Data Source: GitHub Enterprise Audit Logs

Description

Data source object for GitHub Enterprise audit logs delivered through audit log streaming to a Splunk HTTP Event Collector (HEC), as described in the GitHub documentation: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk

Details

Property   | Value
-----------|------------
Source     | http:github
Sourcetype | httpevent

Detections using this data source

Name                                                      | Technique                                                 | Type
----------------------------------------------------------|-----------------------------------------------------------|--------
GitHub Enterprise Disable IP Allow List                   | Supply Chain Compromise, Disable or Modify Tools          | Anomaly
GitHub Enterprise Register Self Hosted Runner             | Supply Chain Compromise, Disable or Modify Tools          | Anomaly
GitHub Enterprise Repository Deleted                      | Supply Chain Compromise, Data Destruction                 | Anomaly
GitHub Enterprise Delete Branch Ruleset                   | Supply Chain Compromise, Disable or Modify Tools          | Anomaly
GitHub Enterprise Disable Audit Log Event Stream          | Supply Chain Compromise, Disable or Modify Cloud Log      | Anomaly
GitHub Enterprise Modify Audit Log Event Stream           | Supply Chain Compromise, Disable or Modify Cloud Log      | Anomaly
GitHub Enterprise Disable Dependabot                      | Supply Chain Compromise, Disable or Modify Tools          | Anomaly
GitHub Enterprise Pause Audit Log Event Stream            | Supply Chain Compromise, Disable or Modify Cloud Log      | Anomaly
GitHub Enterprise Disable Classic Branch Protection Rule  | Supply Chain Compromise, Disable or Modify Tools          | Anomaly
GitHub Enterprise Remove Organization                     | Supply Chain Compromise, Data Destruction                 | Anomaly
GitHub Enterprise Disable 2FA Requirement                 | Supply Chain Compromise, Disable or Modify Tools          | Anomaly
GitHub Enterprise Repository Archived                     | Supply Chain Compromise, Data Destruction                 | Anomaly

Supported Apps

Event Fields

Fields:

  _document_id
  action
  actor
  actor_id
  actor_is_bot
  business
  business_id
  created_at
  operation_type
  org
  org_id
  public_repo
  repo
  repo_id
  request_access_security_header
  user
  user_agent
  user_id

Example Log

The event below is a single audit log record as received by the HEC input; the actor_location object is collapsed in the original event view, so its contents are not shown.

{
  "@timestamp": 1736850926658,
  "_document_id": "fHPRFHOMZNXLxTZrk1w2IQ",
  "action": "repository_vulnerability_alerts.disable",
  "actor": "P4T12ICK",
  "actor_id": 8362376,
  "actor_ip": "84.128.62.13",
  "actor_is_bot": false,
  "actor_location": { ... },
  "business": "pb",
  "business_id": 273781,
  "created_at": 1736850926658,
  "operation_type": "modify",
  "org": "pbtest2",
  "org_id": 194489467,
  "public_repo": false,
  "repo": "pbtest2/pbtest5",
  "repo_id": 916529548,
  "request_access_security_header": null,
  "user": "P4T12ICK",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36",
  "user_id": 8362376
}

Source: GitHub | Version: 2