Security log events

Learn about security log events recorded for your personal account.

This article contains the events available in the latest version of GitHub Enterprise Server. Some of the events may not be available in previous versions.

This article contains the events that may appear in your user account's security log. For the events that can appear in an organization's audit log or the audit log for an enterprise, see Audit log events for your organization and Audit log events for your enterprise.

About security log events

The name for each audit log entry is composed of a category of events, followed by an operation type. For example, the repo.create entry refers to the create operation on the repo category. The reference information in this article is grouped by categories.

Audit log events

account

account.plan_change: The account's plan changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at
Reference: How GitHub billing works

actions_cache

actions_cache.delete: A GitHub Actions cache was deleted using the REST API.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, oauth_application_id, actions_cache_id, actions_cache_key, actions_cache_version, actions_cache_scope, created_at, operation_type

artifact

artifact.destroy: A workflow run artifact was manually deleted.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

billing

billing.budget_create: A billing budget was created for a business or organization. Includes details about the budget limit, alerting preferences, and recipients.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, customer_id, target_amount, target_type, target_id, alert_enabled, status, created_at, operation_type, actor_is_bot, pricing_target_type, pricing_target_id, budget_limit_type, alert_recipient_user_ids, exclude_cost_center_usage

billing.budget_delete: A billing budget was deleted for a business or organization. Includes details about the removed budget and any alerting settings.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, customer_id, uuid, status, created_at, operation_type, actor_is_bot

billing.budget_update: A billing budget was updated for a business or organization. Includes details about the updated limit and alerting settings.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, customer_id, target_amount, target_type, target_id, alert_enabled, status, created_at, operation_type, actor_is_bot, old_target_amount, old_budget_limit_type, old_alert_enabled, old_target_id, old_pricing_target_type, old_pricing_target_id

billing.change_billing_type: The way the account pays for GitHub was changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type
Reference: Managing your payment and billing information

billing.change_email: The billing email address changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at, email
Reference: Managing your payment and billing information

billing.overage_policy_updated: The premium request paid usage policy for your GitHub account was changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type, actor_is_bot
Reference: /copilot/how-tos/manage-and-track-spending/manage-request-allowances#setting-a-policy-for-paid-usage

billing_customer

billing_customer.azure_subscription_linked: Azure subscription has been linked on this account.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

billing_customer.azure_subscription_unlinked: Azure subscription has been unlinked on this account.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

business

business.security_center_export_code_scanning_metrics: A CSV export was requested on the "CodeQL pull request alerts" page.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, query, filename, requested_at, start_date, end_date, created_at, operation_type, actor_is_bot

business.security_center_export_coverage: A CSV export was requested on the "Coverage" page.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, query, filename, requested_at, created_at, operation_type, actor_is_bot

business.security_center_export_overview_dashboard: A CSV export was requested on the "Overview Dashboard" page.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, query, filename, requested_at, start_date, end_date, created_at, operation_type, actor_is_bot

business.security_center_export_risk: A CSV export was requested on the "Risk" page.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, query, filename, requested_at, created_at, operation_type, actor_is_bot

business.set_actions_cache_retention_policy: The cache retention policy for GitHub Actions was set for an enterprise.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, created_at, operation_type, actor_is_bot
Reference: Enforcing policies for GitHub Actions in your enterprise

business.set_actions_cache_storage_policy: The cache storage policy for GitHub Actions was set for an enterprise.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, created_at, operation_type, actor_is_bot
Reference: Enforcing policies for GitHub Actions in your enterprise

business.set_actions_fork_pr_approvals_policy: The policy for requiring approvals for workflows from public forks was changed for an enterprise.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, policy, created_at, operation_type
Reference: Enforcing policies for GitHub Actions in your enterprise

business.set_actions_private_fork_pr_approvals_policy: The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an enterprise.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, policy, created_at, operation_type
Reference: Enforcing policies for GitHub Actions in your enterprise

business.set_actions_retention_limit: The retention period for GitHub Actions artifacts and logs was changed for an enterprise.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, limit, operation_type, created_at
Reference: Enforcing policies for GitHub Actions in your enterprise

business.set_default_workflow_permissions: The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an enterprise.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, created_at, operation_type
Reference: Enforcing policies for GitHub Actions in your enterprise

business.set_fork_pr_workflows_policy: The policy for fork pull request workflows was changed for an enterprise.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, policy, operation_type, created_at
Reference: Enforcing policies for GitHub Actions in your enterprise

business.set_workflow_permission_can_approve_pr: The policy for allowing GitHub Actions to create and approve pull requests was changed for an enterprise.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, created_at, operation_type
Reference: Enforcing policies for GitHub Actions in your enterprise

checks

checks.auto_trigger_disabled: Automatic creation of check suites was disabled on a repository in the organization or enterprise.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, created_at, operation_type
Reference: /rest/checks#update-repository-preferences-for-check-suites

checks.auto_trigger_enabled: Automatic creation of check suites was enabled on a repository in the organization or enterprise.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, operation_type, created_at, public_repo
Reference: /rest/checks#update-repository-preferences-for-check-suites

checks.delete_logs: Logs in a check suite were deleted.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

codespaces

codespaces.allow_permissions: A codespace using custom permissions from its devcontainer.json file was launched.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, origin_repository, created_at, operation_type

codespaces.connect: Credentials for a codespace were refreshed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, pull_request_id, owner, name, operation_type, created_at, public_repo, actor_is_bot, machine_type, devcontainer_path

codespaces.create: A codespace was created
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, pull_request_id, owner, name, operation_type, created_at, actor_is_bot, machine_type, devcontainer_path
Reference: Creating a codespace for a repository

codespaces.destroy: A user deleted a codespace.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, pull_request_id, owner, name, operation_type, created_at
Reference: Deleting a codespace

codespaces.export_environment: A codespace was exported to a branch on GitHub.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, oauth_application_id, owner, created_at, operation_type, public_repo

codespaces.restore: A codespace was restored.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, owner, public_repo, created_at, operation_type

codespaces.start_environment: A codespace was started.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, owner, pull_request_id, machine_type, devcontainer_path, public_repo, created_at, operation_type

codespaces.suspend_environment: A codespace was stopped.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, owner, operation_type, created_at, public_repo

codespaces.trusted_repositories_access_update: A personal account's access and security setting for Codespaces were updated.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at
Reference: Managing access to other repositories within your codespace

copilot

copilot.cfb_seat_added: A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

copilot.cfb_seat_assignment_created: A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type
Reference: What is GitHub Copilot?

copilot.cfb_seat_assignment_refreshed: A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

copilot.cfb_seat_assignment_reused: A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

copilot.cfb_seat_assignment_unassigned: A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

copilot.cfb_seat_cancelled: A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type, seat_assignment

copilot.cfb_seat_cancelled_by_staff: A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

copilot.swe_agent_repo_disabled: Specific repositories were disabled from using Copilot coding agent.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, owner_type, owner, public_repo, created_at, operation_type

copilot.swe_agent_repo_enabled: Specific repositories were enabled to use Copilot coding agent.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, owner_type, owner, public_repo, created_at, operation_type

copilot.swe_agent_repo_enablement_updated: Copilot coding agent access was updated for the organization's or user's repositories.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, new_access, old_access, owner_type, owner, created_at, operation_type

dependabot_alerts

dependabot_alerts.disable: Dependabot alerts were disabled for all existing repositories.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories

dependabot_alerts.enable: Dependabot alerts were enabled for all existing repositories.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories

dependabot_alerts_new_repos

dependabot_alerts_new_repos.disable: Dependabot alerts were disabled for all new repositories.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added

dependabot_alerts_new_repos.enable: Dependabot alerts were enabled for all new repositories.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added

dependabot_repository_access

dependabot_repository_access.repositories_updated: The repositories that Dependabot can access were updated.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

dependabot_security_updates

dependabot_security_updates.disable: Dependabot security updates were disabled for all existing repositories.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization

dependabot_security_updates.enable: Dependabot security updates were enabled for all existing repositories.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

dependabot_security_updates_new_repos

dependabot_security_updates_new_repos.disable: Dependabot security updates were disabled for all new repositories.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization

dependabot_security_updates_new_repos.enable: Dependabot security updates were enabled for all new repositories.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

dependency_graph

dependency_graph.disable: The dependency graph was disabled for all existing repositories.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization

dependency_graph.enable: The dependency graph was enabled for all existing repositories.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

dependency_graph_new_repos

dependency_graph_new_repos.disable: The dependency graph was disabled for all new repositories.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization

dependency_graph_new_repos.enable: The dependency graph was enabled for all new repositories.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

environment

environment.add_protection_rule: A GitHub Actions deployment protection rule was created via the API.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, operation_type, created_at
Reference: Managing environments for deployment

environment.create_actions_secret: A secret was created for a GitHub Actions environment.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, oauth_application_id, key, visibility, operation_type, created_at, public_repo
Reference: Managing environments for deployment

environment.create_actions_variable: A variable was created for a GitHub Actions environment.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, key, visibility, environment_name, public_repo, created_at, operation_type, actor_is_bot
Reference: Store information in variables

environment.delete: An environment was deleted.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, operation_type, created_at, public_repo, actor_is_bot
Reference: Managing environments for deployment

environment.remove_actions_secret: A secret was deleted for a GitHub Actions environment.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, oauth_application_id, key, operation_type, created_at, public_repo
Reference: Managing environments for deployment

environment.remove_actions_variable: A variable was deleted for a GitHub Actions environment.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, key, environment_name, public_repo, created_at, operation_type
Reference: Store information in variables

environment.remove_protection_rule: A GitHub Actions deployment protection rule was deleted via the API.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, operation_type, created_at, public_repo
Reference: Managing environments for deployment

environment.update_actions_secret: A secret was updated for a GitHub Actions environment.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, oauth_application_id, key, visibility, operation_type, created_at, public_repo
Reference: Managing environments for deployment

environment.update_actions_variable: A variable was updated for a GitHub Actions environment.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, key, visibility, environment_name, public_repo, created_at, operation_type
Reference: Store information in variables

environment.update_protection_rule: A GitHub Actions deployment protection rule was updated via the API.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, new_value, approvers_was, approvers, can_admins_bypass, prevent_self_review
Reference: Managing environments for deployment

gist

gist.create: A gist was created.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, gist_id, created_at, operation_type, visibility

gist.destroy: A gist was deleted.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, gist_id, visibility, created_at, operation_type

gist.visibility_change: The visibility of a gist was updated.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, gist_id, visibility, created_at

git_signing_ssh_public_key

git_signing_ssh_public_key.create: An SSH key was added to a user account as a Git commit signing key.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, title, key, fingerprint, created_at, operation_type
Reference: /authentication/managing-commit-signature-verification/telling-git-about-your-signing-key

git_signing_ssh_public_key.delete: An SSH key was removed from a user account as a Git commit signing key.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, title, key, fingerprint, explanation, created_at, operation_type
Reference: /authentication/managing-commit-signature-verification/telling-git-about-your-signing-key

hook

hook.active_changed: A hook's active status was updated.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, name, events, active, active_was, hook_id, operation_type

hook.config_changed: A hook's configuration was changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, name, hook_id, created_at, oauth_application_id, events

hook.create: A new hook was added.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, oauth_application, oauth_application_id, hook_id, events, operation_type, name, created_at
Reference: About webhooks

hook.destroy: A hook was deleted.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, events, created_at, name, operation_type, oauth_application_id, hook_id

hook.events_changed: A hook's configured events were changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, events, operation_type, name, events_were, created_at, hook_id, oauth_application_id

integration

integration.create: A GitHub App was created.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, name, integration, created_at, application_client_id

integration.destroy: A GitHub App was deleted.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, integration, operation_type, created_at

integration.manager_added: A member of an enterprise or organization was added as a GitHub App manager.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, name, manager, operation_type, integration
Reference: /organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization

integration.manager_removed: A member of an enterprise or organization was removed from being a GitHub App manager.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, integration, name, created_at, manager
Reference: /organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization

integration.remove_client_secret: A client secret for a GitHub App was removed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, integration, operation_type, created_at

integration.revoke_all_tokens: All user tokens for a GitHub App were requested to be revoked.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, integration, operation_type, created_at, application_client_id

integration.revoke_tokens: Token(s) for a GitHub App were revoked.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, integration, operation_type, created_at, application_client_id

integration.suspend: A GitHub App was suspended.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, integration, created_at, operation_type, application_client_id
Reference: /apps/maintaining-github-apps/suspending-a-github-app-installation

integration.transfer: Ownership of a GitHub App was transferred to another user or organization.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, transfer_to_id, requester, requester_id, created_at, transfer_to, operation_type, integration, transfer_from, transfer_from_id, transfer_from_type, transfer_to_type
Reference: /apps/maintaining-github-apps/transferring-ownership-of-a-github-app

integration.unsuspend: A GitHub App was unsuspended.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, integration, created_at, operation_type, application_client_id
Reference: /apps/maintaining-github-apps/suspending-a-github-app-installation

integration_installation

integration_installation.create: A GitHub App was installed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, name, repository_selection, created_at, integration, application_client_id
Reference: /apps/using-github-apps/authorizing-github-apps

integration_installation.destroy: A GitHub App was uninstalled.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, repository_selection, integration, operation_type, name, application_client_id
Reference: /apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access

integration_installation.repositories_added: Repositories were added to a GitHub App.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, repository_selection, name, integration, operation_type, repositories_added, created_at, repositories_added_names, actor_is_bot, application_client_id
Reference: /apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access

integration_installation.repositories_removed: Repositories were removed from a GitHub App.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, repository_selection, repositories_removed, integration, created_at, name, repositories_removed_names, actor_is_bot, application_client_id
Reference: /apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access

integration_installation.suspend: A GitHub App was suspended.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, repository_selection, integration, operation_type, created_at, application_client_id
Reference: /apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access

integration_installation.unsuspend: A GitHub App was unsuspended.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, repository_selection, integration, operation_type, created_at
Reference: /apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access

integration_installation.version_updated: Permissions for a GitHub App were updated.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, integration, name, operation_type, created_at, repository_selection, application_client_id
Reference: /apps/using-github-apps/approving-updated-permissions-for-a-github-app

issue_dependencies

issue_dependencies.blocked_by_add: An issue was marked as blocked by another issue.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, title, public_repo, created_at, operation_type, actor_is_bot

issue_dependencies.blocked_by_remove: The blocked by relationship between an issue and another issue was removed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, title, public_repo, created_at, operation_type

issue_dependencies.blocking_add: An issue was marked as blocking another issue.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, title, public_repo, created_at, operation_type, actor_is_bot

issue_dependencies.blocking_remove: The blocking relationship between an issue and another issue was removed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, title, public_repo, created_at, operation_type, actor_is_bot

marketplace_agreement_signature

marketplace_agreement_signature.create: The GitHub Marketplace Developer Agreement was signed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

marketplace_listing

marketplace_listing.approve: A listing was approved for inclusion in GitHub Marketplace.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, secondary_category, primary_category, operation_type, created_at, marketplace_listing, integration

marketplace_listing.change_category: A category for a listing for an app in GitHub Marketplace was changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, primary_category, marketplace_listing, integration, secondary_category, operation_type, created_at

marketplace_listing.create: A listing for an app in GitHub Marketplace was created.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, primary_category, created_at, oauth_application, marketplace_listing, secondary_category, oauth_application_id, operation_type

marketplace_listing.delist: A listing was removed from GitHub Marketplace.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, secondary_category, operation_type, marketplace_listing, primary_category, integration

marketplace_listing.redraft: A listing was sent back to draft state.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, secondary_category, oauth_application_id, operation_type, oauth_application, created_at, marketplace_listing, primary_category

marketplace_listing.reject: A listing was not accepted for inclusion in GitHub Marketplace.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, primary_category, secondary_category, marketplace_listing, oauth_application, oauth_application_id, operation_type, created_at

merge_queue

merge_queue.pull_request_dequeued: A pull request was removed from a merge queue.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, public_repo, created_at, operation_type

merge_queue.pull_request_queue_jump: A pull request was moved ahead in a merge queue.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, oauth_application_id, public_repo, created_at, operation_type

merge_queue.queue_cleared: A merge queue was cleared.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, public_repo, created_at, operation_type

merge_queue.update_settings: The settings for a merge queue were updated.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, max_entries_to_build, min_entries_to_merge, public_repo, created_at, operation_type

migration

migration.create: A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type, actor_is_bot

oauth_access

oauth_access.create: An OAuth access token was generated.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at, oauth_application_name
Reference: /apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, Managing your personal access tokens

oauth_access.destroy: An OAuth access token was deleted.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at, explanation, oauth_application_name
Reference: /apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps

oauth_access.regenerate: An OAuth access token was regenerated.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type, oauth_application_name

oauth_access.revoke: An OAuth access token was revoked.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

oauth_access.update: An OAuth access token was updated.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

oauth_application

oauth_application.create: An OAuth application was created.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, oauth_application_id, operation_type, oauth_application
Reference: /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app

oauth_application.destroy: An OAuth application was deleted.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, oauth_application_id, operation_type, oauth_application
Reference: /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app

oauth_application.generate_client_secret: An OAuth application's secret key was generated.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, oauth_application, oauth_application_id, operation_type, created_at
Reference: /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app

oauth_application.remove_client_secret: An OAuth application's secret key was deleted.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, oauth_application, oauth_application_id, operation_type, created_at
Reference: /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app

oauth_application.reset_secret: The secret key for an OAuth application was reset.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, oauth_application, operation_type, created_at, oauth_application_id
Reference: /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app

oauth_application.revoke_all_tokens: All user tokens for an OAuth application were requested to be revoked.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, oauth_application, oauth_application_id, operation_type, created_at
Reference: /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app

oauth_application.revoke_tokens: Token(s) for an OAuth application were revoked.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, oauth_application_id, oauth_application, created_at, operation_type
Reference: /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app

oauth_application.transfer: An OAuth application was transferred from one account to another.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at, oauth_application, oauth_application_id
Reference: /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app

oauth_authorization

oauth_authorization.create: An authorization for an OAuth application was created.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at, actor_is_bot, oauth_application_name
Reference: /apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps

oauth_authorization.destroy: An authorization for an OAuth application was deleted.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at, explanation, actor_is_bot, oauth_application_name
Reference: Reviewing and revoking authorization of GitHub Apps

oauth_authorization.update: An authorization for an OAuth application was updated.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at, actor_is_bot, oauth_application_name
Reference: /apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps

org

org.add_member: A user joined an organization.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, permission, operation_type, created_at, actor_is_bot

org.add_outside_collaborator: An outside collaborator was added to a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, inviter, public_repo, permission, invitee, created_at, operation_type

org.advanced_security_disabled_for_new_repos: GitHub Advanced Security was disabled for new repositories in an organization.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

org.advanced_security_disabled_on_all_repos: GitHub Advanced Security was disabled for all repositories in an organization.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

org.advanced_security_enabled_for_new_repos: GitHub Advanced Security was enabled for new repositories in an organization.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

org.advanced_security_enabled_on_all_repos: GitHub Advanced Security was enabled for all repositories in an organization.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

org.remove_member: A member was removed from an organization, either manually or due to a two-factor authentication requirement.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

org.security_center_export_code_scanning_metrics: A CSV export was requested on the CodeQL pull request alerts page.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, query, filename, requested_at, start_date, end_date, created_at, operation_type, actor_is_bot

org.security_center_export_coverage: A CSV export was requested on the Coverage page.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, query, filename, requested_at, created_at, operation_type, actor_is_bot

org.security_center_export_overview_dashboard: A CSV export was requested on the Overview Dashboard page.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, query, filename, requested_at, start_date, end_date, created_at, operation_type, actor_is_bot

org.security_center_export_risk: A CSV export was requested on the Risk page.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, query, filename, requested_at, created_at, operation_type, actor_is_bot

org.set_actions_cache_retention_policy: The cache retention policy for GitHub Actions was set for an organization.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type, actor_is_bot
Reference: /organizations/managing-organization-settings/managing-github-actions-settings-for-your-organization

org.set_actions_cache_storage_policy: The cache storage policy for GitHub Actions was set for an organization.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type, actor_is_bot
Reference: /organizations/managing-organization-settings/managing-github-actions-settings-for-your-organization

org.set_actions_fork_pr_approvals_policy: The setting for requiring approvals for workflows from public forks was changed for an organization.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, policy, created_at, operation_type
Reference: /organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks

org.set_actions_private_fork_pr_approvals_policy: The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, policy, created_at, operation_type
Reference: /organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks

org.set_actions_retention_limit: The retention period for GitHub Actions artifacts and logs in an organization was changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, limit, operation_type, created_at
Reference: /organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization

org.set_default_workflow_permissions: The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type
Reference: /organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization

org.set_fork_pr_workflows_policy: The policy for workflows on private repository forks was changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, policy, operation_type, created_at
Reference: /organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks

org.set_workflow_permission_can_approve_pr: The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type
Reference: /organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests

org.update_member: A person's role was changed from owner to member or member to owner.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, old_permission, permission, operation_type

org.update_member_repository_creation_permission: The create repository permission for organization members was changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, permission, created_at, visibility, operation_type

org.update_member_repository_invitation_permission: An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, permission, created_at, operation_type
Reference: Setting permissions for adding outside collaborators

pages_protected_domain

pages_protected_domain.create: A GitHub Pages verified domain was created for an organization or enterprise.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, owner, owner_type, domain, state, created_at, operation_type
Reference: /pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages

pages_protected_domain.delete: A GitHub Pages verified domain was deleted from an organization or enterprise.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, owner, owner_type, domain, state, created_at, operation_type
Reference: /pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages

pages_protected_domain.verify: A GitHub Pages domain was verified for an organization or enterprise.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, owner, owner_type, domain, state, created_at, operation_type
Reference: /pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages

passkey

passkey.register: A new passkey was added.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, nickname, created_at, operation_type

passkey.remove: A new passkey was removed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, nickname, created_at, operation_type

payment_method

payment_method.create: A new payment method was added, such as a new credit card or PayPal account.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

payment_method.remove: A payment method was removed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

payment_method.update: An existing payment method was updated.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

personal_access_token

personal_access_token.access_granted: A fine-grained personal access token was granted access to resources.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, user_programmatic_access_id, user_programmatic_access_name, repository_selection, created_at, operation_type
Reference: /organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization

personal_access_token.access_revoked: A fine-grained personal access token was revoked. The token can still read public organization resources.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, user_programmatic_access_id, user_programmatic_access_name, repository_selection, created_at, operation_type
Reference: /organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization

personal_access_token.create: Triggered when you create a fine-grained personal access token.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, user_programmatic_access_name, repository_selection, created_at, operation_type

personal_access_token.credential_regenerated: Triggered when you regenerate a fine-grained personal access token.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, user_programmatic_access_name, created_at, operation_type

personal_access_token.credential_revoked: A fine-grained personal access token was revoked by GitHub Advanced Security.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, user_programmatic_access_name, created_at, operation_type
Reference: /code-security/getting-started/github-security-features#secret-scanning-alerts-for-users

personal_access_token.destroy: Triggered when you delete a fine-grained personal access token.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, user_programmatic_access_name, explanation, created_at, operation_type

personal_access_token.request_cancelled: A pending request for a fine-grained personal access token to access organization resources was canceled.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, user_programmatic_access_name, repository_selection, created_at, operation_type, user_programmatic_access_request_id

personal_access_token.request_created: Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, user_programmatic_access_id, user_programmatic_access_name, repository_selection, created_at, operation_type, user_programmatic_access_request_id
Reference: /organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization

personal_access_token.request_denied: A request for a fine-grained personal access token to access organization resources was denied.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, user_programmatic_access_name, repository_selection, created_at, operation_type, user_programmatic_access_request_id
Reference: /organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization

personal_access_token.update: A fine-grained personal access token was updated.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, user_programmatic_access_name, repository_selection, created_at, operation_type
Reference: /authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens

profile_picture

profile_picture.update: A profile picture was updated.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, owner, operation_type
Reference: Personalize your profile

project

project.access: A project board visibility was changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

project.close: A project board was closed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at, project_id, project_kind
Reference: Closing a project (classic)

project.create: A project board was created.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

project.delete: A project board was deleted.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

project.link: A repository was linked to a project board.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

project.open: A project board was reopened.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, project_id, operation_type, created_at, project_kind, project_name
Reference: Reopening a closed project (classic)

project.rename: A project board was renamed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, old_name, operation_type

project.unlink: A repository was unlinked from a project board.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

project.update_org_permission: The project's base-level permission for all organization members was changed or removed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

project.update_team_permission: A team's project board permission level was changed or when a team was added or removed from a project board.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type, team

project.update_user_permission: A user was added to or removed from a project board or had their permission level changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

project.visibility_private: A project's visibility was changed from public to private.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, project_id, created_at, operation_type, project_kind, project_name

project.visibility_public: A project's visibility was changed from private to public.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, project_id, created_at, operation_type, project_kind, project_name

project_collaborator

project_collaborator.add: A collaborator was added to a project.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, collaborator_type, collaborator, created_at, operation_type, actor_is_bot, public_project, project_name, project_role, old_project_role

project_collaborator.remove: A collaborator was removed from a project.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, collaborator_type, collaborator, created_at, operation_type

project_collaborator.update: A project collaborator's permission level was changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, public_project, project_name, collaborator_type, project_role, old_project_role, project_id, collaborator, created_at, operation_type

project_field

project_field.create: A field was created in a project board.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type
Reference: /issues/planning-and-tracking-with-projects/understanding-fields

project_field.delete: A field was deleted in a project board.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type
Reference: /issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields

project_view

project_view.create: A view was created in a project board.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type
Reference: /issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views

project_view.delete: A view was deleted in a project board.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type
Reference: /issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views

protected_branch

protected_branch.update_merge_queue_enforcement_level: Enforcement of the merge queue was modified for a branch.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, merge_queue_enforcement_level, public_repo, created_at, operation_type
Reference: /repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue

public_key

public_key.create: An SSH key was added to a user account or a deploy key was added to a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, read_only, operation_type, created_at, key, fingerprint, title
Reference: /authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account

public_key.delete: An SSH key was removed from a user account or a deploy key was removed from a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, fingerprint, read_only, explanation, key, operation_type, title, created_at
Reference: /authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys

public_key.unverification_failure: A user account's SSH key or a repository's deploy key was unable to be unverified.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, title, key, fingerprint, read_only, created_at, operation_type
Reference: /authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys

public_key.unverify: A user account's SSH key or a repository's deploy key was unverified.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type, title, key, read_only, explanation, fingerprint
Reference: /authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys

public_key.update: A user account's SSH key or a repository's deploy key was updated.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, key, fingerprint, read_only, operation_type, created_at, title
Reference: /authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys

public_key.verification_failure: A user account's SSH key or a repository's deploy key was unable to be verified.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, key, fingerprint, oauth_application_id, title, created_at, read_only, operation_type
Reference: /authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys

public_key.verify: A user account's SSH key or a repository's deploy key was verified.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at, key, fingerprint, title, read_only
Reference: /authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys

repo

repo.access: The visibility of a repository changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at, visibility, previous_visibility
Reference: /repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility

repo.actions_enabled: GitHub Actions was enabled for a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type
Reference: organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api

repo.add_member: A collaborator was added to a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, created_at, operation_type, oauth_application_id
Reference: Inviting collaborators to a personal repository

repo.add_topic: A topic was added to a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, topic, created_at, operation_type
Reference: /repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics

repo.advanced_security_disabled: GitHub Advanced Security was disabled for a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at, actor_is_bot
Reference: /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository

repo.advanced_security_enabled: GitHub Advanced Security was enabled for a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at, public_repo, actor_is_bot
Reference: /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository

repo.archived: A repository was archived.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type, visibility
Reference: /repositories/archiving-a-github-repository

repo.change_merge_setting: Pull request merge options were changed for a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, oauth_application_id, created_at, operation_type, public_repo, actor_is_bot

repo.code_scanning_analysis_deleted: Code scanning analysis for a repository was deleted.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, oauth_application_id, operation_type, created_at, public_repo, tool, category
Reference: /rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository

repo.code_scanning_configuration_for_branch_deleted: A code scanning configuration for a branch of a repository was deleted.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, tool, branch, category, public_repo, created_at, operation_type
Reference: Resolving code scanning alerts

repo.config.disable_collaborators_only: The interaction limit for collaborators only was disabled.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type
Reference: /communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository

repo.config.disable_contributors_only: The interaction limit for prior contributors only was disabled in a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at
Reference: /communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository

repo.config.disable_sockpuppet_disallowed: The interaction limit for existing users only was disabled in a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type
Reference: /communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository

repo.config.enable_collaborators_only: The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, oauth_application_id, created_at, operation_type
Reference: /communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository

repo.config.enable_contributors_only: The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at
Reference: /communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository

repo.config.enable_sockpuppet_disallowed: The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at
Reference: /communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository

repo.configure_self_hosted_jit_runner: A new just-in-time GitHub Actions self-hosted runner was configured
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, oauth_application_id, public_repo, created_at, operation_type
Reference: /rest/actions/self-hosted-runners#create-configuration-for-a-just-in-time-runner-for-a-repository

repo.create: A repository was created.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, operation_type, request_category, created_at, oauth_application_id, request_method, public_repo, actor_is_bot
Reference: /repositories/creating-and-managing-repositories/creating-a-new-repository

repo.create_actions_secret: A GitHub Actions secret was created for a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, key, operation_type, created_at
Reference: Using secrets in GitHub Actions

repo.create_actions_variable: A GitHub Actions variable was created for a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, key, visibility, public_repo, created_at, operation_type
Reference: Store information in variables

repo.create_integration_secret: A Codespaces or Dependabot secret was created for a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, key, visibility, integration, operation_type, created_at, public_repo

repo.destroy: A repository was deleted.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, request_category, visibility, created_at, request_method, oauth_application_id, actor_is_bot
Reference: /repositories/creating-and-managing-repositories/deleting-a-repository

repo.pages_cname: A GitHub Pages custom domain was modified in a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, cname, created_at, operation_type, old_cname

repo.pages_create: A GitHub Pages site was created.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, operation_type, created_at

repo.pages_destroy: A GitHub Pages site was deleted.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, visibility, operation_type

repo.pages_https_redirect_disabled: HTTPS redirects were disabled for a GitHub Pages site.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, operation_type, created_at

repo.pages_https_redirect_enabled: HTTPS redirects were enabled for a GitHub Pages site.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, visibility, operation_type

repo.pages_private: A GitHub Pages site visibility was changed to private.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, operation_type, created_at

repo.pages_public: A GitHub Pages site visibility was changed to public.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, operation_type, created_at

repo.pages_soft_delete: A GitHub Pages site was soft-deleted because its owner's plan changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, public_repo, created_at, operation_type

repo.pages_soft_delete_restore: A GitHub Pages site that was previously soft-deleted was restored.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, public_repo, created_at, operation_type

repo.pages_source: A GitHub Pages source was modified.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, visibility, created_at

repo.register_self_hosted_runner: A new self-hosted runner was registered.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at
Reference: Adding self-hosted runners

repo.remove_actions_secret: A GitHub Actions secret was deleted for a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, key, operation_type, created_at
Reference: Using secrets in GitHub Actions

repo.remove_actions_variable: A GitHub Actions variable was deleted for a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, key, public_repo, created_at, operation_type
Reference: Store information in variables

repo.remove_integration_secret: A Codespaces or Dependabot secret was deleted for a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, key, integration, operation_type, created_at, public_repo

repo.remove_member: A collaborator was removed from a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type, visibility
Reference: Removing a collaborator from a personal repository

repo.remove_self_hosted_runner: A self-hosted runner was removed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at
Reference: Removing self-hosted runners

repo.remove_topic: A topic was removed from a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, topic, operation_type, created_at

repo.rename: A repository was renamed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, old_name, created_at, operation_type, visibility
Reference: /repositories/creating-and-managing-repositories/renaming-a-repository

repo.set_actions_cache_retention_policy: The cache retention policy for GitHub Actions was set for a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, public_repo, created_at, operation_type, actor_is_bot
Reference: /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository

repo.set_actions_cache_storage_policy: The cache storage policy for GitHub Actions was set for a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, public_repo, created_at, operation_type, actor_is_bot
Reference: /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository

repo.set_actions_fork_pr_approvals_policy: The setting for requiring approvals for workflows from public forks was changed for a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, policy, created_at, operation_type, public_repo
Reference: /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks

repo.set_actions_private_fork_pr_approvals_policy: The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, policy, public_repo, created_at, operation_type
Reference: /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories

repo.set_actions_retention_limit: The retention period for GitHub Actions artifacts and logs in a repository was changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, limit, operation_type, created_at
Reference: /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository

repo.set_default_workflow_permissions: The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, public_repo, created_at, operation_type
Reference: /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository

repo.set_fork_pr_workflows_policy: Triggered when the policy for workflows on private repository forks is changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, policy, operation_type, created_at
Reference: /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks

repo.set_workflow_permission_can_approve_pr: The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, public_repo, created_at, operation_type
Reference: /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests

repo.staff_unlock: An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

repo.temporary_access_granted: Temporary access was enabled for a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, public_repo, created_at, operation_type
Reference: Accessing user-owned repositories in your enterprise

repo.transfer: A user accepted a request to receive a transferred repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, owner, old_user, operation_type, created_at, visibility, repo_was
Reference: /repositories/creating-and-managing-repositories/transferring-a-repository

repo.transfer_outgoing: A repository was transferred to another repository network.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, new_nwo, visibility, created_at, operation_type, public_repo

repo.transfer_start: A user sent a request to transfer a repository to another user or organization.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at, visibility

repo.unarchived: A repository was unarchived.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at, visibility
Reference: /repositories/archiving-a-github-repository

repo.update_actions_access_settings: The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, policy, old_policy, created_at, operation_type

repo.update_actions_secret: A GitHub Actions secret was updated for a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, oauth_application_id, key, operation_type, created_at
Reference: Using secrets in GitHub Actions

repo.update_actions_settings: A repository administrator changed GitHub Actions policy settings for a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, operation_type, created_at, new_policy, old_policy, updated_access_policy, actor_is_bot

repo.update_actions_variable: A GitHub Actions variable was updated for a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, key, visibility, public_repo, created_at, operation_type
Reference: Store information in variables

repo.update_default_branch: The default branch for a repository was changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, visibility, operation_type, created_at, actor_is_bot

repo.update_integration_secret: A Codespaces or Dependabot secret was updated for a repository.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, key, visibility, integration, operation_type, created_at, public_repo

repo.update_member: A user's permission to a repository was changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, oauth_application_id, operation_type, visibility, old_permission, old_base_role, old_repo_permission, old_repo_base_role, new_repo_base_role, new_repo_permission, actor_is_bot

repository_image

repository_image.create: An image to represent a repository was uploaded.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at, content_type

repository_image.destroy: An image to represent a repository was deleted.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, content_type, created_at, operation_type

repository_invitation

repository_invitation.accept: An invitation to join a repository was accepted.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, invitee, operation_type, inviter

repository_invitation.cancel: An invitation to join a repository was canceled.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, inviter, operation_type, invitee, created_at

repository_invitation.create: An invitation to join a repository was sent.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, invitee, inviter, created_at, operation_type

repository_invitation.reject: An invitation to join a repository was declined.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, invitee, operation_type, created_at, inviter

repository_ruleset

repository_ruleset.create: A repository ruleset was created.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, public_repo, created_at, operation_type, ruleset_id, ruleset_name, ruleset_enforcement, ruleset_source_type, ruleset_rules, ruleset_conditions, ruleset_bypass_actors
Reference: /repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository

repository_ruleset.destroy: A repository ruleset was deleted.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, name, public_repo, created_at, operation_type, ruleset_id, ruleset_name, ruleset_enforcement, ruleset_source_type, ruleset_rules, ruleset_bypass_actors
Reference: /repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset

repository_ruleset.update: A repository ruleset was edited.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, old_name, public_repo, created_at, operation_type, ruleset_id, ruleset_name, ruleset_enforcement, ruleset_source_type, ruleset_rules_updated, ruleset_conditions_added, ruleset_conditions_deleted, ruleset_old_enforcement, ruleset_rules_added, ruleset_rules_deleted, ruleset_old_name, ruleset_conditions_updated, ruleset_bypass_actors_added, ruleset_bypass_actors_deleted, ruleset_bypass_actors_updated, actor_is_bot
Reference: /repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset

security_key

security_key.register: A security key was registered for an account.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

security_key.remove: A security key was removed from an account.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

social_identity

social_identity.linked: A user linked a social identity to their account.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

social_identity.unlinked: A user unlinked a social identity from their account.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

social_identity.unlinked_all: A user unlinked all social identities from their account.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

sub_issues

sub_issues.parent_issue_add: A parent issue was added to an issue.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, title, public_repo, created_at, operation_type, actor_is_bot

sub_issues.parent_issue_remove: A parent issue was removed from an issue.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, title, public_repo, created_at, operation_type, actor_is_bot

sub_issues.sub_issue_add: A sub-issue was added to an issue.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, title, public_repo, created_at, operation_type, actor_is_bot

sub_issues.sub_issue_remove: A sub-issue was removed from an issue.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, title, public_repo, created_at, operation_type, actor_is_bot

successor_invitation

successor_invitation.accept: Triggered when you accept a succession invitation.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at
Reference: Maintaining ownership continuity of your personal account's repositories

successor_invitation.cancel: Triggered when you cancel a succession invitation.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at
Reference: Maintaining ownership continuity of your personal account's repositories

successor_invitation.create: Triggered when you create a succession invitation.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at
Reference: Maintaining ownership continuity of your personal account's repositories

successor_invitation.decline: Triggered when you decline a succession invitation.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at
Reference: Maintaining ownership continuity of your personal account's repositories

successor_invitation.revoke: Triggered when you revoke a succession invitation.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at
Reference: Maintaining ownership continuity of your personal account's repositories

trusted_device

trusted_device.register: A new trusted device was added.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

trusted_device.remove: A trusted device was removed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

two_factor_authentication

two_factor_authentication.add_factor: A secondary authentication factor was added to a user account.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type
Reference: /authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication

two_factor_authentication.disabled: Two-factor authentication was disabled for a user account.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type
Reference: Disabling two-factor authentication for your personal account

two_factor_authentication.enabled: Two-factor authentication was enabled for a user account.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at
Reference: Configuring two-factor authentication

two_factor_authentication.password_reset_fallback_sms: A one-time password code was sent to a user account fallback phone number.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

two_factor_authentication.recovery_codes_regenerated: Two factor recovery codes were regenerated for a user account.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

two_factor_authentication.remove_factor: A secondary authentication factor was removed from a user account.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type
Reference: /authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication

two_factor_authentication.sign_in_fallback_sms: A one-time password code was sent to a user account fallback phone number.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

two_factor_authentication.update_fallback: The two-factor authentication fallback for a user account was changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

user

user.add_email: An email address was added to a user account.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, email, created_at
Reference: Adding an email address to your GitHub account

user.async_delete: An asynchronous job was started to destroy a user account, eventually triggering a user.delete event.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

user.audit_log_export: Audit log entries were exported.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

user.block_user: A user was blocked by another user.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, blocked_user, operation_type, created_at

user.change_password: A user changed their password.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

user.codespaces_trusted_repo_access_granted: Triggered when you allow the codespaces you create for a repository to access other repositories owned by your personal account.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at
Reference: Managing access to other repositories within your codespace

user.codespaces_trusted_repo_access_revoked: Triggered when you disallow the codespaces you create for a repository to access other repositories owned by your personal account.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at
Reference: Managing access to other repositories within your codespace

user.create: A new user account was created.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, email, operation_type, created_at

user.create_integration_secret: A user secret for Codespaces was created.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, key, visibility, integration, created_at, operation_type

user.creation_rate_limit_exceeded: The rate of creation of user accounts, applications, issues, pull requests or other resources exceeded the configured rate limits, or too many users were followed too quickly.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type, oauth_application_id

user.delete: A user account was destroyed by an asynchronous job.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

user.demote: A site administrator was demoted to an ordinary user account.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, oauth_application_id, created_at, operation_type

user.destroy: A user deleted his or her account, triggering user.async_delete.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

user.failed_login: A user tried to sign in with an incorrect username, password, or two-factor authentication code.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

user.forgot_password: A user requested a password reset.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, email, created_at
Reference: /authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials

user.hide_private_contributions_count: A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now hidden.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type
Reference: Manage visibility settings for private contributions

user.login: A user signed in.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at, passkey_nickname

user.logout: A user signed out.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

user.new_device_used: A user signed in from a new device.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

user.promote: An ordinary user account was promoted to a site administrator.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, oauth_application_id, operation_type

user.recreate: A user's account was restored.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

user.remove_email: An email address was removed from a user account.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at, email

user.remove_integration_secret: A user secret for Codespaces was deleted.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, key, integration, created_at, operation_type

user.rename: A username was changed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, old_login, created_at, operation_type

user.reset_password: A user reset their account password.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

user.show_private_contributions_count: A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now shown.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at
Reference: Manage visibility settings for private contributions

user.sign_in_from_unrecognized_device: A user signed in from an unrecognized device.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

user.sign_in_from_unrecognized_device_and_location: A user signed in from an unrecognized device and location.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

user.suspend: A user account was suspended.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, oauth_application_id, operation_type, created_at

user.two_factor_challenge_failure: A 2FA challenge issued for a user account failed.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

user.two_factor_challenge_success: A 2FA challenge issued for a user account succeeded.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

user.two_factor_recover: A user used their 2FA recovery codes.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

user.two_factor_recovery_codes_downloaded: A user downloaded 2FA recovery codes for their account.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

user.two_factor_recovery_codes_printed: A user printed 2FA recovery codes for their account.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at

user.two_factor_recovery_codes_viewed: A user viewed 2FA recovery codes for their account.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type

user.two_factor_requested: A user was prompted for a two-factor authentication code.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type
Reference: /authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication

user.unblock_user: A user was unblocked by another user.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, blocked_user, operation_type, created_at

user.unsuspend: A user account was unsuspended.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, oauth_application_id, operation_type, created_at

user.update_integration_secret: A user secret for Codespaces was updated.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, key, visibility, integration, created_at, operation_type

user_email

user_email.confirm_claim: An enterprise managed user claimed an email address.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, created_at, operation_type, actor_is_bot

user_status

user_status.destroy: Triggered when you clear the status on your profile.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, message, created_at, limited_availability, emoji, operation_type

user_status.update: Triggered when you set or change the status on your profile.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, limited_availability, message, created_at, emoji, operation_type
Reference: Personalize your profile

workflows

workflows.approve_workflow_job: A workflow job was approved.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, workflow_run_id, run_number, operation_type, created_at, public_repo
Reference: Reviewing deployments

workflows.delete_workflow_run: A workflow run was deleted.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, operation_type, created_at, workflow_run_id, started_at, head_branch, head_sha, trigger_id
Reference: Deleting a workflow run

workflows.disable_workflow: A workflow was disabled.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, workflow_id, operation_type, created_at, public_repo, actor_is_bot

workflows.enable_workflow: A workflow was enabled, after previously being disabled by disable_workflow.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, workflow_id, operation_type, created_at, public_repo

workflows.pin_workflow: A workflow was pinned.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, public_repo, workflow_id, created_at, operation_type, actor_is_bot

workflows.reject_workflow_job: A workflow job was rejected.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, workflow_run_id, run_number, operation_type, created_at, public_repo
Reference: Reviewing deployments

workflows.unpin_workflow: A workflow was unpinned after previously being pinned.
Fields: @timestamp, _document_id, action, actor, actor_id, business, business_id, hashed_token, org, org_id, programmatic_access_type, repo, repo_id, repository, repository_id, request_access_security_header, request_id, token_id, token_scopes, user, user_id, user_agent, public_repo, workflow_id, created_at, operation_type, actor_is_bot

Security log events

In this article