Data Source: GitHub Enterprise Audit Logs

Description

Data source object for GitHub Enterprise audit logs delivered to Splunk via audit log streaming to a Splunk HTTP Event Collector (HEC), as described in the GitHub documentation: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk

Details

Property   | Value
-----------|-----------
Source     | http:github
Sourcetype | httpevent
Name | Technique | Type
-----|-----------|-----
GitHub Enterprise Delete Branch Ruleset | Disable or Modify Tools, Supply Chain Compromise | Anomaly
GitHub Enterprise Disable 2FA Requirement | Disable or Modify Tools, Supply Chain Compromise | Anomaly
GitHub Enterprise Disable Audit Log Event Stream | Disable or Modify Cloud Logs, Supply Chain Compromise | Anomaly
GitHub Enterprise Disable Classic Branch Protection Rule | Disable or Modify Tools, Supply Chain Compromise | Anomaly
GitHub Enterprise Disable Dependabot | Disable or Modify Tools, Supply Chain Compromise | Anomaly
GitHub Enterprise Disable IP Allow List | Disable or Modify Tools, Supply Chain Compromise | Anomaly
GitHub Enterprise Modify Audit Log Event Stream | Disable or Modify Cloud Logs, Supply Chain Compromise | Anomaly
GitHub Enterprise Pause Audit Log Event Stream | Disable or Modify Cloud Logs, Supply Chain Compromise | Anomaly
GitHub Enterprise Register Self Hosted Runner | Disable or Modify Tools, Supply Chain Compromise | Anomaly
GitHub Enterprise Remove Organization | Data Destruction, Supply Chain Compromise | Anomaly
GitHub Enterprise Repository Archived | Data Destruction, Supply Chain Compromise | Anomaly
GitHub Enterprise Repository Deleted | Data Destruction, Supply Chain Compromise | Anomaly

Supported Apps

Event Fields

Fields:
  _document_id
  action
  actor
  actor_id
  actor_is_bot
  business
  business_id
  created_at
  operation_type
  org
  org_id
  public_repo
  repo
  repo_id
  request_access_security_header
  user
  user_agent
  user_id

Example Log

  {
    "@timestamp": 1736850926658,
    "_document_id": "fHPRFHOMZNXLxTZrk1w2IQ",
    "action": "repository_vulnerability_alerts.disable",
    "actor": "P4T12ICK",
    "actor_id": 8362376,
    "actor_ip": "84.128.62.13",
    "actor_is_bot": false,
    "actor_location": { ... },
    "business": "pb",
    "business_id": 273781,
    "created_at": 1736850926658,
    "operation_type": "modify",
    "org": "pbtest2",
    "org_id": 194489467,
    "public_repo": false,
    "repo": "pbtest2/pbtest5",
    "repo_id": 916529548,
    "request_access_security_header": null,
    "user": "P4T12ICK",
    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
    "user_id": 8362376
  }

The actor_location object is collapsed in the original event view, so its contents are not shown here.

Source: GitHub | Version: 1