference: About push protection

org.self_hosted_runner_offline: The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.
Fields: org_id, org, runner_id, runner_name, action, _document_id, operation_type, created_at, @timestamp
Reference: Monitoring and troubleshooting self-hosted runners

org.self_hosted_runner_online: The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.
Fields: org_id, org, runner_id, runner_name, action, _document_id, operation_type, created_at, @timestamp
Reference: Monitoring and troubleshooting self-hosted runners

org.self_hosted_runner_updated: The runner application was updated. This event is not included in the JSON/CSV export.
Fields: org_id, runner_id, runner_name, source_version, target_version, runner_group_id, runner_group_name
Reference: Self-hosted runners

org.set_actions_fork_pr_approvals_policy: The setting for requiring approvals for workflows from public forks was changed for an organization.
Fields: user_agent, request_id, actor, actor_id, policy, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id
Reference: /organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks

org.set_actions_private_fork_pr_approvals_policy: The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.
Fields: actor, actor_id, user_agent, request_id, policy, org, org_id, action, _document_id, @timestamp, created_at, operation_type
Reference: /organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks

org.set_actions_retention_limit: The retention period for GitHub Actions artifacts and logs in an organization was changed.
Fields: user_agent, request_id, actor, actor_id, limit, org, org_id, action, operation_type, @timestamp, created_at, _document_id
Reference: /organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization

org.set_default_workflow_permissions: The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.
Fields: actor, actor_id, user_agent, request_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: /organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization

org.set_fork_pr_workflows_policy: The policy for workflows on private repository forks was changed.
Fields: user_agent, request_id, actor, actor_id, policy, org, org_id, action, operation_type, @timestamp, created_at, _document_id
Reference: /organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks

org.set_workflow_permission_can_approve_pr: The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.
Fields: actor, actor_id, user_agent, request_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: /organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests

org.sso_response: A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.
Fields: action, user_agent, actor, actor_id, org_id, @timestamp, org, issuer, business, operation_type, created_at, request_id, business_id, _document_id, actor_is_bot, request_access_security_header

org.transform: A user account was converted into an organization.
Fields: actor, _document_id, request_id, operation_type, actor_id, org_id, org, action, @timestamp, created_at, user_agent, owner, request_access_security_header
Reference: /account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-personal-account/converting-a-user-into-an-organization

org.unblock_user: A user was unblocked from an organization.
Fields: oauth_application_id, _document_id, blocked_user, action, operation_type, @timestamp, request_id, created_at, actor, actor_id, org, org_id, user_agent
Reference: /communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization

org.update_actions_settings: An organization owner or site administrator updated GitHub Actions policy settings for an organization.
Fields: user_agent, request_id, actor, actor_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, new_policy, updated_allowed_types, old_policy, updated_access_policy, programmatic_access_type, request_access_security_header
Reference: /organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization

org.update_default_repository_permission: The default repository permission level for organization members was changed.
Fields: actor, action, operation_type, created_at, org, org_id, request_id, @timestamp, user_agent, permission, actor_id, old_permission, _document_id, programmatic_access_type

org.update_member: A person's role was changed from owner to member or member to owner.
Fields: @timestamp, org_id, created_at, _document_id, user, user_id, action, request_id, actor_id, old_permission, permission, actor, user_agent, operation_type, org

org.update_member_repository_creation_permission: The create repository permission for organization members was changed.
Fields: actor, action, @timestamp, request_id, actor_id, permission, created_at, user_agent, org, org_id, _document_id, visibility, operation_type

org.update_member_repository_invitation_permission: An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.
Fields: actor_id, permission, action, org_id, actor, created_at, _document_id, business_id, operation_type, org, user_agent, request_id, business, @timestamp
Reference: Setting permissions for adding outside collaborators

org.update_saml_provider_settings: An organization's SAML provider settings were updated.
Fields: user_agent, sso_url, actor_id, operation_type, @timestamp, issuer, org, _document_id, actor, org_id, created_at, request_id, action

org.update_terms_of_service: An organization changed between the Standard Terms of Service and the GitHub Customer Agreement.
Fields: request_id, org_id, actor, actor_id, user_agent, operation_type, _document_id, org, action, @timestamp, created_at, request_access_security_header
Reference: /organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement

org_secret_scanning_automatic_validity_checks

org_secret_scanning_automatic_validity_checks.disabled: Automatic partner validation checks have been disabled at the organization level
Fields: actor, actor_id, user_agent, request_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization

org_secret_scanning_automatic_validity_checks.enabled: Automatic partner validation checks have been enabled at the organization level
Fields: actor, actor_id, user_agent, request_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization

org_secret_scanning_custom_pattern

org_secret_scanning_custom_pattern.create: A custom pattern was created for secret scanning in an organization.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: Defining custom patterns for secret scanning

org_secret_scanning_custom_pattern.delete: A custom pattern was removed from secret scanning in an organization.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, request_access_security_header
Reference: Defining custom patterns for secret scanning

org_secret_scanning_custom_pattern.publish: A custom pattern was published for secret scanning in an organization.
Fields: actor, actor_id, user_agent, request_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id
Reference: Defining custom patterns for secret scanning

org_secret_scanning_custom_pattern.update: Changes to a custom pattern were saved and a dry run was executed for secret scanning in an organization.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id
Reference: Defining custom patterns for secret scanning

org_secret_scanning_non_provider_patterns

org_secret_scanning_non_provider_patterns.disabled: Secret scanning for non-provider patterns was disabled at the organization level.
Fields: actor, actor_id, user_agent, request_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot
Reference: Supported secret scanning patterns

org_secret_scanning_non_provider_patterns.enabled: Secret scanning for non-provider patterns was enabled at the organization level.
Fields: actor, actor_id, user_agent, request_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot
Reference: Supported secret scanning patterns

org_secret_scanning_push_protection_bypass_list

org_secret_scanning_push_protection_bypass_list.add: A role or team was added to the push protection bypass list at the organization level.
Fields: actor, actor_id, user_agent, request_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot
Reference: About push protection

org_secret_scanning_push_protection_bypass_list.disable: Push protection settings for "Users who can bypass push protection for secret scanning" changed from "Specific roles or teams" to "Anyone with write access" at the organization level.
Fields: actor, actor_id, user_agent, request_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot
Reference: About push protection

org_secret_scanning_push_protection_bypass_list.enable: Push protection settings for "Users who can bypass push protection for secret scanning" changed from "Anyone with write access" to "Specific roles or teams" at the organization level.
Fields: actor, actor_id, user_agent, request_id, user, user_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot
Reference: About push protection

org_secret_scanning_push_protection_bypass_list.remove: A role or team was removed from the push protection bypass list at the organization level.
Fields: actor, actor_id, user_agent, request_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot
Reference: About push protection

org_secret_scanning_push_protection_pattern_configuration

org_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed: The push protection setting was changed for a secret type for your org.
Fields: actor, actor_id, user_agent, request_id, user, user_id, org, org_id, business, business_id, action, _document_id, @timestamp, created_at, secret_type, secret_type_display_name, push_protection_setting
Reference: Managing GitHub Advanced Security features for your enterprise

org_secret_scanning_push_protection_pattern_configuration.updated: The push protection pattern configuration was updated for your org.
Fields: actor, actor_id, user_agent, request_id, user, user_id, org, org_id, business, business_id, action, _document_id, @timestamp
Reference: Managing GitHub Advanced Security features for your enterprise

organization_domain

organization_domain.approve: A domain was approved for an organization.
Fields: user_agent, request_id, actor, actor_id, owner_type, domain_name, org_id, business_id, owner, action, operation_type, @timestamp, created_at, _document_id
Reference: /organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization

organization_domain.create: A domain was added to an organization.
Fields: created_at, _document_id, domain_name, action, request_id, actor_id, operation_type, @timestamp, user_agent, actor
Reference: /organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization

organization_domain.destroy: A domain was removed from an organization.
Fields: action, domain_name, @timestamp, _document_id, user_agent, request_id, actor, actor_id, operation_type, created_at
Reference: /organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain

organization_domain.verify: A domain was verified for an organization.
Fields: operation_type, domain_name, @timestamp, user_agent, request_id, actor, action, created_at, _document_id, actor_id
Reference: /organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization

packages

packages.package_deleted: An entire package was deleted.
Fields: actor_id, actor, org, org_id, repo, repo_id, package, action, operation_type, @timestamp, created_at, _document_id, business, business_id, actor_is_bot
Reference: /packages/learn-github-packages/deleting-and-restoring-a-package

packages.package_published: A package was published or republished to an organization.
Fields: actor_id, actor, org, org_id, repo, repo_id, package, ecosystem, version_count, is_republished, action, operation_type, @timestamp, created_at, _document_id, business, business_id, actor_is_bot

packages.package_version_deleted: A specific package version was deleted.
Fields: actor_id, actor, org, org_id, repo, repo_id, package, version, action, operation_type, @timestamp, created_at, _document_id, business, business_id, ecosystem, actor_is_bot
Reference: /packages/learn-github-packages/deleting-and-restoring-a-package

packages.package_version_published: A specific package version was published or republished to a package.
Fields: org_id, ecosystem, package, version, actor_id, user_agent, is_republished, actor, action, operation_type, @timestamp, created_at, _document_id, business, business_id, actor_is_bot

pages_protected_domain

pages_protected_domain.create: A GitHub Pages verified domain was created for an organization or enterprise.
Fields: user_agent, request_id, actor, actor_id, owner, owner_type, domain, state, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: /pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages

pages_protected_domain.delete: A GitHub Pages verified domain was deleted from an organization or enterprise.
Fields: user_agent, request_id, actor, actor_id, owner, owner_type, domain, state, action, _document_id, @timestamp, created_at, operation_type
Reference: /pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages

pages_protected_domain.verify: A GitHub Pages domain was verified for an organization or enterprise.
Fields: user_agent, request_id, actor, actor_id, owner, owner_type, domain, state, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: /pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages

passkey

passkey.register: A new passkey was added.
Fields: actor, actor_id, user_agent, request_id, nickname, user, user_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header

passkey.remove: A new passkey was removed.
Fields: actor, actor_id, user_agent, request_id, nickname, user, user_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header

payment_method

payment_method.create: A new payment method was added, such as a new credit card or PayPal account.
Fields: user_agent, request_id, user, operation_type, user_id, _document_id, action, actor, actor_id, @timestamp, created_at, request_access_security_header

payment_method.remove: A payment method was removed.
Fields: user, created_at, actor_id, @timestamp, user_id, action, operation_type, actor, _document_id, request_access_security_header

payment_method.update: An existing payment method was updated.
Fields: operation_type, request_id, org_id, created_at, actor_id, @timestamp, action, actor, org, user_agent, _document_id, request_access_security_header

personal_access_token

personal_access_token.access_granted: A fine-grained personal access token was granted access to resources.
Fields: user_agent, request_id, actor, actor_id, user_programmatic_access_id, user_programmatic_access_name, repository_selection, user, user_id, action, _document_id, @timestamp, created_at, operation_type
Reference: /organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization

personal_access_token.access_revoked: A fine-grained personal access token was revoked. The token can still read public organization resources.
Fields: user_agent, request_id, actor, actor_id, user_programmatic_access_id, user_programmatic_access_name, repository_selection, user, user_id, action, _document_id, @timestamp, created_at, operation_type
Reference: /organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization

personal_access_token.create: Triggered when you create a fine-grained personal access token.
Fields: user_agent, request_id, actor, actor_id, user_programmatic_access_name, user, user_id, repository_selection, action, _document_id, @timestamp, created_at, operation_type

personal_access_token.credential_regenerated: Triggered when you regenerate a fine-grained personal access token.
Fields: user_agent, request_id, actor, actor_id, user_programmatic_access_name, user, user_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header

personal_access_token.credential_revoked: A fine-grained personal access token was revoked by GitHub Advanced Security.
Fields: user_programmatic_access_name, user, user_id, action, _document_id, @timestamp, created_at, operation_type
Reference: /code-security/getting-started/github-security-features#secret-scanning-alerts-for-users

personal_access_token.destroy: Triggered when you delete a fine-grained personal access token.
Fields: user_agent, request_id, actor, actor_id, user_programmatic_access_name, user, user_id, explanation, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header

personal_access_token.request_cancelled: A pending request for a fine-grained personal access token to access organization resources was canceled.
Fields: user_agent, request_id, actor, actor_id, user_programmatic_access_name, org, org_id, repository_selection, action, _document_id, @timestamp, created_at, operation_type, user_programmatic_access_request_id

personal_access_token.request_created: Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.
Fields: user_agent, request_id, actor, actor_id, user_programmatic_access_id, user_programmatic_access_name, user, user_id, repository_selection, action, _document_id, @timestamp, created_at, operation_type, user_programmatic_access_request_id
Reference: /organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization

personal_access_token.request_denied: A request for a fine-grained personal access token to access organization resources was denied.
Fields: actor, actor_id, user_agent, request_id, user_programmatic_access_name, org, org_id, repository_selection, action, _document_id, @timestamp, created_at, operation_type, user_programmatic_access_request_id
Reference: /organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization

personal_access_token.update: A fine-grained personal access token was updated.
Fields: user_agent, request_id, actor, actor_id, user_programmatic_access_name, user, user_id, repository_selection, action, _document_id, @timestamp, created_at, operation_type
Reference: /authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens

profile_picture

profile_picture.update: A profile picture was updated.
Fields: user, actor_id, user_id, @timestamp, created_at, owner, action, _document_id, request_id, user_agent, actor, operation_type
Reference: /account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile

project

project.access: A project board visibility was changed.
Fields: actor_id, actor, user_agent, operation_type, user, created_at, user_id, action, request_id, _document_id, @timestamp

project.close: A project board was closed.
Fields: org_id, user_agent, request_id, operation_type, @timestamp, created_at, repo_id, org, _document_id, project_id, action, actor, actor_id, repo, project_kind
Reference: Closing a project (classic)

project.create: A project board was created.
Fields: operation_type, user, _document_id, request_id, user_id, user_agent, @timestamp, actor_id, action, created_at, actor

project.delete: A project board was deleted.
Fields: request_id, action, actor_id, operation_type, actor, user_id, @timestamp, created_at, _document_id, user_agent, user

project.link: A repository was linked to a project board.
Fields: repo_id, action, actor_id, org_id, user_agent, request_id, actor, operation_type, @timestamp, _document_id, created_at, org, repo

project.open: A project board was reopened.
Fields: actor, request_id, actor_id, action, user_id, project_id, _document_id, user_agent, operation_type, user, @timestamp, created_at, project_kind, project_name
Reference: Reopening a closed project (classic)

project.rename: A project board was renamed.
Fields: action, created_at, request_id, actor_id, old_name, operation_type, @timestamp, repo, _document_id, user_agent, org_id, business_id, actor, repo_id, org, business

project.unlink: A repository was unlinked from a project board.
Fields: repo, repo_id, operation_type, actor, action, created_at, actor_id, _document_id, request_id, @timestamp, user_agent, org, org_id

project.update_org_permission: The project's base-level permission for all organization members was changed or removed.
Fields: actor, org, @timestamp, _document_id, operation_type, created_at, request_id, actor_id, action, org_id, user_agent

project.update_team_permission: A team's project board permission level was changed or when a team was added or removed from a project board.
Fields: created_at, org_id, operation_type, org, actor_id, _document_id, request_id, team, @timestamp, action, user_agent, actor

project.update_user_permission: A user was added to or removed from a project board or had their permission level changed.
Fields: request_id, user_id, operation_type, @timestamp, actor_id, user, user_agent, actor, created_at, org, _document_id, org_id, action, programmatic_access_type

project_field

project_field.create: A field was created in a project board.
Fields: user_agent, request_id, actor, actor_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: /issues/planning-and-tracking-with-projects/understanding-fields

project_field.delete: A field was deleted in a project board.
Fields: user_agent, request_id, actor, actor_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: /issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields

project_view

project_view.create: A view was created in a project board.
Fields: user_agent, request_id, actor, actor_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: /issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views

project_view.delete: A view was deleted in a project board.
Fields: user_agent, request_id, actor, actor_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: /issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views

protected_branch

protected_branch.authorized_users_teams: The users, teams, or integrations allowed to bypass a branch protection were changed.
Fields: repo, action, org_id, user_agent, name, created_at, _document_id, operation_type, actor, repo_id, org, request_id, actor_id, oauth_application_id, @timestamp, programmatic_access_type
Reference: /repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches

protected_branch.branch_allowances: A protected branch allowance was given to a specific user, team or integration.
Fields: user_agent, request_id, token_id, hashed_token, programmatic_access_type, actor, actor_id, name, authorized_actors, policy, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, request_access_security_header

protected_branch.create: Branch protection was enabled on a branch.
Fields: operation_type, repo_id, user_id, @timestamp, user_agent, repo, name, org_id, user, _document_id, request_id, actor, actor_id, org, action, created_at, authorized_actor_names, token_scopes, required_deployments_enforcement_level, merge_queue_enforcement_level, create_protected

protected_branch.destroy: Branch protection was disabled on a branch.
Fields: name, repo, @timestamp, actor, org, actor_id, request_id, repo_id, org_id, operation_type, action, user_agent, created_at, _document_id, token_scopes, required_deployments_enforcement_level, merge_queue_enforcement_level, create_protected

protected_branch.dismiss_stale_reviews: Enforcement of dismissing stale pull requests was updated on a branch.
Fields: user_agent, dismiss_stale_reviews_on_push, org_id, action, created_at, request_id, _document_id, @timestamp, actor_id, repo_id, operation_type, actor, repo, org, name, programmatic_access_type

protected_branch.dismissal_restricted_users_teams: Enforcement of restricting users and/or teams who can dismiss reviews was updated on a branch.
Fields: repo, repo_id, actor, oauth_application_id, authorized_actors_only, authorized_actors, created_at, user_agent, name, _document_id, org_id, request_id, @timestamp, actor_id, org, action, operation_type, programmatic_access_type

protected_branch.policy_override: A branch protection requirement was overridden by a repository administrator.
Fields: repo_id, created_at, actor, reasons, @timestamp, before, after, actor_id, repo, operation_type, user_agent, branch, overridden_codes, org, org_id, action, _document_id, request_id, referrer, business, business_id, deploy_key_fingerprint, token_scopes, programmatic_access_type, compliant_pull_request_ids, rule_suite_id

protected_branch.rejected_ref_update: A branch update attempt was rejected.
Fields: repo, org, @timestamp, created_at, _document_id, business, org_id, operation_type, request_id, repo_id, actor, branch, before, overridden_codes, after, action, reasons, actor_id, business_id, deploy_key_fingerprint, token_scopes, programmatic_access_type, compliant_pull_request_ids, actor_is_bot, rule_suite_id

protected_branch.update_admin_enforced: Branch protection was enforced for repository administrators.
Fields: request_id, actor_id, admin_enforced, operation_type, user_agent, actor, org, name, repo, @timestamp, action, repo_id, org_id, _document_id, created_at, token_scopes, programmatic_access_type

protected_branch.update_allow_deletions_enforcement_level: Branch deletion was enabled or disabled for a protected branch.
Fields: name, operation_type, request_id, repo, @timestamp, org_id, org, action, allow_deletions_enforcement_level, _document_id, created_at, actor_id, user_agent, actor, repo_id, request_access_security_header

protected_branch.update_allow_force_pushes_enforcement_level: Force pushes were enabled or disabled for a branch.
Fields: org_id, actor_id, name, _document_id, actor, repo, operation_type, request_id, allow_force_pushes_enforcement_level, @timestamp, org, action, created_at, user_agent, repo_id, token_scopes, programmatic_access_type

protected_branch.update_ignore_approvals_from_contributors: Ignoring of approvals from contributors to a pull request was enabled or disabled for a branch.
Fields: actor, actor_id, user_agent, request_id, name, ignore_approvals_from_contributors, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id
Reference: /repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule

protected_branch.update_linear_history_requirement_enforcement_level: Required linear commit history was enabled or disabled for a branch.
Fields: actor_id, action, user_agent, operation_type, actor, linear_history_requirement_enforcement_level, repo, request_id, name, org_id, repo_id, org, @timestamp, created_at, _document_id, programmatic_access_type

protected_branch.update_lock_allows_fetch_and_merge: Fork syncing was enabled or disabled for a read-only branch
Fields: actor, actor_id, user_agent, request_id, name, lock_allows_fetch_and_merge, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, programmatic_access_type, request_access_security_header
Reference: repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch

protected_branch.update_lock_branch_enforcement_level: The enforcement of a branch lock was updated.
Fields: actor, actor_id, user_agent, request_id, name, enforcement_level, lock_branch_enforcement_level, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, programmatic_access_type, request_access_security_header
Reference: /repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch

protected_branch.update_merge_queue_enforcement_level: Enforcement of the merge queue was modified for a branch.
Fields: actor, actor_id, user_agent, request_id, name, merge_queue_enforcement_level, repo, repo_id, public_repo, action, _document_id, @timestamp, created_at, operation_type
Reference: /repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue

protected_branch.update_name: A branch name pattern was updated for a branch.
Fields: user_agent, request_id, actor, actor_id, name, old_name, repo, repo_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, public_repo, programmatic_access_type, request_access_security_header

protected_branch.update_pull_request_reviews_enforcement_level: Enforcement of required pull request reviews was updated for a branch. Can be 0 (deactivated), 1 (non-admins), or 2 (everyone).
Fields: name, org_id, _document_id, actor_id, @timestamp, business_id, request_id, pull_request_reviews_enforcement_level, org, repo, action, business, user_agent, created_at, repo_id, operation_type, actor, token_scopes, programmatic_access_type

protected_branch.update_require_code_owner_review: Enforcement of required code owner review was updated for a branch.
Fields: org_id, created_at, require_code_owner_review, operation_type, name, user_agent, action, @timestamp, actor, actor_id, repo, request_id, org, repo_id, _document_id, programmatic_access_type

protected_branch.update_require_last_push_approval: Someone other than the person who pushed the last code-modifying commit to the branch must approve pull requests for the branch.
Fields: actor, actor_id, user_agent, request_id, name, require_last_push_approval, repo, repo_id, public_repo, action, _document_id, @timestamp, created_at, operation_type, programmatic_access_type, request_access_security_header
Reference: /repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging

protected_branch.update_required_approving_review_count: Enforcement of the required number of approvals before merging was updated on a branch.
Fields: required_approving_review_count, repo, request_id, repo_id, created_at, actor, operation_type, user_agent, name, org_id, action, actor_id, _document_id, org, @timestamp, programmatic_access_type

protected_branch.update_required_status_checks_enforcement_level: Enforcement of required status checks was updated for a branch.
Fields: actor, org_id, user_agent, @timestamp, _document_id, name, repo, action, business_id, repo_id, business, actor_id, operation_type, created_at, request_id, required_status_checks_enforcement_level, org, token_scopes, programmatic_access_type

protected_branch.update_signature_requirement_enforcement_level: Enforcement of required commit signing was updated for a branch.
Fields: operation_type, name, @timestamp, created_at, _document_id, request_id, repo_id, org, org_id, action, actor, actor_id, signature_requirement_enforcement_level, repo, user_agent, programmatic_access_type

protected_branch.update_strict_required_status_checks_policy: Enforcement of required status checks was updated for a branch.
Fields: request_id, actor_id, _document_id, org, @timestamp, created_at, repo_id, org_id, user_agent, name, actor, repo, operation_type, action, strict_required_status_checks_policy, programmatic_access_type

public_key

public_key.create: An SSH key was added to a user account or a deploy key was added to a repository.
Fields: read_only, user_agent, actor_id, operation_type, created_at, _document_id, key, fingerprint, actor, action, user, user_id, @timestamp, request_id, title, token_scopes, programmatic_access_type
Reference: /authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account

public_key.delete: An SSH key was removed from a user account or a deploy key was removed from a repository.
Fields: fingerprint, user_agent, read_only, explanation, repo, @timestamp, action, key, operation_type, _document_id, actor, title, request_id, actor_id, repo_id, created_at, token_scopes, programmatic_access_type
Reference: /authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys

public_key.unverification_failure: A user account's SSH key or a repository's deploy key was unable to be unverified.
Fields: user_agent, request_id, title, key, fingerprint, read_only, user, user_id, action, _document_id, @timestamp, created_at, operation_type, token_scopes
Reference: /authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys

public_key.unverify: A user account's SSH key or a repository's deploy key was unverified.
Fields: created_at, operation_type, _document_id, title, request_id, key, action, actor, read_only, explanation, repo_id, @timestamp, actor_id, repo, user_agent, fingerprint
Reference: /authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys

public_key.update: A user account's SSH key or a repository's deploy key was updated.
Fields: actor, user_agent, key, fingerprint, read_only, repo_id, operation_type, created_at, actor_id, repo, action, _document_id, request_id, title, @timestamp, programmatic_access_type
Reference: /authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys

public_key.verification_failure: A user account's SSH key or a repository's deploy key was unable to be verified.
Fields: repo_id, actor, key, fingerprint, @timestamp, request_id, actor_id, oauth_application_id, title, action, user_agent, created_at, repo, read_only, operation_type, _document_id, user, user_id, programmatic_access_type
Reference: /authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys

public_key.verify: A user account's SSH key or a repository's deploy key was verified.
Fields: operation_type, user, @timestamp, _document_id, action, created_at, key, fingerprint, actor_id, actor, title, user_agent, user_id, request_id, read_only, token_scopes, programmatic_access_type
Reference: /authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys

pull_request

pull_request.close: A pull request was closed without being merged.
Fields: user_agent, request_id, actor, actor_id, pull_request_id, action, operation_type, @timestamp, created_at, _document_id, pull_request_url, programmatic_access_type, actor_is_bot
Reference: /pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request

pull_request.converted_to_draft: A pull request was converted to a draft.
Fields: user_agent, request_id, actor, actor_id, pull_request_id, business_id, action, operation_type, @timestamp, created_at, _document_id, pull_request_url, token_scopes, programmatic_access_type, request_access_security_header
Reference: /pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft

pull_request.create: A pull request was created.
Fields: user_agent, request_id, actor, actor_id, pull_request_id, user_id, action, operation_type, @timestamp, created_at, _document_id, pull_request_url, programmatic_access_type, actor_is_bot
Reference: /pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request

pull_request.create_review_request: A review was requested on a pull request.
Fields: user_agent, request_id, actor, actor_id, pull_request_id, business_id, org_id, reviewer_type, reviewer, reviewer_id, action, operation_type, @timestamp, created_at, _document_id, pull_request_url, programmatic_access_type
Reference: /pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews

pull_request.in_progress: A pull request was marked as in progress.
Fields: user_agent, request_id, actor, actor_id, pull_request_id, business_id, action, operation_type, @timestamp, created_at, _document_id

pull_request.indirect_merge: A pull request was considered merged because the pull request's commits were merged into the target branch.
Fields: user_agent, request_id, actor, actor_id, pull_request_id, business_id, action, operation_type, @timestamp, created_at, _document_id, pull_request_url, programmatic_access_type

pull_request.merge: A pull request was merged.
Fields: user_agent, request_id, actor, actor_id, pull_request_id, action, operation_type, @timestamp, created_at, _document_id, pull_request_url, token_scopes, programmatic_access_type, actor_is_bot
Reference: /pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request

pull_request.ready_for_review: A pull request was marked as ready for review.
Fields: user_agent, request_id, actor, actor_id, pull_request_id, business_id, action, operation_type, @timestamp, created_at, _document_id, pull_request_url, token_scopes, programmatic_access_type, request_access_security_header
Reference: /pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review

pull_request.remove_review_request: A review request was removed from a pull request.
Fields: user_agent, request_id, actor, actor_id, pull_request_id, business_id, org_id, reviewer_type, reviewer, reviewer_id, action, operation_type, @timestamp, created_at, _document_id, pull_request_url, programmatic_access_type
Reference: /pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews

pull_request.reopen: A pull request was reopened after previously being closed.
Fields: user_agent, request_id, actor, actor_id, pull_request_id, action, operation_type, @timestamp, created_at, _document_id, pull_request_url, programmatic_access_type

pull_request_review_comment

pull_request_review_comment.create: A review comment was added to a pull request.
Fields: user_agent, request_id, actor, actor_id, comment_id, action, operation_type, @timestamp, created_at, _document_id, token_scopes, programmatic_access_type, request_access_security_header
Reference: /pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews

pull_request_review_comment.delete: A review comment on a pull request was deleted.
Fields: user_agent, actor, @timestamp, _document_id, repo, created_at, request_id, comment_id, actor_id, repo_id, action, operation_type, token_scopes, programmatic_access_type

pull_request_review_comment.update: A review comment on a pull request was changed.
Fields: operation_type, user_agent, request_id, actor_id, action, created_at, actor, _document_id, @timestamp, comment_id, token_scopes, programmatic_access_type

pull_request_review

pull_request_review.delete: A review on a pull request was deleted.
Fields: user_agent, request_id, actor, actor_id, pull_request_id, review_id, action, operation_type, @timestamp, created_at, _document_id, pull_request_url, token_scopes, programmatic_access_type, request_access_security_header

pull_request_review.dismiss: A review on a pull request was dismissed.
Fields: user_agent, request_id, actor, actor_id, pull_request_id, business_id, review_id, action, operation_type, @timestamp, created_at, _document_id, pull_request_url, programmatic_access_type
Reference: /pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review

pull_request_review.submit: A review on a pull request was submitted.
Fields: user_agent, request_id, actor, actor_id, pull_request_id, review_id, action, operation_type, @timestamp, created_at, _document_id, pull_request_url, programmatic_access_type
Reference: /pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review

repo

repo.access: The visibility of a repository changed.
Fields: repo_id, user, request_id, operation_type, @timestamp, actor_id, user_id, created_at, user_agent, actor, action, repo, visibility, _document_id, previous_visibility, programmatic_access_type
Reference: /repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility

repo.actions_enabled: GitHub Actions was enabled for a repository.
Fields: user_agent, request_id, actor, actor_id, created_at, repo, repo_id, org, org_id, action, operation_type, @timestamp, _document_id, token_scopes, programmatic_access_type
Reference: organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api

repo.add_member: A collaborator was added to a repository.
Fields: visibility, repo, created_at, user_agent, operation_type, @timestamp, _document_id, actor, actor_id, repo_id, user, request_id, action, user_id, oauth_application_id, org, org_id, token_scopes, programmatic_access_type
Reference: /account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository

repo.add_topic: A topic was added to a repository.
Fields: action, user_agent, actor, repo, repo_id, user, org, org_id, request_id, actor_id, topic, @timestamp, _document_id, user_id, created_at, operation_type, programmatic_access_type
Reference: /repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics

repo.advanced_security_disabled: GitHub Advanced Security was disabled for a repository.
Fields: user_agent, request_id, actor, actor_id, org, org_id, repository, repository_id, business, business_id, action, operation_type, @timestamp, created_at, _document_id, programmatic_access_type, actor_is_bot, request_access_security_header
Reference: /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository

repo.advanced_security_enabled: GitHub Advanced Security was enabled for a repository.
Fields: user_agent, request_id, actor, actor_id, org, org_id, repository, repository_id, business, business_id, action, operation_type, @timestamp, created_at, _document_id, public_repo, programmatic_access_type, actor_is_bot
Reference: /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository

repo.archived: A repository was archived.
Fields: repo_id, user_agent, user_id, created_at, @timestamp, repo, user, operation_type, visibility, action, actor_id, actor, _document_id, request_id, token_scopes, programmatic_access_type
Reference: /repositories/archiving-a-github-repository

repo.change_merge_setting: Pull request merge options were changed for a repository.
Fields: actor, oauth_application_id, user_agent, request_id, created_at, @timestamp, _document_id, actor_id, operation_type, action, public_repo, token_scopes, programmatic_access_type, actor_is_bot

repo.code_scanning_analysis_deleted: Code scanning analysis for a repository was deleted.
Fields: user_agent, request_id, actor, actor_id, oauth_application_id, repo, repo_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, public_repo, tool, category, request_access_security_header
Reference: /rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository

repo.code_scanning_autofix_disabled: Autofix for code scanning alerts was disabled for a repository.
Fields: actor, actor_id, user_agent, request_id, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot, request_access_security_header

repo.code_scanning_autofix_enabled: Autofix for code scanning alerts was enabled for a repository.
Fields: actor, actor_id, user_agent, request_id, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot, request_access_security_header

repo.code_scanning_configuration_for_branch_deleted: A code scanning configuration for a branch of a repository was deleted.
Fields: actor, actor_id, user_agent, request_id, tool, branch, category, repo, repo_id, public_repo, org, org_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Resolving code scanning alerts

repo.codeql_disabled: Code scanning using the default setup was disabled for a repository.
Fields: user_agent, request_id, hashed_token, programmatic_access_type, actor, actor_id, token_id, token_scopes, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: /code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning

repo.codeql_enabled: Code scanning using the default setup was enabled for a repository.
Fields: actor, actor_id, user_agent, request_id, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, query_suite, threat_model, languages, request_access_security_header
Reference: /code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning

repo.codeql_updated: Code scanning using the default setup was updated for a repository.
Fields: actor, actor_id, user_agent, request_id, query_suite, threat_model, languages, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot
Reference: /code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning

repo.config.disable_collaborators_only: The interaction limit for collaborators only was disabled.
Fields: user_agent, actor, actor_id, repo_id, _document_id, action, created_at, repo, operation_type, @timestamp, request_id
Reference: /communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository

repo.config.disable_contributors_only: The interaction limit for prior contributors only was disabled in a repository.
Fields: repo, @timestamp, request_id, actor, _document_id, user_agent, actor_id, repo_id, action, operation_type, created_at
Reference: /communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository

repo.config.disable_sockpuppet_disallowed: The interaction limit for existing users only was disabled in a repository.
Fields: actor, request_id, repo_id, action, user_agent, _document_id, @timestamp, created_at, actor_id, repo, operation_type
Reference: /communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository

repo.config.enable_collaborators_only: The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.
Fields: actor, oauth_application_id, created_at, action, request_id, repo_id, repo, @timestamp, _document_id, user_agent, actor_id, operation_type
Reference: /communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository

repo.config.enable_contributors_only: The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.
Fields: user_agent, request_id, operation_type, created_at, actor, org, action, actor_id, repo, repo_id, org_id, @timestamp, _document_id
Reference: /communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository

repo.config.enable_sockpuppet_disallowed: The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.
Fields: actor, operation_type, created_at, user_agent, request_id, action, actor_id, repo, repo_id, @timestamp, _document_id
Reference: /communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository

repo.create: A repository was created.
Fields: repo, user_id, visibility, repo_id, user, request_id, actor_id, action, operation_type, request_category, @timestamp, created_at, _document_id, actor, user_agent, org, oauth_application_id, org_id, request_method, business, business_id, public_repo, token_scopes, programmatic_access_type, actor_is_bot
Reference: /repositories/creating-and-managing-repositories/creating-a-new-repository

repo.create_actions_secret: A GitHub Actions secret was created for a repository.
Fields: user_agent, request_id, actor, actor_id, key, repo, repo_id, action, operation_type, @timestamp, created_at, _document_id, token_scopes, programmatic_access_type
Reference: Using secrets in GitHub Actions

repo.create_actions_variable: A GitHub Actions variable was created for a repository.
Fields: actor, actor_id, user_agent, request_id, key, visibility, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, request_access_security_header
Reference: Store information in variables

repo.create_integration_secret: A Codespaces or Dependabot secret was created for a repository.
Fields: user_agent, request_id, actor, actor_id, key, visibility, integration, repo, repo_id, action, operation_type, @timestamp, created_at, _document_id, public_repo, programmatic_access_type, request_access_security_header

repo.destroy: A repository was deleted.
Fields: repo, _document_id, user_agent, user_id, actor, action, user, repo_id, operation_type, request_category, actor_id, visibility, request_id, created_at, @timestamp, request_method, oauth_application_id, token_scopes, programmatic_access_type, actor_is_bot
Reference: /repositories/creating-and-managing-repositories/deleting-a-repository

repo.disk_archive: A repository was archived on disk.
Fields: actor_id, repo, operation_type, @timestamp, created_at, request_id, _document_id, repo_id, actor, action, user_agent
Reference: /repositories/archiving-a-github-repository/archiving-repositories

repo.download_zip: A source code archive of a repository was downloaded as a ZIP file.
Fields: user_agent, request_id, actor, actor_id, visibility, repo, repo_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, public_repo, token_scopes, programmatic_access_type, actor_is_bot
Reference: /repositories/working-with-files/using-files/downloading-source-code-archives

repo.override_unlock: The repository was unlocked.
Fields: user_agent, request_id, actor, actor_id, user, user_id, repo, repo_id, action, operation_type, @timestamp, created_at, _document_id

repo.pages_cname: A GitHub Pages custom domain was modified in a repository.
Fields: actor, @timestamp, visibility, repo, repo_id, user, request_id, actor_id, cname, user_agent, user_id, created_at, _document_id, action, operation_type, old_cname, programmatic_access_type

repo.pages_create: A GitHub Pages site was created.
Fields: actor_id, user, _document_id, user_id, visibility, action, user_agent, operation_type, repo_id, created_at, @timestamp, request_id, actor, repo, programmatic_access_type

repo.pages_destroy: A GitHub Pages site was deleted.
Fields: created_at, user_id, action, request_id, user, repo, user_agent, _document_id, actor_id, @timestamp, actor, visibility, operation_type, repo_id, programmatic_access_type

repo.pages_https_redirect_disabled: HTTPS redirects were disabled for a GitHub Pages site.
Fields: user, actor_id, repo_id, _document_id, user_agent, actor, visibility, user_id, request_id, repo, @timestamp, operation_type, action, created_at, programmatic_access_type, request_access_security_header

repo.pages_https_redirect_enabled: HTTPS redirects were enabled for a GitHub Pages site.
Fields: request_id, @timestamp, user_agent, user_id, created_at, visibility, actor, actor_id, user, operation_type, repo_id, action, repo, _document_id, request_access_security_header

repo.pages_private: A GitHub Pages site visibility was changed to private.
Fields: user_agent, request_id, actor, actor_id, visibility, repo, repo_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id

repo.pages_public: A GitHub Pages site visibility was changed to public.
Fields: user_agent, request_id, actor, actor_id, visibility, repo, repo_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, programmatic_access_type, request_access_security_header

repo.pages_soft_delete: A GitHub Pages site was soft-deleted because its owner's plan changed.
Fields: visibility, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header

repo.pages_soft_delete_restore: A GitHub Pages site that was previously soft-deleted was restored.
Fields: actor, actor_id, user_agent, request_id, visibility, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header

repo.pages_source: A GitHub Pages source was modified.
Fields: user_id, actor_id, operation_type, user_agent, actor, @timestamp, repo_id, user, _document_id, request_id, visibility, repo, created_at, action, programmatic_access_type

repo.register_self_hosted_runner: A new self-hosted runner was registered.
Fields: actor_id, repo, operation_type, action, @timestamp, actor, user_agent, created_at, _document_id, request_id, repo_id, request_access_security_header
Reference: Adding self-hosted runners

repo.remove_actions_secret: A GitHub Actions secret was deleted for a repository.
Fields: user_agent, request_id, actor, actor_id, key, repo, repo_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, token_scopes, programmatic_access_type
Reference: Using secrets in GitHub Actions

repo.remove_actions_variable: A GitHub Actions variable was deleted for a repository.
Fields: actor, actor_id, user_agent, request_id, key, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, request_access_security_header
Reference: Store information in variables

repo.remove_integration_secret: A Codespaces or Dependabot secret was deleted for a repository.
Fields: user_agent, request_id, actor, actor_id, key, integration, repo, repo_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, public_repo, request_access_security_header

repo.remove_member: A collaborator was removed from a repository.
Fields: request_id, user, business, action, actor_id, org, org_id, actor, created_at, repo_id, user_agent, business_id, user_id, operation_type, @timestamp, _document_id, visibility, repo, token_scopes, programmatic_access_type
Reference: /account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository

repo.remove_self_hosted_runner: A self-hosted runner was removed.
Fields: request_id, actor_id, repo_id, @timestamp, _document_id, repo, org_id, action, operation_type, user_agent, actor, created_at, org, token_scopes, programmatic_access_type
Reference: Removing self-hosted runners

repo.remove_topic: A topic was removed from a repository.
Fields: user, action, repo_id, user_agent, topic, operation_type, user_id, org, org_id, actor, business, request_id, repo, @timestamp, created_at, _document_id, actor_id, business_id, programmatic_access_type

repo.rename: A repository was renamed.
Fields: user_agent, @timestamp, request_id, actor_id, actor, old_name, repo, user_id, created_at, user, action, operation_type, visibility, repo_id, _document_id, programmatic_access_type
Reference: /repositories/creating-and-managing-repositories/renaming-a-repository

repo.self_hosted_runner_offline: The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.
Fields: repo_id, repo, org_id, org, runner_id, runner_name, action, _document_id, operation_type, created_at, @timestamp
Reference: Monitoring and troubleshooting self-hosted runners

repo.self_hosted_runner_online: The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.
Fields: repo_id, repo, org_id, org, runner_id, runner_name, action, _document_id, operation_type, created_at, @timestamp
Reference: Monitoring and troubleshooting self-hosted runners

repo.self_hosted_runner_updated: The runner application was updated. This event is not included in the JSON/CSV export.
Fields: repo_id, runner_id, runner_name, source_version, target_version, runner_group_id, runner_group_name
Reference: Self-hosted runners

repo.set_actions_fork_pr_approvals_policy: The setting for requiring approvals for workflows from public forks was changed for a repository.
Fields: user_agent, request_id, actor, actor_id, visibility, policy, repo, repo_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, public_repo
Reference: /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks

repo.set_actions_private_fork_pr_approvals_policy: The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.
Fields: actor, actor_id, user_agent, request_id, visibility, policy, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type
Reference: /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories

repo.set_actions_retention_limit: The retention period for GitHub Actions artifacts and logs in a repository was changed.
Fields: user_agent, request_id, actor, actor_id, visibility, limit, repo, repo_id, user, user_id, action, operation_type, @timestamp, created_at, _document_id
Reference: /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository

repo.set_default_workflow_permissions: The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.
Fields: actor, actor_id, user_agent, request_id, visibility, repo, repo_id, public_repo, user, user_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository

repo.set_fork_pr_workflows_policy: Triggered when the policy for workflows on private repository forks is changed.
Fields: user_agent, request_id, actor, actor_id, visibility, policy, repo, repo_id, user, user_id, action, operation_type, @timestamp, created_at, _document_id
Reference: /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks

repo.set_workflow_permission_can_approve_pr: The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.
Fields: actor, actor_id, user_agent, request_id, visibility, repo, repo_id, public_repo, user, user_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests

repo.staff_unlock: An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.
Fields: @timestamp, _document_id, user_agent, actor_id, created_at, actor, repo_id, action, org, org_id, request_id, repo, operation_type

repo.temporary_access_granted: Temporary access was enabled for a repository.
Fields: actor, actor_id, user_agent, request_id, user, user_id, repo, repo_id, public_repo, action, _document_id, @timestamp, created_at, operation_type, business, business_id
Reference: Accessing user-owned repositories in your enterprise

repo.transfer: A user accepted a request to receive a transferred repository.
Fields: @timestamp, user_id, _document_id, request_id, actor_id, repo_id, owner, user, old_user, action, operation_type, created_at, user_agent, repo, visibility, repo_was, actor
Reference: /repositories/creating-and-managing-repositories/transferring-a-repository

repo.transfer_outgoing: A repository was transferred to another repository network.
Fields: user_agent, request_id, actor, actor_id, repo, repo_id, new_nwo, visibility, org, org_id, action, _document_id, @timestamp, created_at, operation_type, public_repo, request_access_security_header

repo.transfer_start: A user sent a request to transfer a repository to another user or organization.
Fields: @timestamp, _document_id, operation_type, user_id, request_id, user, action, user_agent, created_at, actor, visibility, repo_id, actor_id, repo, request_access_security_header

repo.unarchived: A repository was unarchived.
Fields: actor, request_id, actor_id, repo, operation_type, created_at, _document_id, repo_id, user, @timestamp, visibility, user_agent, user_id, action, programmatic_access_type
Reference: /repositories/archiving-a-github-repository

repo.update_actions_access_settings: The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.
Fields: user_agent, request_id, actor, actor_id, visibility, policy, old_policy, repo, repo_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id

repo.update_actions_secret: A GitHub Actions secret was updated for a repository.
Fields: user_agent, request_id, actor, actor_id, oauth_application_id, key, repo, repo_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, business, business_id, token_scopes, programmatic_access_type
Reference: Using secrets in GitHub Actions

repo.update_actions_settings: A repository administrator changed GitHub Actions policy settings for a repository.
Fields: user_agent, request_id, actor, actor_id, visibility, repo, repo_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, new_policy, old_policy, updated_access_policy, programmatic_access_type, actor_is_bot

repo.update_actions_variable: A GitHub Actions variable was updated for a repository.
Fields: actor, actor_id, user_agent, request_id, key, visibility, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, request_access_security_header
Reference: Store information in variables

repo.update_default_branch: The default branch for a repository was changed.
Fields: user_agent, request_id, actor, actor_id, visibility, repo, repo_id, user, user_id, action, operation_type, @timestamp, created_at, _document_id, token_scopes, programmatic_access_type, actor_is_bot

repo.update_integration_secret: A Codespaces or Dependabot secret was updated for a repository.
Fields: user_agent, request_id, actor, actor_id, key, visibility, integration, repo, repo_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, public_repo, token_scopes, programmatic_access_type, request_access_security_header

repo.update_member: A user's permission to a repository was changed.
Fields: user_agent, action, _document_id, actor, repo_id, created_at, oauth_application_id, user, @timestamp, repo, operation_type, request_id, org_id, actor_id, visibility, old_permission, org, user_id, old_base_role, old_repo_permission, old_repo_base_role, new_repo_base_role, new_repo_permission, token_scopes, programmatic_access_type, actor_is_bot

repository_branch_protection_evaluation

repository_branch_protection_evaluation.disable: Branch protections were disabled for the repository.
Fields: actor, actor_id, user_agent, request_id, repo, repo_id, org, org_id, business_id, user, user_id, business, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: /repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule

repository_branch_protection_evaluation.enable: Branch protections were enabled for this repository.
Fields: actor, actor_id, user_agent, request_id, repo, repo_id, org, org_id, business_id, user, user_id, business, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: /repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule

repository_image

repository_image.create: An image to represent a repository was uploaded.
Fields: user_agent, operation_type, created_at, actor_id, repo_id, action, request_id, actor, content_type, repo, @timestamp, _document_id, user, user_id, request_access_security_header

repository_image.destroy: An image to represent a repository was deleted.
Fields: content_type, created_at, actor_id, user_id, operation_type, request_id, _document_id, actor, repo_id, user_agent, repo, user, action, @timestamp, request_access_security_header

repository_invitation

repository_invitation.accept: An invitation to join a repository was accepted.
Fields: actor_id, created_at, request_id, repo, invitee, operation_type, actor, repo_id, _document_id, action, user_agent, inviter, @timestamp, token_scopes, programmatic_access_type

repository_invitation.cancel: An invitation to join a repository was canceled.
Fields: inviter, action, operation_type, _document_id, repo_id, repo, @timestamp, user_agent, invitee, created_at, request_id, actor, actor_id, request_access_security_header

repository_invitation.create: An invitation to join a repository was sent.
Fields: _document_id, actor, actor_id, @timestamp, invitee, action, request_id, inviter, repo, created_at, user_agent, repo_id, operation_type, token_scopes, programmatic_access_type

repository_invitation.reject: An invitation to join a repository was declined.
Fields: repo, _document_id, actor, invitee, action, @timestamp, request_id, actor_id, operation_type, created_at, inviter, user_agent, repo_id

repository_ruleset

repository_ruleset.create: A repository ruleset was created.
Fields: actor, actor_id, user_agent, request_id, name, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, ruleset_id, ruleset_name, ruleset_enforcement, ruleset_source_type, ruleset_rules, ruleset_conditions, ruleset_bypass_actors, request_access_security_header
Reference: /repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository

repository_ruleset.destroy: A repository ruleset was deleted.
Fields: actor, actor_id, user_agent, request_id, name, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, ruleset_id, ruleset_name, ruleset_enforcement, ruleset_source_type, ruleset_rules, ruleset_bypass_actors, request_access_security_header
Reference: /repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset

repository_ruleset.update: A repository ruleset was edited.
Fields: actor, actor_id, user_agent, request_id, old_name, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, ruleset_id, ruleset_name, ruleset_enforcement, ruleset_source_type, ruleset_rules_updated, ruleset_conditions_added, ruleset_conditions_deleted, ruleset_old_enforcement, ruleset_rules_added, ruleset_rules_deleted, ruleset_old_name, ruleset_conditions_updated, ruleset_bypass_actors_added, ruleset_bypass_actors_deleted, ruleset_bypass_actors_updated, actor_is_bot
Reference: /repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset

repository_secret_scanning_automatic_validity_checks

repository_secret_scanning_automatic_validity_checks.disabled: Automatic partner validation checks have been disabled at the repository level
Fields: actor, actor_id, user_agent, request_id, user, user_id, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot, request_access_security_header
Reference: /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository

repository_secret_scanning_automatic_validity_checks.enabled: Automatic partner validation checks have been enabled at the repository level
Fields: actor, actor_id, user_agent, request_id, user, user_id, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot, request_access_security_header
Reference: /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository

repository_secret_scanning_custom_pattern

repository_secret_scanning_custom_pattern.create: A custom pattern was created for secret scanning in a repository.
Fields: user_agent, request_id, actor, actor_id, user, user_id, repo, repo_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, public_repo
Reference: Defining custom patterns for secret scanning

repository_secret_scanning_custom_pattern.delete: A custom pattern was removed from secret scanning in a repository.
Fields: user_agent, request_id, actor, actor_id, user, user_id, repo, repo_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, public_repo
Reference: Defining custom patterns for secret scanning

repository_secret_scanning_custom_pattern.publish: A custom pattern was published for secret scanning in a repository.
Fields: actor, actor_id, user_agent, request_id, user, user_id, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot
Reference: Defining custom patterns for secret scanning

repository_secret_scanning_custom_pattern.update: Changes to a custom pattern were saved and a dry run was executed for secret scanning in a repository.
Fields: user_agent, request_id, actor, actor_id, user, user_id, repo, repo_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, public_repo
Reference: Defining custom patterns for secret scanning

repository_secret_scanning_custom_pattern_push_protection

repository_secret_scanning_custom_pattern_push_protection.disabled: Push protection for a custom pattern for secret scanning was disabled for your repository.
Fields: actor, actor_id, user_agent, request_id, user, user_id, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id
Reference: Defining custom patterns for secret scanning

repository_secret_scanning_custom_pattern_push_protection.enabled: Push protection for a custom pattern for secret scanning was enabled for your repository.
Fields: actor, actor_id, user_agent, request_id, user, user_id, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot
Reference: Defining custom patterns for secret scanning

repository_secret_scanning

repository_secret_scanning.disable: Secret scanning was disabled for a repository.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, repo, repo_id, org, org_id, action, operation_type, @timestamp, _document_id, public_repo, programmatic_access_type
Reference: About secret scanning

repository_secret_scanning.enable: Secret scanning was enabled for a repository.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, repo, repo_id, org, org_id, action, operation_type, @timestamp, _document_id, programmatic_access_type

repository_secret_scanning_non_provider_patterns

repository_secret_scanning_non_provider_patterns.disabled: Secret scanning for non-provider patterns was disabled at the repository level.
Fields: actor, actor_id, user_agent, request_id, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot, request_access_security_header
Reference: Supported secret scanning patterns

repository_secret_scanning_non_provider_patterns.enabled: Secret scanning for non-provider patterns was enabled at the repository level.
Fields: actor, actor_id, user_agent, request_id, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot, request_access_security_header
Reference: Supported secret scanning patterns

repository_secret_scanning_push_protection_bypass_list

repository_secret_scanning_push_protection_bypass_list.add: A role or team was added to the push protection bypass list at the repository level.
Fields: actor, actor_id, user_agent, request_id, repo, repo_id, public_repo, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: About push protection

repository_secret_scanning_push_protection_bypass_list.disable: Push protection settings for "Users who can bypass push protection for secret scanning" changed from "Specific roles or teams" to "Anyone with write access" at the repository level.
Fields: actor, actor_id, user_agent, request_id, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot, request_access_security_header
Reference: About push protection

repository_secret_scanning_push_protection_bypass_list.enable: Push protection settings for "Users who can bypass push protection for secret scanning" changed from "Anyone with write access" to "Specific roles or teams" at the repository level.
Fields: actor, actor_id, user_agent, request_id, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot, request_access_security_header
Reference: About push protection

repository_secret_scanning_push_protection_bypass_list.remove: A role or team was removed from the push protection bypass list at the repository level.
Fields: actor, actor_id, user_agent, request_id, repo, repo_id, public_repo, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: About push protection

repository_secret_scanning_push_protection

repository_secret_scanning_push_protection.disable: Secret scanning push protection was disabled for a repository.
Fields: user_agent, request_id, actor, actor_id, user, user_id, repo, repo_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, public_repo, programmatic_access_type, request_access_security_header
Reference: About push protection

repository_secret_scanning_push_protection.enable: Secret scanning push protection was enabled for a repository.
Fields: user_agent, request_id, actor, actor_id, user, user_id, repo, repo_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, public_repo, programmatic_access_type, request_access_security_header
Reference: About push protection

restrict_notification_delivery

restrict_notification_delivery.disable: Email notification restrictions for an organization or enterprise were disabled.
Fields: user_agent, request_id, actor, actor_id, business, business_id, owner, action, operation_type, @timestamp, created_at, _document_id
Reference: Restricting email notifications for your organization, Restricting email notifications for your enterprise

restrict_notification_delivery.enable: Email notification restrictions for an organization or enterprise were enabled.
Fields: user_agent, request_id, actor, actor_id, org, org_id, business_id, owner, action, operation_type, @timestamp, created_at, _document_id
Reference: Restricting email notifications for your organization, Restricting email notifications for your enterprise

secret_scanning_alert

secret_scanning_alert.create: GitHub detected a secret and created a secret scanning alert.
Fields: repo_id, repo, actor_id, actor, org_id, org, business, business_id, number, secret_type, secret_type_display_name, publicly_leaked, multi_repo
Reference: /code-security/secret-scanning/managing-alerts-from-secret-scanning

secret_scanning_alert.reopen: A secret scanning alert was reopened.
Fields: user_agent, request_id, actor, actor_id, number, user, user_id, repo, repo_id, public_repo, action, _document_id, @timestamp, created_at, operation_type, token_scopes, secret_type_display_name

secret_scanning_alert.resolve: A secret scanning alert was resolved.
Fields: user_agent, request_id, actor, actor_id, number, resolution, user, user_id, repo, repo_id, public_repo, action, _document_id, @timestamp, created_at, operation_type, token_scopes, secret_type, secret_type_display_name, publicly_leaked, multi_repo, request_access_security_header

secret_scanning_alert.revoke: A secret scanning alert was revoked.
Fields: user_agent, request_id, actor, actor_id, number, user, user_id, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id

secret_scanning_alert.validate: A secret scanning alert was validated.
Fields: repo_id, repo, actor_id, actor, org_id, org, business, business_id, number, created_at, previous_validity, current_validity, secret_type, secret_type_display_name, publicly_leaked, multi_repo
Reference: /code-security/secret-scanning/managing-alerts-from-secret-scanning

secret_scanning

secret_scanning.disable: Secret scanning was disabled for all existing repositories.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id
Reference: About secret scanning

secret_scanning.enable: Secret scanning was enabled for all existing repositories.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, org, org_id, action, operation_type, @timestamp, _document_id
Reference: About secret scanning

secret_scanning_new_repos

secret_scanning_new_repos.disable: Secret scanning was disabled for all new repositories.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, token_scopes
Reference: About secret scanning

secret_scanning_new_repos.enable: Secret scanning was enabled for all new repositories.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, org, org_id, action, operation_type, @timestamp, _document_id
Reference: About secret scanning

secret_scanning_push_protection

secret_scanning_push_protection.bypass: Triggered when a user bypasses the push protection on a secret detected by secret scanning.
Fields: repo_id, repo, actor_id, actor, org_id, org, business, business_id, number, created_at, push_protection_bypass_reason, secret_type, secret_type_display_name, publicly_leaked, multi_repo, request_reviewer, request_reviewer_id
Reference: About push protection

secret_scanning_push_protection_request

secret_scanning_push_protection_request.approve: A request to bypass secret scanning push protection was approved by a user.
Fields: actor, actor_id, user_agent, request_id, number, repository, repository_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot, request_access_security_header
Reference: About push protection

secret_scanning_push_protection_request.deny: A request to bypass secret scanning push protection was denied by a user.
Fields: actor, actor_id, user_agent, request_id, number, repository, repository_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot, request_access_security_header, request_reviewer_comment
Reference: About push protection

secret_scanning_push_protection_request.request: A user requested to bypass secret scanning push protection.
Fields: actor, actor_id, user_agent, request_id, number, repository, repository_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot, request_access_security_header
Reference: Working with secret scanning and push protection

security_key

security_key.register: A security key was registered for an account.
Fields: actor_id, user, created_at, user_id, action, operation_type, request_id, @timestamp, _document_id, actor, user_agent, request_access_security_header

security_key.remove: A security key was removed from an account.
Fields: actor, user_id, operation_type, _document_id, user_agent, @timestamp, request_id, actor_id, action, created_at, user, request_access_security_header

ssh_certificate_authority

ssh_certificate_authority.create: An SSH certificate authority for an organization or enterprise was created.
Fields: @timestamp, _document_id, fingerprint, operation_type, openssh_public_key, org_id, actor, created_at, org, action, user_agent, actor_id, request_id
Reference: Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise

ssh_certificate_authority.destroy: An SSH certificate authority for an organization or enterprise was deleted.
Fields: created_at, _document_id, fingerprint, operation_type, actor, org_id, openssh_public_key, org, action, user_agent, actor_id, @timestamp, request_id
Reference: Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise

ssh_certificate_requirement

ssh_certificate_requirement.disable: The requirement for members to use SSH certificates to access an organization resources was disabled.
Fields: user, user_agent, operation_type, _document_id, request_id, org, org_id, created_at, actor, action, user_id, business, business_id, @timestamp, actor_id
Reference: Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise

ssh_certificate_requirement.enable: The requirement for members to use SSH certificates to access an organization resources was enabled.
Fields: actor_id, user_id, org, operation_type, request_id, @timestamp, _document_id, actor, user, action, org_id, created_at, user_agent
Reference: Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise

staff

staff.set_domain_token_expiration: The verification code expiry time for an organization or enterprise domain was set.
Fields: user_agent, request_id, actor, actor_id, owner_type, domain_name, business_id, token_expires_at, owner, action, operation_type, @timestamp, created_at, _document_id

staff.unverify_domain: An organization or enterprise domain was unverified.
Fields: user_agent, request_id, actor, actor_id, created_at, owner_type, domain_name, owner, action, operation_type, @timestamp, _document_id

staff.verify_domain: An organization or enterprise domain was verified.
Fields: user_agent, request_id, actor, actor_id, domain_name, action, operation_type, @timestamp, created_at, _document_id

successor_invitation

successor_invitation.accept: Triggered when you accept a succession invitation.
Fields: user_agent, request_id, actor, actor_id, action, operation_type, @timestamp, created_at, _document_id
Reference: /account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories

successor_invitation.cancel: Triggered when you cancel a succession invitation.
Fields: user_agent, request_id, actor, actor_id, action, operation_type, @timestamp, created_at, _document_id
Reference: /account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories

successor_invitation.create: Triggered when you create a succession invitation.
Fields: user_agent, request_id, actor, actor_id, action, operation_type, @timestamp, created_at, _document_id
Reference: /account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories

successor_invitation.decline: Triggered when you decline a succession invitation.
Fields: user_agent, request_id, actor, actor_id, action, operation_type, @timestamp, created_at, _document_id
Reference: /account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories

successor_invitation.revoke: Triggered when you revoke a succession invitation.
Fields: user_agent, request_id, actor, actor_id, action, operation_type, @timestamp, created_at, _document_id
Reference: /account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories

team

team.add_member: A member of an organization was added to a team.
Fields: user_agent, request_id, org_id, user_id, team, user, @timestamp, actor_id, created_at, operation_type, _document_id, org, action, actor, programmatic_access_type
Reference: /organizations/organizing-members-into-teams/adding-organization-members-to-a-team

team.add_repository: A team was given access and permissions to a repository.
Fields: actor, team, action, operation_type, request_id, created_at, @timestamp, org, repo, actor_id, _document_id, repo_id, user_agent, org_id, token_scopes, programmatic_access_type, actor_is_bot

team.change_parent_team: A child team was created or a child team's parent was changed.
Fields: org, @timestamp, created_at, _document_id, team, action, operation_type, actor, request_id, actor_id, user_agent, org_id, programmatic_access_type, request_access_security_header
Reference: /organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy

team.change_privacy: A team's privacy level was changed.
Fields: user_agent, request_id, org, action, team, created_at, operation_type, actor_id, org_id, @timestamp, actor, _document_id
Reference: /organizations/organizing-members-into-teams/changing-team-visibility

team.create: A new team is created.
Fields: request_id, actor_id, oauth_application_id, action, operation_type, @timestamp, org_id, user_agent, team, org, actor, created_at, _document_id, token_scopes, programmatic_access_type

team.demote_maintainer: A user was demoted from a team maintainer to a team member.
Fields: user_agent, request_id, actor, actor_id, team, org, org_id, user, user_id, action, operation_type, @timestamp, created_at, _document_id, token_scopes
Reference: /organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member

team.destroy: A team was deleted.
Fields: created_at, org, team, org_id, actor_id, actor, action, @timestamp, user_agent, request_id, operation_type, _document_id, programmatic_access_type

team.promote_maintainer: A user was promoted from a team member to a team maintainer.
Fields: user_agent, request_id, actor, actor_id, team, org, org_id, user, user_id, action, operation_type, @timestamp, created_at, _document_id, programmatic_access_type, request_access_security_header
Reference: /organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer

team.remove_member: An organization member was removed from a team.
Fields: request_id, operation_type, created_at, actor_id, org, org_id, team, user_id, actor, user, action, @timestamp, user_agent, _document_id, token_scopes, programmatic_access_type
Reference: /organizations/organizing-members-into-teams/removing-organization-members-from-a-team

team.remove_repository: A repository was removed from a team's control.
Fields: request_id, org_id, repo, repo_id, action, _document_id, actor, @timestamp, actor_id, user_agent, created_at, team, org, operation_type, programmatic_access_type

team.rename: A team's name was changed.
Fields: name, user_agent, created_at, team, operation_type, actor_id, org, action, request_id, actor, org_id, @timestamp, _document_id, programmatic_access_type, request_access_security_header

team.update_repository_permission: A team's permission to a repository was changed.
Fields: actor_id, team, org_id, @timestamp, org, _document_id, old_permission, request_id, repo, action, repo_id, actor, operation_type, created_at, user_agent, permission, new_repo_permission, new_repo_base_role, old_repo_permission, old_repo_base_role, token_scopes, programmatic_access_type

team_discussions

team_discussions.clear: An organization owner cleared the setting to allow team discussions for an organization or enterprise.
Fields: business_id, operation_type, @timestamp, user_agent, actor, actor_id, user, business, action, request_id, created_at, user_id, _document_id

team_discussions.disable: Team discussions were disabled for an organization.
Fields: org_id, action, operation_type, request_id, actor, org, created_at, actor_id, user, user_id, @timestamp, user_agent, _document_id
Reference: Organizations and teams documentation

team_discussions.enable: Team discussions were enabled for an organization.
Fields: actor_id, @timestamp, action, _document_id, user_agent, user_id, business_id, request_id, user, business, operation_type, actor, created_at

team_sync_tenant

team_sync_tenant.disabled: Team synchronization with a tenant was disabled.
Fields: action, created_at, actor, request_id, org_id, actor_id, operation_type, _document_id, @timestamp, org, user_agent
Reference: Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise

team_sync_tenant.enabled: Team synchronization with a tenant was enabled.
Fields: org_id, business_id, actor, created_at, user_agent, @timestamp, operation_type, business, actor_id, org, request_id, action, _document_id
Reference: Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise

trusted_device

trusted_device.register: A new trusted device was added.
Fields: user_agent, request_id, actor, actor_id, user, user_id, action, operation_type, @timestamp, created_at, _document_id

trusted_device.remove: A trusted device was removed.
Fields: user_agent, request_id, actor, actor_id, user, user_id, action, operation_type, @timestamp, created_at, _document_id

two_factor_authentication

two_factor_authentication.add_factor: A secondary authentication factor was added to a user account.
Fields: actor, actor_id, user_agent, request_id, user, user_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: /authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication

two_factor_authentication.disabled: Two-factor authentication was disabled for a user account.
Fields: actor, action, _document_id, user_agent, user, user_id, actor_id, created_at, operation_type, request_id, @timestamp, request_access_security_header
Reference: Disabling two-factor authentication for your personal account

two_factor_authentication.enabled: Two-factor authentication was enabled for a user account.
Fields: actor, operation_type, user_agent, action, created_at, actor_id, @timestamp, request_id, user, user_id, _document_id, request_access_security_header
Reference: Configuring two-factor authentication

two_factor_authentication.password_reset_fallback_sms: A one-time password code was sent to a user account fallback phone number.
Fields: operation_type, created_at, user, user_id, action, @timestamp, request_id, _document_id, user_agent

two_factor_authentication.recovery_codes_regenerated: Two factor recovery codes were regenerated for a user account.
Fields: request_id, actor, operation_type, _document_id, user_id, action, user, user_agent, actor_id, @timestamp, created_at

two_factor_authentication.remove_factor: A secondary authentication factor was removed from a user account.
Fields: actor, actor_id, user_agent, request_id, user, user_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: /authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication

two_factor_authentication.sign_in_fallback_sms: A one-time password code was sent to a user account fallback phone number.
Fields: request_id, operation_type, user_id, user, user_agent, created_at, _document_id, action, @timestamp

two_factor_authentication.update_fallback: The two-factor authentication fallback for a user account was changed.
Fields: @timestamp, created_at, _document_id, user, user_id, operation_type, user_agent, action, request_id, actor, actor_id

user

user.add_email: An email address was added to a user account.
Fields: action, request_id, user, user_id, user_agent, operation_type, _document_id, actor_id, actor, email, @timestamp, created_at, request_access_security_header
Reference: /account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account

user.async_delete: An asynchronous job was started to destroy a user account, eventually triggering a user.delete event.
Fields: actor, user_id, created_at, user, @timestamp, _document_id, request_id, actor_id, operation_type, user_agent, action, request_access_security_header

user.audit_log_export: Audit log entries were exported.
Fields: actor_id, user, action, request_id, actor, @timestamp, _document_id, user_agent, user_id, operation_type, created_at

user.block_user: A user was blocked by another user.
Fields: action, actor, user_id, _document_id, actor_id, @timestamp, user_agent, user, request_id, blocked_user, operation_type, created_at, programmatic_access_type, request_access_security_header

user.change_password: A user changed their password.
Fields: request_id, @timestamp, user_agent, actor_id, operation_type, actor, user, user_id, action, created_at, _document_id, request_access_security_header

user.codespaces_trusted_repo_access_granted: Triggered when you allow the codespaces you create for a repository to access other repositories owned by your personal account.
Fields: user_agent, request_id, actor, actor_id, user, user_id, action, operation_type, @timestamp, created_at, _document_id, programmatic_access_type
Reference: Managing access to other repositories within your codespace

user.codespaces_trusted_repo_access_revoked: Triggered when you disallow the codespaces you create for a repository to access other repositories owned by your personal account.
Fields: user_agent, request_id, actor, actor_id, user, user_id, action, operation_type, @timestamp, created_at, _document_id
Reference: Managing access to other repositories within your codespace

user.create: A new user account was created.
Fields: email, user_id, operation_type, @timestamp, request_id, user, created_at, _document_id, user_agent, actor, actor_id, action, programmatic_access_type

user.create_integration_secret: A user secret for Codespaces was created.
Fields: actor, actor_id, user_agent, request_id, key, visibility, integration, user, user_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header

user.creation_rate_limit_exceeded: The rate of creation of user accounts, applications, issues, pull requests or other resources exceeded the configured rate limits, or too many users were followed too quickly.
Fields: user, created_at, user_agent, _document_id, operation_type, oauth_application_id, action, actor, actor_id, request_id, user_id, @timestamp, token_scopes, programmatic_access_type

user.delete: A user account was destroyed by an asynchronous job.
Fields: operation_type, created_at, user_agent, action, request_id, user_id, actor, actor_id, user, @timestamp, _document_id, request_access_security_header

user.demote: A site administrator was demoted to an ordinary user account.
Fields: @timestamp, oauth_application_id, action, user, created_at, user_agent, request_id, actor, actor_id, operation_type, _document_id, user_id, programmatic_access_type, request_access_security_header

user.destroy: A user deleted his or her account, triggering user.async_delete.
Fields: request_id, actor, user, _document_id, created_at, user_agent, user_id, operation_type, actor_id, action, @timestamp, request_access_security_header

user.failed_login: A user tried to sign in with an incorrect username, password, or two-factor authentication code.
Fields: user_id, action, operation_type, request_id, created_at, _document_id, @timestamp, user, org_id, actor, actor_id, user_agent

user.flag_as_large_scale_contributor: A user account was flagged as a large scale contributor. Only contributions from public repositories the user owns will be shown in their contribution graph, in order to prevent timeouts.
Fields: actor, actor_id, operation_type, @timestamp, request_id, user, user_id, action, _document_id, user_agent, created_at

user.forgot_password: A user requested a password reset.
Fields: action, _document_id, user_agent, request_id, user, operation_type, @timestamp, email, created_at, user_id, request_access_security_header
Reference: /authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials

user.hide_private_contributions_count: A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now hidden.
Fields: user_agent, request_id, actor, actor_id, user, user_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: /account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile

user.login: A user signed in.
Fields: user_agent, user_id, actor_id, @timestamp, user, action, operation_type, _document_id, request_id, created_at, actor, passkey_nickname, request_access_security_header

user.logout: A user signed out.
Fields: actor, actor_id, user_agent, request_id, user, user_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header

user.minimize_comment: A comment made by a user was minimized.
Fields: user_agent, actor, actor_id, @timestamp, created_at, operation_type, _document_id, user, user_id, action, request_id, token_scopes, programmatic_access_type

user.new_device_used: A user signed in from a new device.
Fields: user, user_id, actor, operation_type, created_at, user_agent, actor_id, action, @timestamp, _document_id, request_id, request_access_security_header

user.promote: An ordinary user account was promoted to a site administrator.
Fields: user_id, action, actor, actor_id, user, @timestamp, created_at, user_agent, oauth_application_id, request_id, operation_type, _document_id, token_scopes, programmatic_access_type, request_access_security_header

user.recreate: A user's account was restored.
Fields: user_agent, user, action, actor_id, @timestamp, _document_id, request_id, user_id, created_at, actor, operation_type

user.remove_email: An email address was removed from a user account.
Fields: user_agent, action, @timestamp, _document_id, request_id, user, user_id, operation_type, actor, actor_id, created_at, email, token_scopes, programmatic_access_type

user.remove_integration_secret: A user secret for Codespaces was deleted.
Fields: actor, actor_id, user_agent, request_id, key, integration, user, user_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header

user.remove_large_scale_contributor_flag: A user account was no longer flagged as a large scale contributor.
Fields: user_agent, request_id, actor, actor_id, user, user_id, action, operation_type, @timestamp, created_at, _document_id

user.rename: A username was changed.
Fields: user, action, request_id, actor_id, old_login, created_at, _document_id, actor, user_id, @timestamp, operation_type, user_agent, token_scopes, programmatic_access_type

user.report_content: Triggered when you report an issue or pull request, or a comment on an issue, pull request, or commit.
Fields: org_id, request_id, user, user_agent, action, created_at, actor, operation_type, actor_id, user_id, @timestamp, _document_id
Reference: /communities/maintaining-your-safety-on-github/reporting-abuse-or-spam

user.reset_password: A user reset their account password.
Fields: actor_id, action, user_agent, user, request_id, user_id, created_at, @timestamp, _document_id, actor, operation_type, request_access_security_header

user.show_private_contributions_count: A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now shown.
Fields: @timestamp, _document_id, request_id, user_id, action, actor, user, operation_type, user_agent, actor_id, created_at, request_access_security_header
Reference: /account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile

user.sign_in_from_unrecognized_device: A user signed in from an unrecognized device.
Fields: request_id, action, _document_id, user_agent, user, user_id, operation_type, created_at, actor, actor_id, @timestamp, request_access_security_header

user.sign_in_from_unrecognized_device_and_location: A user signed in from an unrecognized device and location.
Fields: actor, actor_id, user, user_id, @timestamp, user_agent, created_at, _document_id, request_id, action, operation_type, request_access_security_header

user.sign_in_from_unrecognized_location: A user signed in from an unrecognized location.
Fields: request_id, user_id, action, operation_type, user_agent, user, _document_id, actor, created_at, actor_id, @timestamp, request_access_security_header

user.suspend: A user account was suspended.
Fields: oauth_application_id, operation_type, actor_id, user, user_agent, request_id, actor, created_at, _document_id, @timestamp, user_id, action, token_scopes, programmatic_access_type, request_access_security_header

user.two_factor_challenge_failure: A 2FA challenge issued for a user account failed.
Fields: operation_type, created_at, _document_id, user_agent, user, actor_id, actor, user_id, @timestamp, action, request_id, request_access_security_header

user.two_factor_challenge_success: A 2FA challenge issued for a user account succeeded.
Fields: @timestamp, _document_id, user_id, operation_type, actor_id, user, actor, user_agent, request_id, action, created_at, request_access_security_header

user.two_factor_recover: A user used their 2FA recovery codes.
Fields: user_id, operation_type, user_agent, request_id, user, action, actor, actor_id, created_at, @timestamp, _document_id, request_access_security_header

user.two_factor_recovery_codes_downloaded: A user downloaded 2FA recovery codes for their account.
Fields: user_id, operation_type, actor_id, user, request_id, action, @timestamp, created_at, user_agent, actor, _document_id, request_access_security_header

user.two_factor_recovery_codes_printed: A user printed 2FA recovery codes for their account.
Fields: user, action, operation_type, user_agent, request_id, user_id, created_at, _document_id, actor, actor_id, @timestamp

user.two_factor_recovery_codes_viewed: A user viewed 2FA recovery codes for their account.
Fields: actor_id, user_agent, actor, user_id, action, created_at, user, operation_type, @timestamp, request_id, _document_id, request_access_security_header

user.two_factor_requested: A user was prompted for a two-factor authentication code.
Fields: user, actor_id, action, user_agent, request_id, created_at, _document_id, user_id, operation_type, @timestamp, actor
Reference: /authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication

user.unblock_user: A user was unblocked by another user.
Fields: actor_id, action, request_id, _document_id, blocked_user, operation_type, actor, @timestamp, user_agent, user_id, user, created_at, request_access_security_header

user.unminimize_comment: A comment made by a user was unminimized.
Fields: @timestamp, user_agent, _document_id, actor_id, user, user_id, operation_type, request_id, actor, action, created_at

user.unsuspend: A user account was unsuspended.
Fields: request_id, _document_id, user, action, user_agent, actor, oauth_application_id, operation_type, actor_id, created_at, @timestamp, user_id, token_scopes, programmatic_access_type, request_access_security_header

user.update_integration_secret: A user secret for Codespaces was updated.
Fields: actor, actor_id, user_agent, request_id, key, visibility, integration, user, user_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header

user_email

user_email.confirm_claim: An enterprise managed user claimed an email address.
Fields: actor, actor_id, user_agent, request_id, user, user_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot, request_access_security_header

user_status

user_status.destroy: Triggered when you clear the status on your profile.
Fields: org, user_id, actor, message, user, actor_id, created_at, request_id, limited_availability, action, emoji, operation_type, user_agent, @timestamp, _document_id, request_access_security_header

user_status.update: Triggered when you set or change the status on your profile.
Fields: limited_availability, user, action, actor_id, message, user_id, created_at, _document_id, request_id, @timestamp, user_agent, emoji, org, actor, operation_type, token_scopes, programmatic_access_type
Reference: /account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status

workflows

workflows.approve_workflow_job: A workflow job was approved.
Fields: user_agent, request_id, actor, actor_id, workflow_run_id, run_number, user, user_id, repo, repo_id, business, business_id, action, operation_type, @timestamp, created_at, _document_id, public_repo, token_scopes, programmatic_access_type, request_access_security_header
Reference: Reviewing deployments

workflows.cancel_workflow_run: A workflow run was cancelled.
Fields: user_agent, request_id, actor, actor_id, created_at, started_at, event, name, workflow_run_id, head_branch, head_sha, run_number, cancelled_at, workflow_id, repo, repo_id, org, org_id, action, operation_type, @timestamp, _document_id, business, business_id, trigger_id, public_repo, programmatic_access_type, request_access_security_header
Reference: Canceling a workflow run

workflows.completed_workflow_run: A workflow status changed to completed. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.
Fields: user_agent, request_id, actor, actor_id, created_at, started_at, event, name, workflow_run_id, head_branch, head_sha, completed_at, conclusion, run_number, workflow_id, repo, repo_id, org, org_id, action, operation_type, @timestamp, _document_id, business, business_id, trigger_id, run_attempt, programmatic_access_type, actor_is_bot
Reference: Viewing workflow run history

workflows.created_workflow_run: A workflow run was create. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.
Fields: user_agent, request_id, actor, actor_id, created_at, started_at, event, name, workflow_run_id, head_branch, head_sha, workflow_id, repo, repo_id, org, org_id, action, operation_type, @timestamp, _document_id, business, business_id, trigger_id, public_repo, programmatic_access_type, actor_is_bot, request_access_security_header
Reference: Understanding GitHub Actions

workflows.delete_workflow_run: A workflow run was deleted.
Fields: user_agent, request_id, actor, actor_id, repo, repo_id, action, operation_type, @timestamp, created_at, _document_id, workflow_run_id, started_at, head_branch, head_sha, trigger_id, programmatic_access_type
Reference: Deleting a workflow run

workflows.disable_workflow: A workflow was disabled.
Fields: user_agent, request_id, actor, actor_id, repo, repo_id, workflow_id, action, operation_type, @timestamp, created_at, _document_id, public_repo, programmatic_access_type, actor_is_bot, request_access_security_header

workflows.enable_workflow: A workflow was enabled, after previously being disabled by disable_workflow.
Fields: user_agent, request_id, actor, actor_id, repo, repo_id, workflow_id, action, operation_type, @timestamp, created_at, _document_id, public_repo, programmatic_access_type, request_access_security_header

workflows.pin_workflow: A workflow was pinned.
Fields: actor, actor_id, user_agent, request_id, repo, repo_id, public_repo, workflow_id, org, org_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot, request_access_security_header

workflows.prepared_workflow_job: A workflow job was started. Includes the list of secrets that were provided to the job. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.
Fields: repo_id, repo, org_id, org, business_id, business, workflow_run_id, job_name, runner_labels, is_hosted_runner, environment_name, secrets_passed, action, _document_id, operation_type, created_at, @timestamp, runner_owner_type, job_workflow_ref, calling_workflow_refs, calling_workflow_shas, imposer_repo
Reference: Events that trigger workflows

workflows.reject_workflow_job: A workflow job was rejected.
Fields: user_agent, request_id, actor, actor_id, workflow_run_id, run_number, user, user_id, repo, repo_id, action, operation_type, @timestamp, created_at, _document_id, public_repo, programmatic_access_type, request_access_security_header
Reference: Reviewing deployments

workflows.rerun_workflow_run: A workflow run was re-run.
Fields: user_agent, request_id, actor, actor_id, created_at, started_at, event, name, workflow_run_id, head_branch, head_sha, run_number, workflow_id, repo, repo_id, org, org_id, action, operation_type, @timestamp, _document_id, business, business_id, trigger_id, run_attempt, rerun_type, check_run_id, programmatic_access_type, actor_is_bot
Reference: Re-running workflows and jobs

workflows.unpin_workflow: A workflow was unpinned after previously being pinned.
Fields: actor, actor_id, user_agent, request_id, repo, repo_id, public_repo, workflow_id, org, org_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot, request_access_security_header

Audit log events for your enterprise

Who can use this feature?

In this article